From 81e66fbc1a0fdb3e69d47133c8da93e0c360a8c1 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Mon, 23 May 2022 13:04:23 +0200
Subject: [PATCH 1/5] Remove ips not allowed in tests
---
 .../_dev/test/pipeline/test-route53.log | 18 +-
 .../pipeline/test-route53.log-expected.json | 90 +-
 .../route53_resolver_logs/sample_event.json | 6 +-
 packages/aws/docs/route53.md | 6 +-
 .../docker/sample_logs/eve-dns-4.1.4.ndjson | 4 +-
 .../_dev/test/pipeline/test-eve-dns-4-1-4.log | 4 +-
 .../test-eve-dns-4-1-4.log-expected.json | 24 +-
 .../test-sysmon-operational-events.json | 236 ++--
 ...smon-operational-events.json-expected.json | 1116 ++++++++---------
 .../_dev/test/pipeline/test-events.json | 236 ++--
 .../pipeline/test-events.json-expected.json | 1116 ++++++++---------
 .../_dev/deploy/docker/sample_logs/dns.log | 2 +-
 .../dns/_dev/test/pipeline/test-dns.log | 2 +-
 .../test/pipeline/test-dns.log-expected.json | 25 +-
 14 files changed, 1316 insertions(+), 1569 deletions(-)
diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
index 24de090fe1e..44262b5cee9 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
@@ -18,17 +18,17 @@
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"s3-r-w.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"15.22.21.154.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"156.20.160.89.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2606:4700:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2607:f3c8:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2001:67c:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} |
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} |
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"45.63.54.13","Type":"A","Class":"IN"},{"Rdata":"216.229.4.69","Type":"A","Class":"IN"},{"Rdata":"45.79.111.167","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"108.61.73.244","Type":"A","Class":"IN"},{"Rdata":"71.43.215.194","Type":"A","Class":"IN"},{"Rdata":"162.159.200.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.229.0.50","Type":"A","Class":"IN"},{"Rdata":"192.227.183.3","Type":"A","Class":"IN"},{"Rdata":"162.159.200.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"37.85.255.92.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"58350","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"38200","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"249.252.85.54.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-54-85-252-249.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:33Z","query_name":"abcd.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"test.example.com.","Type":"CNAME","Class":"IN"},{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"52785","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
-{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.3.4.32.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-54-85-252-249.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
\ No newline at end of file
+{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"4.3.128.1.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"}
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}}
\ No newline at end of file
diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
index 63416dc44c8..4fad7dfd24a 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
@@ -1278,7 +1278,7 @@
 "dns": {
 "question": {
 "class": "IN",
- "name": "15.22.21.154.in-addr.arpa",
+ "name": "156.20.160.89.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NXDOMAIN"
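Review bot: The two rewritten PTR events (the `+` line at 22:48:30 on the previous line and the ip6.arpa line here) pair the question `143.69.2.81.in-addr.arpa.` (the reverse of 81.2.69.143) with the answer `ec2-89.160.20.112.compute-1.amazonaws.com.`, so the hostname now names a different address and uses dots inside the first label where EC2 reverse names use dashes; the expected file pins that value into `dns.answers.data` and `related.hosts` at `@@ -1989`, `@@ -2022`, `@@ -2229` and `@@ -2262`. Keeping the pair consistent, e.g. `"Rdata":"ec2-81-2-69-143.compute-1.amazonaws.com."`, avoids a fixture whose host label is not a valid hostname and whose reverse lookup contradicts its own answer. The same question name is also reused for the NXDOMAIN query at 22:47:41 a few lines up, which the pipeline will not care about but reads as contradictory sample data. Separately, several replacement answer sets now repeat one address (four copies of `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, two of `67.43.156.12`, two of `175.16.199.1`), which is why the expected `related.ip` arrays at `@@ -1449`, `@@ -1681` and `@@ -1767` carry duplicates; using distinct allowed addresses per answer would keep the multi-answer path meaningfully exercised.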
@@ -1291,7 +1291,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:39Z\",\"query_name\":\"15.22.21.154.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.160\",\"srcport\":\"59464\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:39Z\",\"query_name\":\"156.20.160.89.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.160\",\"srcport\":\"59464\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "failure",
 "type": [
 "protocol"
@@ -1306,7 +1306,7 @@
 "related": {
 "ip": [
 "172.31.86.160",
- "154.21.22.15"
+ "89.160.20.156"
 ]
 },
 "source": {
@@ -1399,17 +1399,17 @@
 },
 {
 "class": "IN",
- "data": "2606:4700:f1::1",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
 "class": "IN",
- "data": "2607:f3c8:3803:1::6",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
 "class": "IN",
- "data": "2001:67c:1560:8003::c7",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -1431,7 +1431,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2606:4700:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2607:f3c8:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2001:67c:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1449,9 +1449,9 @@
 ],
 "ip": [
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
- "2606:4700:f1::1",
- "2607:f3c8:3803:1::6",
- "2001:67c:1560:8003::c7",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "172.31.86.159"
 ]
 },
@@ -1545,17 +1545,17 @@
 },
 {
 "class": "IN",
- "data": "45.63.54.13",
+ "data": "67.43.156.12",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "216.229.4.69",
+ "data": "216.160.83.57",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "45.79.111.167",
+ "data": "216.160.83.61",
 "type": "A"
 }
 ],
@@ -1577,7 +1577,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"45.63.54.13\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.229.4.69\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"45.79.111.167\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.57\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1595,9 +1595,9 @@
 ],
 "ip": [
 "81.2.69.143",
- "45.63.54.13",
- "216.229.4.69",
- "45.79.111.167",
+ "67.43.156.12",
+ "216.160.83.57",
+ "216.160.83.61",
 "172.31.86.159"
 ]
 },
@@ -1631,17 +1631,17 @@
 },
 {
 "class": "IN",
- "data": "108.61.73.244",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "71.43.215.194",
+ "data": "175.16.199.1",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "162.159.200.1",
+ "data": "67.43.156.12",
 "type": "A"
 }
 ],
@@ -1663,7 +1663,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"108.61.73.244\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"71.43.215.194\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"162.159.200.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1681,9 +1681,9 @@
 ],
 "ip": [
 "175.16.199.1",
- "108.61.73.244",
- "71.43.215.194",
- "162.159.200.1",
+ "81.2.69.143",
+ "175.16.199.1",
+ "67.43.156.12",
 "172.31.86.159"
 ]
 },
@@ -1717,17 +1717,17 @@
 },
 {
 "class": "IN",
- "data": "216.229.0.50",
+ "data": "216.160.83.61",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "192.227.183.3",
+ "data": "67.43.156.12",
 "type": "A"
 },
 {
 "class": "IN",
- "data": "162.159.200.1",
+ "data": "67.43.156.12",
 "type": "A"
 }
 ],
@@ -1749,7 +1749,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.229.0.50\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"192.227.183.3\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"162.159.200.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -1767,9 +1767,9 @@
 ],
 "ip": [
 "81.2.69.143",
- "216.229.0.50",
- "192.227.183.3",
- "162.159.200.1",
+ "216.160.83.61",
+ "67.43.156.12",
+ "67.43.156.12",
 "172.31.86.159"
 ]
 },
@@ -1797,7 +1797,7 @@
 "dns": {
 "question": {
 "class": "IN",
- "name": "37.85.255.92.in-addr.arpa",
+ "name": "143.69.2.81.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NXDOMAIN"
@@ -1810,7 +1810,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:47:41Z\",\"query_name\":\"37.85.255.92.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"39685\",\"transport\":\"UDP\",\"srcids\":{}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:47:41Z\",\"query_name\":\"143.69.2.81.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NXDOMAIN\",\"answers\":[],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"39685\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "failure",
 "type": [
 "protocol"
@@ -1825,7 +1825,7 @@
 "related": {
 "ip": [
 "172.31.86.159",
- "92.255.85.37"
+ "81.2.69.143"
 ]
 },
 "source": {
@@ -1989,13 +1989,13 @@
 "answers": [
 {
 "class": "IN",
- "data": "ec2-54-85-252-249.compute-1.amazonaws.com",
+ "data": "ec2-89.160.20.112.compute-1.amazonaws.com",
 "type": "PTR"
 }
 ],
 "question": {
 "class": "IN",
- "name": "249.252.85.54.in-addr.arpa",
+ "name": "143.69.2.81.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NOERROR"
@@ -2008,7 +2008,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"249.252.85.54.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-54-85-252-249.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"143.69.2.81.in-addr.arpa.\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-89.160.20.112.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2022,11 +2022,11 @@
 },
 "related": {
 "hosts": [
- "ec2-54-85-252-249.compute-1.amazonaws.com"
+ "ec2-89.160.20.112.compute-1.amazonaws.com"
 ],
 "ip": [
 "172.31.86.159",
- "54.85.252.249"
+ "81.2.69.143"
 ]
 },
 "source": {
@@ -2154,7 +2154,7 @@
 ],
 "question": {
 "class": "IN",
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "4.3.128.1.in-addr.arpa",
 "type": "PTR"
 },
 "response_code": "NOERROR"
@@ -2167,7 +2167,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2185,7 +2185,7 @@
 ],
 "ip": [
 "81.2.69.143",
- "32.4.3.15"
+ "1.128.3.4"
 ]
 },
 "source": {
@@ -2229,7 +2229,7 @@
 "answers": [
 {
 "class": "IN",
- "data": "ec2-54-85-252-249.compute-1.amazonaws.com",
+ "data": "ec2-89.160.20.112.compute-1.amazonaws.com",
 "type": "PTR"
 }
 ],
@@ -2248,7 +2248,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-54-85-252-249.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:48:30Z\",\"query_name\":\"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa\",\"query_type\":\"PTR\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"ec2-89.160.20.112.compute-1.amazonaws.com.\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"47882\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"i-079c44232510ca8ff\"}}",
 "outcome": "success",
 "type": [
 "protocol"
@@ -2262,7 +2262,7 @@
 },
 "related": {
 "hosts": [
- "ec2-54-85-252-249.compute-1.amazonaws.com"
+ "ec2-89.160.20.112.compute-1.amazonaws.com"
 ],
 "ip": [
 "172.31.86.159",
diff --git a/packages/aws/data_stream/route53_resolver_logs/sample_event.json b/packages/aws/data_stream/route53_resolver_logs/sample_event.json
index 8a7b227dcac..e35aa7ed261 100644
--- a/packages/aws/data_stream/route53_resolver_logs/sample_event.json
+++ b/packages/aws/data_stream/route53_resolver_logs/sample_event.json
@@ -44,7 +44,7 @@
 },
 "dns": {
 "question": {
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "4.3.128.1.in-addr.arpa",
 "subdomain": "15.3.4",
 "registered_domain": "32.in-addr.arpa",
 "type": "PTR",
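Review bot: In the sample_event.json hunk `@@ -44`, `dns.question.name` becomes `4.3.128.1.in-addr.arpa` but the two context lines right below still carry the derivation of the old name, `"subdomain": "15.3.4"` and `"registered_domain": "32.in-addr.arpa"`, so the sample event is now internally inconsistent. If these fields come from the pipeline's registered-domain processing, the sample event should be regenerated rather than hand-edited; if it is edited by hand, the same split as before gives `"subdomain": "4.3.128"` and `"registered_domain": "1.in-addr.arpa"`. The same stale pair appears in `packages/aws/docs/route53.md` at `@@ -256`, which presumably renders this sample event, so it would need the same update. The sample event also keeps `srcaddr` / `related.ip` at `4.5.64.102`, which does not look like one of the replacement addresses used elsewhere in this commit; worth confirming whether sample events are deliberately exempt from the check the commit title refers to.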
@@ -71,7 +71,7 @@
 "event": {
 "agent_id_status": "verified",
 "ingested": "2021-12-12T00:28:02.201047005Z",
- "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "category": [
 "network"
 ],
@@ -94,7 +94,7 @@
 },
 "related": {
 "hosts": [
- "15.3.4.32.in-addr.arpa"
+ "4.3.128.1.in-addr.arpa"
 ],
 "ip": [
 "4.5.64.102"
diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md
index 0c0ab49f5f7..3de18ea52f8 100644
--- a/packages/aws/docs/route53.md
+++ b/packages/aws/docs/route53.md
@@ -256,7 +256,7 @@ An example event for `route53_resolver` looks as following:
 },
 "dns": {
 "question": {
- "name": "15.3.4.32.in-addr.arpa",
+ "name": "4.3.128.1.in-addr.arpa",
 "subdomain": "15.3.4",
 "registered_domain": "32.in-addr.arpa",
 "type": "PTR",
@@ -283,7 +283,7 @@ An example event for `route53_resolver` looks as following:
 "event": {
 "agent_id_status": "verified",
 "ingested": "2021-12-12T00:28:02.201047005Z",
- "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
+ "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}",
 "category": [
 "network"
 ],
@@ -306,7 +306,7 @@ An example event for `route53_resolver` looks as following:
 },
 "related": {
 "hosts": [
- "15.3.4.32.in-addr.arpa"
+ "4.3.128.1.in-addr.arpa"
 ],
 "ip": [
 "4.5.64.102"
diff --git a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson
index 9f38719e12d..d7ec5e06c3a 100644
--- a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson
+++ b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson
@@ -5,7 +5,7 @@
 {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
 {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
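Review bot: Replacing the two `2a04:4e42:…` answers with a third and fourth copy of `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` leaves this AAAA response with four identical rdata values, so the sample no longer exercises a response that carries several distinct IPv6 addresses. If the test IP allow-list accepts the RFC 3849 documentation prefix, distinct substitutes such as `2001:db8::1` and `2001:db8::2` for the third and fourth answers would keep that coverage; the `grouped.AAAA` array must then be updated to match. The same hunk is duplicated in the pipeline test log `test-eve-dns-4-1-4.log`, so the two files should be kept identical.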
@@ -21,4 +21,4 @@
 {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
 {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}}
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}}
+{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}}
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log index 9f38719e12d..d7ec5e06c3a 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log 
@@ -5,7 +5,7 @@
 {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
 {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a04:4e42:0200:0000:0000:0000:0000:0729","2a04:4e42:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}}
 {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}}
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
@@ -21,4 +21,4 @@
 {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}}
 {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}}
 {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}}
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a04:4e42:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}}
+{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}}
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index 82b3dba9a82..96ec936242d 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json @@ -564,13 +564,13 @@ "type": "AAAA" }, { - "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" @@ -591,8 +591,8 @@ "resolved_ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "response_code": "NOERROR", "type": "answer" 
@@ -606,7 +606,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "type": [ "protocol" ] @@ -619,8 +619,6 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] @@ -1866,13 +1864,13 @@ "type": "AAAA" }, { - "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" 
@@ -1898,8 +1896,8 @@ }, "resolved_ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "response_code": "NOERROR", 
@@ -1914,7 +1912,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", + "original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", "type": [ "protocol" ] @@ -1927,8 +1925,6 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a04:4e42:0200:0000:0000:0000:0000:0729", - "2a04:4e42:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json index f9c1da4214c..746287c0b1a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json 
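Review bot: With all four AAAA answers now identical, the `related.ip` arrays in the @@ -619 and @@ -1927 hunks shrink from five to three entries, so the expected output no longer verifies that every distinct resolved address is propagated into `related.ip`; a deduplication or fan-out regression in the pipeline would pass unnoticed. The `dns.resolved_ip` arrays at @@ -591 and @@ -1898 show the same collapse to a single repeated value. Using distinct substitute addresses in the input log (documentation-range `2001:db8::/32` values, if the allow-list permits them) and regenerating this file would keep the original five-entry `related.ip` and preserve that coverage.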
@@ -592,7 +592,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -616,7 +616,7 @@ } }, "event_data": { - "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.274", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1116,7 +1116,7 @@ "event_data": { "QueryName": "nym1-ib.adnxs.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.633", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1135,7 +1135,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1182,7 +1182,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1202,7 +1202,7 @@ "event_data": { "QueryName": "px.ads.linkedin.com", "QueryStatus": "0", - "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.727", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1268,7 +1268,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
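Review bot: The substitution on the new side of this hunk is incomplete: `2001:502:1ca1::30` is still present near the end of the `QueryResults` data in the rewritten `original` string, and again in `event_data.QueryResults` in the `@@ -1287,7 +1287,7 @@` hunk, while the neighbouring `2001:503:…`/`2001:500:…` entries were all rewritten to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`. If that address falls outside the allowed test range like the ones replaced, the check this commit is meant to satisfy will still flag this fixture; if it is allowed, a one-line remark in the description saying so would save the next reader the question. The `@@ -1837,7 +1837,7 @@` hunk's old side carries the same address but its new side is cut off here, so it is worth checking as well. Because this is a generated `-expected.json`, regenerating it from the edited input with the pipeline test tooling rather than hand-editing the strings would also keep any fields the pipeline derives from `QueryResults` (resolved-address lists, if it emits them) consistent with the new values.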
@@ -1287,7 +1287,7 @@ "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792" }, 
@@ -1311,7 +1311,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1330,7 +1330,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "information", "event_data": { - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1389,7 +1389,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1401,7 +1401,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.821", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1467,7 +1467,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1491,7 +1491,7 @@ "ProcessId": "2736", "QueryName": "protected-by.clarium.io", "QueryStatus": "0", - "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { @@ -1635,7 +1635,7 @@ "event_data": { "QueryName": "onevideosync.uplynk.com", "QueryStatus": "0", - "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.844", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1664,7 +1664,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1798,7 +1798,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1821,7 +1821,7 @@ "ProcessId": "2736", "QueryName": "pm.w55c.net", "QueryStatus": "0", - "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1837,7 +1837,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1864,7 +1864,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1927,7 +1927,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
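Review bot: The new `QueryResults` value on the `+` line still carries `2001:502:1ca1::30`, a public IPv6 address that is not replaced, while the four neighbouring `2001:5xx:...` addresses were all rewritten; if the intent is to keep only addresses from the permitted test ranges, this one looks like an oversight and should get the same treatment (e.g. `...;192.168.94.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.51.30;`). Note also that four formerly distinct IPv6 answers now collapse to the single repeated `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so this fixture no longer exercises a response with several different IPv6 addresses; if the pipeline deduplicates answers into a field such as `related.ip`, a second distinct allowed-range address would preserve that coverage — I cannot see the pipeline here, so please confirm. The same retained `2001:502:1ca1::30` appears in the `event.original` strings of the adjacent hunks and should be changed consistently there, presumably by fixing the input fixture and regenerating this expected file rather than editing it by hand.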
@@ -1955,7 +1955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1978,7 +1978,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.107", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1996,7 +1996,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2235,7 +2235,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2261,7 +2261,7 @@ "ProcessId": "2736", "QueryName": "tpc.googlesyndication.com", "QueryStatus": "0", - "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.146" }, 
@@ -2332,7 +2332,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2353,7 +2353,7 @@ "ProcessId": "2736", "QueryName": "image2.pubmatic.com", "QueryStatus": "0", - "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;" + "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" }, "process": { "thread": { 
@@ -2419,7 +2419,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2445,7 +2445,7 @@ "computer_name": "vagrant-2016", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "event_data": { - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.222", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -2504,7 +2504,7 @@ "event_data": { "QueryName": "urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2532,7 +2532,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2759,7 +2759,7 @@ "ProcessId": "2736", "QueryName": "ocsp.usertrust.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -2780,7 +2780,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2924,7 +2924,7 @@ "ProcessId": "2736", "QueryName": "ocsp.sectigo.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "level": "information", 
@@ -2946,7 +2946,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3254,7 +3254,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3277,7 +3277,7 @@ "ProcessId": "2736", "QueryName": "ocsp.pki.goog", "QueryStatus": "0", - "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.581" }, 
@@ -4025,7 +4025,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@ "event_data": { "QueryName": "pixel.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4070,7 +4070,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4082,7 +4082,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4112,7 +4112,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
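Review bot: The trailing `2001:502:1ca1::30;` in this `QueryResults` value is left untouched while the sibling `2001:503:...`/`2001:500:...` addresses on the same line are replaced, so the `aa.agkn.com` event still carries one address of the kind the commit is removing; the same leftover is in the `@@ -4126` hunk for the same event. If that address is on the disallowed list, it should be rewritten here too, e.g. the value should end `...192.168.94.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;` in both the `original` XML and the `event_data.QueryResults` field, otherwise the test data stays inconsistent with the stated intent of the change.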
@@ -4126,7 +4126,7 @@ "ProcessId": "2736", "QueryName": "aa.agkn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.902", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" @@ -4155,7 +4155,7 @@ "ProcessId": "2736", "QueryName": "s0.2mdn.net", "QueryStatus": "0", - "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.911", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -4185,7 +4185,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4336,7 +4336,7 @@ "ProcessId": "2736", "QueryName": "pre-usermatch.targeting.unrulymedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;", + "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.137", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -4355,7 +4355,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4364,7 +4364,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4384,7 +4384,7 @@ "event_data": { "QueryName": "farm.plista.com", "QueryStatus": "0", - "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.141", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -4885,7 +4885,7 @@ "ProcessId": "2736", "QueryName": "sync.mathtag.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;" + "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;" }, "record_id": 141, "event_id": "22", 
@@ -4905,7 +4905,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4967,7 +4967,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.184", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4990,7 +4990,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -5015,7 +5015,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5031,7 +5031,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5104,7 +5104,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
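Review bot: The new side of this hunk still carries the public address `2001:502:1ca1::30` at the tail of QueryResults (`...192.168.94.30;2001:502:1ca1::30;192.168.51.30;`), while its siblings `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` were all rewritten to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`; the same leftover survives in the hunks at -5115, -5387 and -5409. Unless that address is on the test allow list, it should get the same treatment, i.e. the tail becomes `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.51.30;`. Since this file is the expected output of the pipeline test, the fix belongs in the corresponding input fixture with the expected file regenerated, not in an edit of this file alone. Separately, every nameserver address now collapses to one identical placeholder, so if the pipeline de-duplicates resolved addresses into a related-IP list this fixture presumably no longer exercises more than one IPv6 answer per event — worth confirming against the pipeline before relying on it for that case.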
@@ -5115,7 +5115,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5214,7 +5214,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5241,7 +5241,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5337,7 +5337,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5354,7 +5354,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5387,7 +5387,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5409,7 +5409,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5463,7 +5463,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5475,7 +5475,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5505,7 +5505,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5524,7 +5524,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5547,7 +5547,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5564,7 +5564,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5586,7 +5586,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5598,7 +5598,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5650,7 +5650,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5661,7 +5661,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5675,7 +5675,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5684,7 +5684,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5713,7 +5713,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5745,7 +5745,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5757,7 +5757,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5771,7 +5771,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.822",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6440,7 +6440,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
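Review bot: The new `QueryResults` value on this hunk's `+` line still carries `2001:502:1ca1::30` (immediately before `192.168.51.30;`), while the neighbouring `2001:503:...` and `2001:500:...` addresses on the same line were rewritten to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`. If the intent is that only addresses from the allowed test ranges remain in these fixtures, this one looks like an oversight rather than a deliberate keep. The same leftover appears in the hunks at `@@ -6456`, `@@ -6588` and `@@ -6609`. If that address is in fact on the allowed list, a one-line note in the commit description saying so would spare the next reviewer the same question.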
@@ -6456,7 +6456,7 @@
 "event_data": {
 "QueryName": "rp.gwallet.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.943",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6483,7 +6483,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6491,7 +6491,7 @@
 "event_data": {
 "QueryName": "ads.yahoo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;",
+ "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.945",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6588,7 +6588,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.955",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6609,7 +6609,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6719,7 +6719,7 @@
 "ProcessId": "2736",
 "QueryName": "s.thebrighttag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
+ "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -6729,7 +6729,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6867,7 +6867,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6896,7 +6896,7 @@
 "ProcessId": "2736",
 "QueryName": "secure.adnxs.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;"
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;"
 },
 "event_id": "22",
 "provider_name": "Microsoft-Windows-Sysmon",
@@ -6955,7 +6955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6965,7 +6965,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6998,7 +6998,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7015,7 +7015,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7038,7 +7038,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7050,7 +7050,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7127,7 +7127,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7155,7 +7155,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7164,7 +7164,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7188,7 +7188,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7219,7 +7219,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7236,7 +7236,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7425,7 +7425,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7437,7 +7437,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7464,7 +7464,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7479,7 +7479,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7570,7 +7570,7 @@ "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" } }, 
@@ -7578,7 +7578,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7593,7 +7593,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7602,7 +7602,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca4.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.184" }, 
@@ -7681,7 +7681,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7692,7 +7692,7 @@ "event_data": { "QueryName": "match.sync.ad.cpe.dotomi.com", "QueryStatus": "0", - "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.730", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7828,7 +7828,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:16.329", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7852,7 +7852,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7904,7 +7904,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7934,7 +7934,7 @@ "ProcessId": "2736", "QueryName": "syndication.twitter.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;" + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" } }, "log": { 
@@ -8608,7 +8608,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8625,7 +8625,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 90939021c53..7126aaa02aa 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -1328,7 +1328,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -1336,7 +1336,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -1344,7 +1344,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -1362,11 +1362,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -1380,7 +1380,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1409,11 +1409,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
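Review bot: Every replaced AAAA answer now carries the single address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so the deduplicated `related.ip` array in hunk `@@ -1409,11 +1409,9 @@` shrinks from three distinct IPv6 entries to one, and hunk `@@ -2626,9 +2624,8 @@` further down collapses two into one the same way. The expected file records that faithfully, but the fixture no longer exercises the case that distinguishes `related.ip` from the answer arrays in hunks `@@ -1328` to `@@ -1362` (presumably `dns.answers` and `dns.resolved_ip`), which still hold the repeated value while `related.ip` drops it. If the allowed test-address list offers more than one IPv6 address, substituting a distinct allowed address per original record would keep that coverage; otherwise a short note in the pipeline test case saying the collapse is intentional would stop the next reader from treating the shortened array as a regression. The same single-address substitution is applied to the `event.original` and `QueryResults` strings in the section above, and those two fields stay consistent with each other throughout.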
@@ -2551,7 +2549,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -2559,7 +2557,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -2583,9 +2581,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30" ] }, 
@@ -2599,7 +2597,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2626,9 +2624,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -2824,7 +2821,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -2832,7 +2829,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -2840,7 +2837,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -2848,7 +2845,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -2865,13 +2862,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -2885,7 +2882,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2914,13 +2911,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -3077,7 +3071,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -3085,7 +3079,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -3093,7 +3087,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -3101,7 +3095,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -3126,13 +3120,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
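Review bot: The hunk at `@@ -3126,13 +3120,13 @@` leaves `"2001:502:1ca1::30"` in place as a context line of `dns.resolved_ip` while its four siblings (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`) are replaced with `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`; it appears to be the same class of public address the commit title says is being removed, so this fixture may still trip whatever check the change is meant to satisfy. The same leftover is visible in the `related.ip` hunk `@@ -3175,13 +3169,10 @@` and in the `dns.resolved_ip` hunk `@@ -4723,13 +4714,13 @@`, and it also survives inside the escaped `QueryResults` text of the new-side `event.original` string in the `@@ -3148,7 +3142,7 @@` hunk. If this file is the generated `-expected.json`, the fix belongs in the corresponding input fixture (the raw Sysmon event) with this file regenerated rather than hand-edited, otherwise the two will drift apart on the next regeneration. If the address is intentionally kept, one sentence in the commit description saying why would spare the next reader the same question.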
@@ -3148,7 +3142,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3175,13 +3169,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3264,7 +3255,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -3288,7 +3279,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -3302,7 +3293,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3331,7 +3322,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -3494,7 +3485,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -3517,7 +3508,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -3531,7 +3522,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3559,7 +3550,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -3731,7 +3722,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], 
@@ -3751,7 +3742,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -3764,7 +3755,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3792,7 +3783,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { @@ -4162,7 +4153,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4180,7 +4171,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -4194,7 +4185,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4224,7 +4215,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -4563,7 +4554,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4587,7 +4578,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -4601,7 +4592,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4629,7 +4620,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -4674,7 +4665,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4682,7 +4673,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4690,7 +4681,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4698,7 +4689,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4723,13 +4714,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -4745,7 +4736,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4772,13 +4763,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -4919,7 +4907,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4927,7 +4915,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4935,7 +4923,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4943,7 +4931,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -4964,13 +4952,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -4985,7 +4973,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5013,13 +5001,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -5073,7 +5058,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5081,7 +5066,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5089,7 +5074,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5097,7 +5082,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -5110,13 +5095,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -5129,7 +5114,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5158,13 +5143,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -5644,7 +5626,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5652,7 +5634,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5660,7 +5642,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5668,7 +5650,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -5681,13 +5663,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -5700,7 +5682,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5728,13 +5710,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -5888,7 +5867,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5896,7 +5875,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5904,7 +5883,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -5912,7 +5891,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -5925,13 +5904,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -5944,7 +5923,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5973,13 +5952,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -6135,7 +6111,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -6143,7 +6119,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -6151,7 +6127,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -6159,7 +6135,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -6175,13 +6151,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -6194,7 +6170,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6221,13 +6197,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -6379,7 +6352,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -6387,7 +6360,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -6404,9 +6377,9 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30"
 ]
 },
@@ -6420,7 +6393,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6449,9 +6422,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -6881,7 +6853,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -6889,7 +6861,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6897,7 +6869,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6905,7 +6877,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6922,13 +6894,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -6942,7 +6914,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6970,13 +6942,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -7265,7 +7234,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7273,7 +7242,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7281,7 +7250,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7289,7 +7258,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7306,13 +7275,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -7326,7 +7295,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7354,13 +7323,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -7922,7 +7888,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7930,7 +7896,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7938,7 +7904,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7946,7 +7912,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7963,13 +7929,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -7983,7 +7949,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -8011,13 +7977,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9322,7 +9285,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9330,7 +9293,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9338,7 +9301,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9346,7 +9309,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9363,13 +9326,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -9383,7 +9346,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9411,13 +9374,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9470,7 +9430,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9478,7 +9438,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9486,7 +9446,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9494,7 +9454,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9512,13 +9472,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -9532,7 +9492,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9559,13 +9519,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9614,7 +9571,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9622,7 +9579,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9630,7 +9587,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9638,7 +9595,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9660,13 +9617,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
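Review bot: The `@@ -9660` hunk rewrites the four `2001:503:…` and `2001:500:…` answers but leaves `"2001:502:1ca1::30"` as the last `dns.resolved_ip` entry untouched, and the same address survives in the `@@ -9708` hunk's `related.ip` list and in the new-side `original` XML on the following line. Unless that address is on the allowed list for test data, it presumably should receive the same replacement for consistency with the commit's stated goal of removing IPs not allowed in tests. The enclosing event object starts and ends outside the hunk.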
@@ -9681,7 +9638,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9708,13 +9665,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -9764,7 +9718,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9772,7 +9726,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9780,7 +9734,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9788,7 +9742,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9805,13 +9759,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -9825,7 +9779,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9853,13 +9807,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -10215,7 +10166,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10223,7 +10174,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10231,7 +10182,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -10247,11 +10198,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -10264,7 +10215,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10292,11 +10243,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30" + "192.168.92.30" ] }, "sysmon": { 
@@ -10360,7 +10309,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10368,7 +10317,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10376,7 +10325,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10397,11 +10346,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -10415,7 +10364,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10443,11 +10392,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -11274,7 +11221,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11282,7 +11229,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11290,7 +11237,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11310,11 +11257,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -11328,7 +11275,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11356,11 +11303,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -11532,7 +11477,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11556,7 +11501,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -11570,7 +11515,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11598,7 +11543,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -11647,7 +11592,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -11655,7 +11600,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11663,7 +11608,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11671,7 +11616,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11688,13 +11633,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -11708,7 +11653,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11736,13 +11681,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -11902,7 +11844,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11910,7 +11852,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11918,7 +11860,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11926,7 +11868,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11951,13 +11893,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
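Review bot: `2001:502:1ca1::30` is still present on the new side of this hunk (the context line `"2001:502:1ca1::30",` in `dns.resolved_ip`) and again in the `related.ip` array and the `event.original` QueryResults string of the following hunks `@@ -11973,7 +11915,7 @@` and `@@ -12000,13 +11942,10 @@`, while the neighbouring `2001:503:*`/`2001:500:*` answers in the same records were replaced; it appears to be the same class of address and was likely missed, so it should be checked against the allowed test-IP list. Since this file is regenerated pipeline output, the substitution belongs in the source fixture's QueryResults value, with these expected `dns.answers`, `dns.resolved_ip` and `related.ip` entries regenerated rather than hand-edited. Separately, mapping four distinct AAAA answers onto one identical address collapses `related.ip` (the deletions in `@@ -11736,13 +11681,10 @@` and the other `ip` hunks), so the fixture no longer exercises several distinct AAAA answers per query; varying the host part within the same allowed block would preserve that coverage.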
@@ -11973,7 +11915,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12000,13 +11942,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -12257,7 +12196,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -12265,7 +12204,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -12273,7 +12212,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -12281,7 +12220,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -12298,13 +12237,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -12318,7 +12257,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12346,13 +12285,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -12590,7 +12526,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12598,7 +12534,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12606,7 +12542,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12614,7 +12550,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12631,13 +12567,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -12651,7 +12587,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12679,13 +12615,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -12730,7 +12663,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12738,7 +12671,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12746,7 +12679,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12754,7 +12687,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12775,13 +12708,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
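Review bot: `2001:502:1ca1::30` is left unchanged as the last element of `dns.resolved_ip` in the hunk at @@ -12775, while its neighbours from the same answer set are replaced; it also remains in `event.original` and `related.ip` at @@ -12796/@@ -12823 and in `resolved_ip` at @@ -13579 and @@ -13627. It does not fall in a private or documentation range any more than the `2001:503:...` and `2001:500:...` addresses being removed, so if the allowlist that motivated this commit rejects those it presumably rejects this one too and the test would still fail on it — worth confirming against the allowlist. Because `event.original`, `dns.resolved_ip` and `related.ip` all derive from the same `QueryResults` text, the replacement should be applied in the source event and the expected output regenerated so the three stay consistent.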
@@ -12796,7 +12729,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12823,13 +12756,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -13022,7 +12952,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -13042,7 +12972,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -13055,7 +12985,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13083,7 +13013,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { @@ -13147,7 +13077,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13167,7 +13097,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -13181,7 +13111,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13210,7 +13140,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -13267,7 +13197,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13275,7 +13205,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13293,9 +13223,9 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30"
 ]
 },
@@ -13309,7 +13239,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13338,9 +13268,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -13417,7 +13346,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13425,7 +13354,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -13445,9 +13374,9 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -13460,7 +13389,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13488,9 +13417,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "192.168.14.30" ] }, "sysmon": { 
@@ -13534,7 +13462,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13542,7 +13470,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13550,7 +13478,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13558,7 +13486,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13579,13 +13507,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -13600,7 +13528,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13627,13 +13555,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -13687,7 +13612,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13695,7 +13620,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13703,7 +13628,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13720,11 +13645,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30"
 ]
 },
@@ -13738,7 +13663,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13767,11 +13692,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -13820,7 +13743,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13828,7 +13751,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13836,7 +13759,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13844,7 +13767,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13861,13 +13784,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -13881,7 +13804,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13909,13 +13832,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -13964,7 +13884,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13972,7 +13892,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13980,7 +13900,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -13988,7 +13908,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -14005,13 +13925,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -14025,7 +13945,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -14053,13 +13973,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -15598,7 +15515,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15606,7 +15523,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15614,7 +15531,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15622,7 +15539,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15647,13 +15564,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -15669,7 +15586,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15696,13 +15613,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15749,7 +15663,7 @@
 "type": "A"
 },
 {
- "data": "98.138.49.44",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
@@ -15769,7 +15683,7 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "98.138.49.44",
+ "81.2.69.143",
 "89.160.20.156",
 "89.160.20.156"
 ]
@@ -15784,7 +15698,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15811,7 +15725,7 @@ ], "ip": [ "89.160.20.156", - "98.138.49.44" + "81.2.69.143" ] }, "sysmon": { @@ -15957,7 +15871,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -15965,7 +15879,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -15973,7 +15887,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15981,7 +15895,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16002,13 +15916,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -16023,7 +15937,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16050,13 +15964,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -16298,7 +16209,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16306,7 +16217,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16314,7 +16225,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16334,11 +16245,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30"
 ]
 },
@@ -16352,7 +16263,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16380,11 +16291,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -16791,7 +16700,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16815,7 +16724,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -16829,7 +16738,7 @@ "code": "22", "created": "2019-07-18T03:34:09.053Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16858,7 +16767,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -17030,7 +16939,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -17054,7 +16963,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -17068,7 +16977,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17096,7 +17005,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -17141,7 +17050,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -17149,7 +17058,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17157,7 +17066,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17165,7 +17074,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17190,13 +17099,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
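Review bot: The new side of the `resolved_ip` hunk here still carries `2001:502:1ca1::30` as an unchanged entry, and later hunks in this file keep `2001:502:1ca1::30`, `2001:503:d414::30`, `2001:503:eea3::30`, `2001:502:8cc::30`, `2001:503:39c1::30` and `2001:502:7094::30` in the `original`/QueryResults strings and `ip` arrays (L344, L348, L350, L351, L354, L355). If those addresses are outside the allowed-address list the fixture validator enforces, the test will fail for the same reason the replaced ones did; if they are inside it, naming the list in the PR description would save the next reader that check. Substituting the single address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` for four distinct AAAA answers also leaves this `resolved_ip` array with four identical entries, so the fixture no longer reflects distinct records; distinct addresses from the same permitted block, if the block allows it, would keep the sample closer to real resolver output. The enclosing event object starts and ends outside this hunk.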
@@ -17212,7 +17121,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17239,13 +17148,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -17296,7 +17202,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17304,7 +17210,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17312,7 +17218,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17320,7 +17226,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17338,13 +17244,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -17358,7 +17264,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17385,13 +17291,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -17570,7 +17473,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17578,7 +17481,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17586,7 +17489,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17594,7 +17497,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17616,13 +17519,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17637,7 +17540,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17664,13 +17567,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17760,11 +17660,11 @@ "type": "A" }, { - "data": "198.7.56.229", + "data": "216.160.83.61", "type": "A" }, { - "data": "198.7.56.231", + "data": "216.160.83.61", "type": "A" }, { @@ -17844,7 +17744,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17852,7 +17752,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17860,7 +17760,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17868,7 +17768,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17939,8 +17839,8 @@ "89.160.20.156", "89.160.20.156", "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.61", + "216.160.83.61", "89.160.20.156", "89.160.20.156", "89.160.20.156", @@ -17960,13 +17860,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", 
@@ -17991,7 +17891,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -18018,16 +17918,12 @@ ], "ip": [ "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.61", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", @@ -18131,7 +18027,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -18155,7 +18051,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -18168,7 +18064,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18196,7 +18092,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { 
@@ -18621,7 +18517,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18629,7 +18525,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18637,7 +18533,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18658,11 +18554,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30"
 ]
 },
@@ -18676,7 +18572,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18703,11 +18599,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
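Review bot: Replacing every AAAA answer with the same address collapses the expected `related.ip` list in the `@@ -18703,11 +18599,9 @@` hunk from three distinct IPv6 entries to one, and the same collapse appears at `@@ -18850`, `@@ -19088`, `@@ -19239`, `@@ -19509`, `@@ -19853` and `@@ -20112`. After this change the fixture no longer checks that the pipeline carries several distinct AAAA results per query through to `related.ip` and `resolved_ip`, which these multi-answer events were presumably exercising, and the `resolved_ip` arrays now hold the same value repeated. If the allow-list the commit title refers to accepts them, distinct addresses from the documentation prefix `2001:db8::/32` (RFC 3849) would keep the previous cardinality, for example `2001:db8::1`, `2001:db8::2` and `2001:db8::3` in place of the three former addresses. The deduplication itself matches the old side, where `related.ip` already listed 89.160.20.156 once despite its repeats in QueryResults, so the new expectations look consistent with the pipeline; this is a coverage question rather than a correctness one.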
@@ -18764,7 +18658,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18772,7 +18666,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18780,7 +18674,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -18788,7 +18682,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -18804,13 +18698,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -18823,7 +18717,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18850,13 +18744,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -18999,7 +18890,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19007,7 +18898,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19015,7 +18906,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19023,7 +18914,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19040,13 +18931,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -19060,7 +18951,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19088,13 +18979,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -19150,7 +19038,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19158,7 +19046,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19166,7 +19054,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19174,7 +19062,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19191,13 +19079,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -19211,7 +19099,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19239,13 +19127,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -19438,7 +19323,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19446,7 +19331,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19463,9 +19348,9 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30"
 ]
 },
@@ -19479,7 +19364,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19509,9 +19394,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -19764,7 +19648,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -19772,7 +19656,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19780,7 +19664,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19788,7 +19672,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -19805,13 +19689,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -19825,7 +19709,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19853,13 +19737,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -20026,7 +19907,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -20034,7 +19915,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -20042,7 +19923,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -20050,7 +19931,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -20066,13 +19947,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -20085,7 +19966,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -20112,13 +19993,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -21351,7 +21229,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -21359,7 +21237,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -21367,7 +21245,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -21380,11 +21258,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -21397,7 +21275,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21426,11 +21304,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30" + "192.168.92.30" ] }, "sysmon": { 
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json index 577c9798a8f..48d94e7f399 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json 
@@ -517,7 +517,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
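Review bot: The new `QueryResults` on the `+` line of this hunk replaces three distinct AAAA answers (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`) with the single address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` repeated three times, so the fixture no longer demonstrates that every AAAA record in a response survives parsing. The expected output of the parallel sysmon fixture earlier in this diff shows the consequence: its `related.ip` array shrinks from nine entries to six because identical addresses collapse into one, which means a parser that silently dropped one of the IPv6 answers would now yield the same expected document. If the check that rejected the original addresses accepts neighbours of the replacement (it accepted this one, so presumably yes — worth confirming), prefer distinct values such as `…:e09a:6fc6`, `…:e09a:6fc7`, `…:e09a:6fc8`, and mirror the change in the `winlog.event_data.QueryResults` copy of this event in the next hunk, which this commit keeps in sync with `event.original`. The same single-address substitution is used in the remaining hunks of this file, so the point applies to each of them.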
@@ -541,7 +541,7 @@ } }, "event_data": { - "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.274", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1041,7 +1041,7 @@ "event_data": { "QueryName": "nym1-ib.adnxs.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.633", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1060,7 +1060,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1107,7 +1107,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1127,7 +1127,7 @@ "event_data": { "QueryName": "px.ads.linkedin.com", "QueryStatus": "0", - "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.727", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1193,7 +1193,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
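Review bot: `2001:502:1ca1::30` is still present on the new `+` line of `QueryResults`, between `192.168.94.30` and `192.168.51.30`, while the neighbouring `2001:503:…` and `2001:500:856e::30` answers in the same string were replaced. Given the commit's stated goal of removing addresses that are not allowed in tests, this looks like an oversight rather than a deliberate exception — unless the check only flags addresses that reach a validated output field and this one does not, which is worth confirming. If it is an oversight, substitute it on this line (for example with another address from the same block used elsewhere in this commit, varying the last hextet) and apply the identical change in the matching `winlog.event_data.QueryResults` hunk that follows, which carries the same leftover, so the two representations of the event stay consistent; the expected file for this fixture would then need to be regenerated.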
@@ -1212,7 +1212,7 @@ "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792" }, 
@@ -1236,7 +1236,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1255,7 +1255,7 @@ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "information", "event_data": { - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1314,7 +1314,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1326,7 +1326,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.821", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1392,7 +1392,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1416,7 +1416,7 @@
 "ProcessId": "2736",
 "QueryName": "protected-by.clarium.io",
 "QueryStatus": "0",
- "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;",
+ "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1560,7 +1560,7 @@
 "event_data": {
 "QueryName": "onevideosync.uplynk.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.844",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1589,7 +1589,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1723,7 +1723,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1746,7 +1746,7 @@
 "ProcessId": "2736",
 "QueryName": "pm.w55c.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1762,7 +1762,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
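Review bot: In the new `QueryResults` value of this hunk, four distinct IPv6 answers (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`) are all rewritten to the same `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, while the fifth, `2001:502:1ca1::30`, is left untouched; the same asymmetry is in the -1789 and -1852 hunks and in the -1880 hunk that follow. If `2001:502:1ca1::30` is on the allowed list the asymmetry is fine but deserves a sentence in the commit message, otherwise it looks like it was missed. Collapsing five distinct resolved addresses into one address repeated four times also changes the shape of this fixture, so any downstream de-duplication of resolved IPs (if the pipeline performs one) is no longer exercised by this event; using several distinct addresses from the same allowed prefix would preserve the original coverage. The enclosing JSON object starts and ends outside the hunk.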
@@ -1789,7 +1789,7 @@
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.093",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1852,7 +1852,7 @@
 "ProcessId": "2736",
 "QueryName": "cm.adgrx.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -1880,7 +1880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1903,7 +1903,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.107",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1921,7 +1921,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2160,7 +2160,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2186,7 +2186,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2257,7 +2257,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2278,7 +2278,7 @@
 "ProcessId": "2736",
 "QueryName": "image2.pubmatic.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
+ "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;"
 },
 "process": {
 "thread": {
@@ -2344,7 +2344,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2370,7 +2370,7 @@
 "computer_name": "vagrant-2016",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "event_data": {
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.222",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2429,7 +2429,7 @@
 "event_data": {
 "QueryName": "urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.271",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2457,7 +2457,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2684,7 +2684,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -2705,7 +2705,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2849,7 +2849,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "level": "information",
@@ -2871,7 +2871,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3179,7 +3179,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3202,7 +3202,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.581"
 },
@@ -3950,7 +3950,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -3976,7 +3976,7 @@
 "event_data": {
 "QueryName": "pixel.adsafeprotected.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -3995,7 +3995,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4007,7 +4007,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4037,7 +4037,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
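Review bot: The new QueryResults value in this hunk (and in hunks -4051, -5029 and -5040) still ends with `2001:502:1ca1::30`, a public, non-documentation IPv6 address of the same kind as the 2001:503:… and 2001:500:… values the commit replaces, so the fixture does not fully match the stated goal of removing disallowed IPs; whether the allowlist check simply does not cover 2001:502::/32 is worth confirming rather than assuming it is permitted. Separately, every replaced address becomes the same `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so a result list that previously held four distinct IPv6 answers now holds one value repeated; if the pipeline deduplicates answers into fields such as dns.resolved_ip or related.ip (not visible in this hunk), those expected arrays presumably shrank and the test no longer checks that distinct answers survive parsing. Using several distinct documentation-prefix addresses instead (constructed example: `2001:db8::1`, `2001:db8::2`, `2001:db8::3`, `2001:db8::4`) would keep that coverage while still satisfying the IP restriction. The enclosing JSON object starts and ends outside the hunk.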
@@ -4051,7 +4051,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4080,7 +4080,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4110,7 +4110,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4261,7 +4261,7 @@
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;",
+ "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.137",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4280,7 +4280,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4289,7 +4289,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4309,7 +4309,7 @@
 "event_data": {
 "QueryName": "farm.plista.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
+ "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.141",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4810,7 +4810,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.mathtag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;"
+ "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;"
 },
 "record_id": 141,
 "event_id": "22",
@@ -4830,7 +4830,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4892,7 +4892,7 @@
 "time_created": "2019-07-18T03:34:04.692Z",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;",
+ "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4915,7 +4915,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4940,7 +4940,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -4956,7 +4956,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5029,7 +5029,7 @@
 "event_data": {
 "QueryName": "idsync.rlcdn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.237",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5040,7 +5040,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
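Review bot: The `+` `event.original` string still carries `2001:502:1ca1::30` inside `QueryResults` although every other non-private IPv6 address in the same list was replaced with `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`. That address is not in a reserved or documentation range, so it is presumably subject to the same restriction the commit is fixing; leaving it means the fixture is only partially sanitised. Replace `2001:502:1ca1::30;192.168.51.30;` with `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.51.30;` here, and keep the `winlog.event_data.QueryResults` copy of the same event in step, since both are derived from one input record. The JSON object this belongs to begins before the hunk.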
@@ -5139,7 +5139,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5166,7 +5166,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5262,7 +5262,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5279,7 +5279,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5312,7 +5312,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
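Review bot: In the second hunk on this line (`prod.y-medialink.com`), the `+` `QueryResults` value still ends with `2001:502:1ca1::30;` even though the four preceding public IPv6 answers were all rewritten to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`. The address is ordinary global unicast (not `2001:db8::/32`), so unless the allow-list this commit targets explicitly permits it, it should be replaced the same way: `...192.168.94.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;`. The corresponding `event.original` string for this event and the raw test input need the identical change so the expected file stays consistent. The surrounding object is cut at both ends of the hunk.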
@@ -5334,7 +5334,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
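Review bot: `2001:502:1ca1::30` is left untouched in the `+` `event.original` value for `prod.y-medialink.com`, while its siblings earlier in the `QueryResults` list were all replaced with `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`. Since it is in the same non-reserved range as the addresses that were removed, this looks like an incomplete sweep rather than an intentional exception, though I cannot see the policy the title refers to. Changing `2001:502:1ca1::30;` to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;` in this string, in the `event_data.QueryResults` copy, and in the input event keeps all three in agreement. The enclosing object begins before the hunk.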
@@ -5388,7 +5388,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5400,7 +5400,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5430,7 +5430,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5449,7 +5449,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5472,7 +5472,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5489,7 +5489,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5511,7 +5511,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5523,7 +5523,7 @@
 "identifier": "S-1-5-18"
 },
 "event_data": {
- "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;",
+ "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.534",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5575,7 +5575,7 @@
 "event_data": {
 "QueryName": "tags.rd.linksynergy.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.601",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
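Review bot: `2001:502:1ca1::30` is left untouched at the end of the new `QueryResults` line in the @@ -5575 hunk while the neighbouring `2001:503:`/`2001:500:` answers on the same line are rewritten, and the same leftover appears in the @@ -6381 and @@ -6513 hunks; if the allow-list behind this commit rejects those prefixes it presumably rejects this one too, so confirm it passes before merging. Folding four distinct IPv6 answers onto the single value `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` also makes the fixture less discriminating than before, since a pipeline that dropped or reordered answers could still match the expected string; using a second allowed address for the alternate positions would keep the test sensitive. If this file is generated expected output, the substitution belongs in the pipeline test input it is produced from, with this file regenerated rather than hand-edited.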
@@ -5586,7 +5586,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5600,7 +5600,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5609,7 +5609,7 @@
 "ProcessId": "2736",
 "QueryName": "rtb-csync.smartadserver.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
+ "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.604"
 },
@@ -5638,7 +5638,7 @@
 "@timestamp": "2021-05-05T15:30:51.707Z",
 "winlog": {
 "event_data": {
- "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.621",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5670,7 +5670,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5682,7 +5682,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5696,7 +5696,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.822",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6365,7 +6365,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6381,7 +6381,7 @@
 "event_data": {
 "QueryName": "rp.gwallet.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.943",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6408,7 +6408,7 @@ "@timestamp": "2021-05-05T15:30:51.709Z", "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6416,7 +6416,7 @@
 "event_data": {
 "QueryName": "ads.yahoo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;",
+ "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.945",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6513,7 +6513,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.955",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6534,7 +6534,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6644,7 +6644,7 @@
 "ProcessId": "2736",
 "QueryName": "s.thebrighttag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
+ "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -6654,7 +6654,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6792,7 +6792,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6821,7 +6821,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6880,7 +6880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6890,7 +6890,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6923,7 +6923,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
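Review bot: The rewrite of the new `QueryResults` value on the `+` line stops after the fourth IPv6 address: `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` all become `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, while `2001:502:1ca1::30` in the same list is kept as-is. If that address (and `2001:503:d414::30`, `2001:503:eea3::30`, `2001:502:8cc::30`, `2001:503:39c1::30`, `2001:502:7094::30` in the later hunks) is on the allowed list, a one-line mention in the description would save the next reader the question; if it is not, it presumably needs the same treatment given the commit title. The same partial replacement appears in the hunks at -6940, -7052, -7080, -7089 and -7113. Collapsing four distinct answers onto one value also means this expected output no longer distinguishes those resolved addresses, which matters only if something downstream asserts on them. The enclosing JSON document continues outside this hunk.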
@@ -6940,7 +6940,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6963,7 +6963,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6975,7 +6975,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7052,7 +7052,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7080,7 +7080,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7089,7 +7089,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7113,7 +7113,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7144,7 +7144,7 @@
 "event_data": {
 "QueryName": "tg.socdm.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;",
+ "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.619",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7161,7 +7161,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7350,7 +7350,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7362,7 +7362,7 @@
 "ProcessId": "2736",
 "QueryName": "cdnjs.cloudflare.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "version": 5,
@@ -7389,7 +7389,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7404,7 +7404,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.051",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7495,7 +7495,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.trust-provider.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 }
 },
@@ -7503,7 +7503,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7518,7 +7518,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7527,7 +7527,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca4.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.184"
 },
@@ -7606,7 +7606,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7617,7 +7617,7 @@
 "event_data": {
 "QueryName": "match.sync.ad.cpe.dotomi.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;",
+ "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.730",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7753,7 +7753,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;",
+ "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.329",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7777,7 +7777,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7829,7 +7829,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7859,7 +7859,7 @@
 "ProcessId": "2736",
 "QueryName": "syndication.twitter.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;"
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;"
 }
 },
 "log": {
@@ -8533,7 +8533,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8550,7 +8550,7 @@
 "ProcessId": "356",
 "QueryName": "c.urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;"
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_id": "22",
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
index e2dc82e9654..9fb68a86313 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
@@ -1204,7 +1204,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -1212,7 +1212,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -1220,7 +1220,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -1238,11 +1238,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30"
 ]
 },
@@ -1256,7 +1256,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1285,11 +1285,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
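Review bot: Substituting a single address for every AAAA answer shrinks the `ip` array (presumably `related.ip`) in the `@@ -1285,11 +1285,9 @@` hunk from five distinct entries to three — the `2001:503:231d::2:30` and `2001:503:83eb::30` lines are dropped rather than replaced — so the expected output no longer verifies that each distinct AAAA record in `QueryResults` is carried into the related-IP set; the same collapse occurs in the `@@ -2514`, `@@ -2802` and `@@ -3063` hunks. If the intent is only to avoid real routable addresses, distinct values from the IPv6 documentation prefix `2001:db8::/32` (RFC 3849) would keep the de-duplication path covered, e.g. constructed values such as `2001:db8::1`, `2001:db8::2` and `2001:db8::3` in place of the three original answers. The enclosing JSON object starts and ends outside the hunk.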
@@ -2439,7 +2437,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2447,7 +2445,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2471,9 +2469,9 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30"
 ]
 },
@@ -2487,7 +2485,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2514,9 +2512,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -2712,7 +2709,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -2720,7 +2717,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2728,7 +2725,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2736,7 +2733,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2753,13 +2750,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -2773,7 +2770,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2802,13 +2799,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -2965,7 +2959,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2973,7 +2967,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2981,7 +2975,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -2989,7 +2983,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -3014,13 +3008,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
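Review bot: `2001:502:1ca1::30` is left unchanged in the `resolved_ip` list of the `@@ -3014,13 +3008,13 @@` hunk while its siblings `2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30` and `2001:500:856e::30` are all replaced; the same address also survives in the `@@ -3063` hunk and in the `event.original` string of the `@@ -3036` hunk. If the rule that rejected the replaced addresses is a prefix or range allowlist rather than a fixed set of literals, this value is likely to fail it as well, so it is worth checking against the allowed set and replacing it in the same way if it does. The enclosing JSON object starts and ends outside the hunk.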
@@ -3036,7 +3030,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3063,13 +3057,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3152,7 +3143,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -3176,7 +3167,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -3190,7 +3181,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3219,7 +3210,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -3382,7 +3373,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -3405,7 +3396,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -3419,7 +3410,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3447,7 +3438,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -3619,7 +3610,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], 
@@ -3639,7 +3630,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -3652,7 +3643,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3680,7 +3671,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { @@ -4050,7 +4041,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4068,7 +4059,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -4082,7 +4073,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4112,7 +4103,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -4451,7 +4442,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4475,7 +4466,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -4489,7 +4480,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4517,7 +4508,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -4562,7 +4553,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -4570,7 +4561,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4578,7 +4569,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4586,7 +4577,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4611,13 +4602,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -4633,7 +4624,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4660,13 +4651,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
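Review bot: Mapping four distinct IPv6 answers (2001:503:a83e::2:30, 2001:503:231d::2:30, 2001:503:83eb::30, 2001:500:856e::30) onto the single address 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 makes the `related.ip` hunk at 4660 shrink from 13 to 10 entries, so this fixture no longer checks that several different AAAA answers from one QueryResults string are each collected into `related.ip`; the hunks at 4901, 5046 and 5616 collapse the same way. Using a distinct address from the allowed test range for each of the four answers would keep the substitution while preserving that coverage, and the `-expected.json` should then be regenerated rather than edited in place so `original`, `dns.answers` and `related.ip` stay consistent. The new side still carries `2001:502:1ca1::30` (resolved_ip at 4611 and related.ip here); if that address is not on the allowed list either, it appears to have been overlooked by the substitution.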
@@ -4807,7 +4795,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4815,7 +4803,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4823,7 +4811,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4831,7 +4819,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4852,13 +4840,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -4873,7 +4861,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4901,13 +4889,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -4961,7 +4946,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4969,7 +4954,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4977,7 +4962,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -4985,7 +4970,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -4998,13 +4983,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -5017,7 +5002,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5046,13 +5031,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -5532,7 +5514,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5540,7 +5522,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5548,7 +5530,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5556,7 +5538,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -5569,13 +5551,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -5588,7 +5570,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5616,13 +5598,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -5776,7 +5755,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5784,7 +5763,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5792,7 +5771,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -5800,7 +5779,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -5813,13 +5792,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -5832,7 +5811,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5861,13 +5840,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -6023,7 +5999,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6031,7 +6007,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6039,7 +6015,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6047,7 +6023,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -6063,13 +6039,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -6082,7 +6058,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6109,13 +6085,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -6267,7 +6240,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6275,7 +6248,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6292,9 +6265,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30" ] }, 
@@ -6308,7 +6281,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6337,9 +6310,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -6769,7 +6741,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -6777,7 +6749,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6785,7 +6757,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6793,7 +6765,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -6810,13 +6782,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -6830,7 +6802,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6858,13 +6830,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -7153,7 +7122,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7161,7 +7130,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7169,7 +7138,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7177,7 +7146,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7194,13 +7163,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -7214,7 +7183,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7242,13 +7211,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -7810,7 +7776,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7818,7 +7784,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7826,7 +7792,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7834,7 +7800,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -7851,13 +7817,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -7871,7 +7837,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7899,13 +7865,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9210,7 +9173,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -9218,7 +9181,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -9226,7 +9189,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -9234,7 +9197,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -9251,13 +9214,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -9271,7 +9234,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9299,13 +9262,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9358,7 +9318,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9366,7 +9326,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9374,7 +9334,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9382,7 +9342,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9400,13 +9360,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -9420,7 +9380,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9447,13 +9407,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -9502,7 +9459,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9510,7 +9467,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9518,7 +9475,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9526,7 +9483,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9548,13 +9505,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
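Review bot: `2001:502:1ca1::30` is kept as a context line at the end of this `dns.resolved_ip` hunk, and again in the `related.ip` hunk ending at L613, while the neighbouring `2001:503:...` and `2001:500:...` addresses are swapped out. It looks like the same family of addresses the commit title describes as not allowed, so it may simply have been missed; if it is in fact permitted, saying so in the commit description would document the exception for whoever regenerates these expected files next.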
@@ -9569,7 +9526,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9596,13 +9553,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -9652,7 +9606,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9660,7 +9614,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9668,7 +9622,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9676,7 +9630,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -9693,13 +9647,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -9713,7 +9667,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9741,13 +9695,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -10103,7 +10054,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -10111,7 +10062,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -10119,7 +10070,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -10135,11 +10086,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -10152,7 +10103,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10180,11 +10131,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30" + "192.168.92.30" ] }, "sysmon": { 
@@ -10248,7 +10197,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10256,7 +10205,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10264,7 +10213,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -10285,11 +10234,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -10303,7 +10252,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10331,11 +10280,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -11162,7 +11109,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11170,7 +11117,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11178,7 +11125,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -11198,11 +11145,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -11216,7 +11163,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11244,11 +11191,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -11420,7 +11365,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11444,7 +11389,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -11458,7 +11403,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11486,7 +11431,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -11535,7 +11480,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -11543,7 +11488,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11551,7 +11496,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11559,7 +11504,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11576,13 +11521,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -11596,7 +11541,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11624,13 +11569,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -11790,7 +11732,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11798,7 +11740,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11806,7 +11748,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11814,7 +11756,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -11839,13 +11781,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
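Review bot: `"2001:502:1ca1::30"` is left untouched in the `resolved_ip` array of the `@@ -11839,13 +11781,13 @@` hunk while the four neighbouring `2001:50x:…` AAAA answers are rewritten to `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`; the same leftover is visible in the hunks at `@@ -11888,13 +11830,10 @@`, `@@ -12663,13 +12596,13 @@` and `@@ -12711,13 +12644,10 @@`. Unless that address is on the allow-list the commit title refers to, it is presumably a public address of the same kind the change is removing (it is not in the `2001:db8::/32` documentation range), and the matching `QueryResults` text inside the `event.original` strings still carries it too, so the replacement should be applied consistently in the pipeline input and this expected file regenerated rather than patched by hand. Since four distinct AAAA answers now collapse to one value, the shorter `related.ip` arrays (13 → 10 lines) appear to be the expected de-duplication rather than lost data.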
@@ -11861,7 +11803,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11888,13 +11830,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -12145,7 +12084,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12153,7 +12092,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12161,7 +12100,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12169,7 +12108,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12186,13 +12125,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -12206,7 +12145,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12234,13 +12173,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -12478,7 +12414,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12486,7 +12422,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12494,7 +12430,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12502,7 +12438,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12519,13 +12455,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -12539,7 +12475,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12567,13 +12503,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -12618,7 +12551,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12626,7 +12559,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12634,7 +12567,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12642,7 +12575,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -12663,13 +12596,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -12684,7 +12617,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12711,13 +12644,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -12910,7 +12840,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 }
 ],
@@ -12930,7 +12860,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30"
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ]
 },
 "ecs": {
@@ -12943,7 +12873,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12971,7 +12901,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { @@ -13035,7 +12965,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13055,7 +12985,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, 
@@ -13069,7 +12999,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13098,7 +13028,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30" ] }, @@ -13155,7 +13085,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13163,7 +13093,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13181,9 +13111,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30" ] }, 
@@ -13197,7 +13127,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13226,9 +13156,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -13305,7 +13234,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -13313,7 +13242,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -13333,9 +13262,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -13348,7 +13277,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13376,9 +13305,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "192.168.14.30" ] }, "sysmon": { 
@@ -13422,7 +13350,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13430,7 +13358,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13438,7 +13366,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13446,7 +13374,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13467,13 +13395,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
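Review bot: In the `dns.answers` and `dns.resolved_ip` hunks here, four previously distinct AAAA answers (`2001:503:a83e::2:30`, `2001:503:231d::2:30`, `2001:503:83eb::30`, `2001:500:856e::30`) are all replaced with the single address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, so the fixture no longer demonstrates that several different AAAA records from one QueryResults string are parsed and preserved, and the `related.ip` dedup in the sibling hunks now collapses them to one entry. If the allowed-IP list offers more than one IPv6 address, using distinct ones per answer (documentation-range `2001:db8::` addresses, if the validator accepts them — I cannot confirm the list from here) would keep that coverage. Note also that `2001:502:1ca1::30` is left untouched in the same `resolved_ip` list; if it is on the allowed list that is fine, otherwise it will trip the same check. The enclosing JSON event object starts and ends outside these hunks.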
@@ -13488,7 +13416,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13515,13 +13443,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -13575,7 +13500,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13583,7 +13508,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13591,7 +13516,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13608,11 +13533,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -13626,7 +13551,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13655,11 +13580,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -13708,7 +13631,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13716,7 +13639,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13724,7 +13647,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13732,7 +13655,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13749,13 +13672,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -13769,7 +13692,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13797,13 +13720,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -13852,7 +13772,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13860,7 +13780,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13868,7 +13788,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13876,7 +13796,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -13893,13 +13813,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -13913,7 +13833,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13941,13 +13861,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -15486,7 +15403,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -15494,7 +15411,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -15502,7 +15419,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -15510,7 +15427,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -15535,13 +15452,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15557,7 +15474,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:08.054Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -15584,13 +15501,10 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -15637,7 +15551,7 @@
 "type": "A"
 },
 {
- "data": "98.138.49.44",
+ "data": "81.2.69.143",
 "type": "A"
 },
 {
@@ -15657,7 +15571,7 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "98.138.49.44",
+ "81.2.69.143",
 "89.160.20.156",
 "89.160.20.156"
 ]
@@ -15672,7 +15586,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:08.054Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:81.2.69.143;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -15699,7 +15613,7 @@
 ],
 "ip": [
 "89.160.20.156",
- "98.138.49.44"
+ "81.2.69.143"
 ]
 },
 "sysmon": {
@@ -15845,7 +15759,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15853,7 +15767,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15861,7 +15775,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15869,7 +15783,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -15890,13 +15804,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -15911,7 +15825,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:08.054Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -15938,13 +15852,10 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -16186,7 +16097,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16194,7 +16105,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16202,7 +16113,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16222,11 +16133,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30"
 ]
 },
@@ -16240,7 +16151,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:08.054Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -16268,11 +16179,9 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -16679,7 +16588,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16703,7 +16612,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -16717,7 +16626,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:09.053Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -16746,7 +16655,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -16918,7 +16827,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -16942,7 +16851,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -16956,7 +16865,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:09.067Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -16984,7 +16893,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30"
 ]
 },
@@ -17029,7 +16938,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17037,7 +16946,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17045,7 +16954,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17053,7 +16962,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17078,13 +16987,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -17100,7 +17009,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:09.067Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -17127,13 +17036,10 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
 "192.168.92.30",
- "2001:503:83eb::30",
 "192.168.80.30",
- "2001:500:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -17184,7 +17090,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:a83e::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17192,7 +17098,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:231d::2:30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17200,7 +17106,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:83eb::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17208,7 +17114,7 @@
 "type": "A"
 },
 {
- "data": "2001:500:856e::30",
+ "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "type": "AAAA"
 },
 {
@@ -17226,13 +17132,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2001:503:a83e::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.14.30",
- "2001:503:231d::2:30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.92.30",
- "2001:503:83eb::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.80.30",
- "2001:500:856e::30",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
 "192.168.94.30"
 ]
 },
@@ -17246,7 +17152,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17273,13 +17179,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -17458,7 +17361,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17466,7 +17369,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17474,7 +17377,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17482,7 +17385,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17504,13 +17407,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17525,7 +17428,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17552,13 +17455,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17648,11 +17548,11 @@ "type": "A" }, { - "data": "198.7.56.229", + "data": "216.160.83.61", "type": "A" }, { - "data": "198.7.56.231", + "data": "216.160.83.61", "type": "A" }, { @@ -17732,7 +17632,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17740,7 +17640,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17748,7 +17648,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17756,7 +17656,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -17827,8 +17727,8 @@ "89.160.20.156", "89.160.20.156", "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.61", + "216.160.83.61", "89.160.20.156", "89.160.20.156", "89.160.20.156", @@ -17848,13 +17748,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", 
@@ -17879,7 +17779,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -17906,16 +17806,12 @@ ], "ip": [ "89.160.20.156", - "198.7.56.229", - "198.7.56.231", + "216.160.83.61", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", @@ -18019,7 +17915,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -18043,7 +17939,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -18056,7 +17952,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18084,7 +17980,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "sysmon": { 
@@ -18509,7 +18405,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18517,7 +18413,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18525,7 +18421,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18546,11 +18442,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30" ] }, 
@@ -18564,7 +18460,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18591,11 +18487,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30" ] }, 
@@ -18652,7 +18546,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18660,7 +18554,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18668,7 +18562,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18676,7 +18570,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -18692,13 +18586,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -18711,7 +18605,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18738,13 +18632,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -18887,7 +18778,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18895,7 +18786,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18903,7 +18794,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18911,7 +18802,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -18928,13 +18819,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -18948,7 +18839,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18976,13 +18867,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -19038,7 +18926,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19046,7 +18934,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19054,7 +18942,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19062,7 +18950,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19079,13 +18967,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -19099,7 +18987,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19127,13 +19015,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -19326,7 +19211,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19334,7 +19219,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19351,9 +19236,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30" ] }, 
@@ -19367,7 +19252,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19397,9 +19282,8 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30" ] }, @@ -19652,7 +19536,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { 
@@ -19660,7 +19544,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19668,7 +19552,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19676,7 +19560,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19693,13 +19577,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.94.30" ] }, 
@@ -19713,7 +19597,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19741,13 +19625,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", "192.168.80.30", - "2001:500:856e::30", "192.168.94.30" ] }, 
@@ -19914,7 +19795,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19922,7 +19803,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19930,7 +19811,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -19938,7 +19819,7 @@ "type": "A" }, { - "data": "2001:500:856e::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -19954,13 +19835,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.80.30", - "2001:500:856e::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -19973,7 +19854,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -20000,13 +19881,10 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30" + "192.168.80.30" ] }, "sysmon": { 
@@ -21245,7 +21123,7 @@ "type": "A" }, { - "data": "2001:503:a83e::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -21253,7 +21131,7 @@ "type": "A" }, { - "data": "2001:503:231d::2:30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" }, { @@ -21261,7 +21139,7 @@ "type": "A" }, { - "data": "2001:503:83eb::30", + "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "type": "AAAA" } ], @@ -21274,11 +21152,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.92.30", - "2001:503:83eb::30" + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ] }, "ecs": { 
@@ -21291,7 +21169,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21320,11 +21198,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2001:503:a83e::2:30", + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30" + "192.168.92.30" ] }, "sysmon": { 
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
index 01a26e3067a..6c1297d7e7f 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
@@ -6,4 +6,4 @@
 {"ts":1617105597.390017,"uid":"CkQ7DU1qCEGKL5xgg6","id.orig_h":"10.156.0.2","id.orig_p":42609,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":23824,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
 {"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["89.160.20.156"],"TTLs":[119.0],"rejected":false}
 {"ts":1617105597.761449,"uid":"C86PHA3q1KAtU7gAkb","id.orig_h":"10.156.0.2","id.orig_p":41064,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":46754,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[250.0,250.0,250.0],"rejected":false}
-{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","81.2.69.143","89.160.20.156","1.128.3.4","89.160.20.156","1.128.3.435","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
index a3a633526de..e0b65b16876 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
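Review bot: `1.128.3.435` in the added dns.log line is not a valid IPv4 address (an octet cannot exceed 255), so the substitute chosen for `40.126.31.135` is malformed. The same literal is added to test-dns.log and to the `answers`/`data` entries of test-dns.log-expected.json, whose `resolved_ip` hunk removes `40.126.31.135` and `40.126.31.6` but adds only `81.2.69.193` — consistent with the ingest pipeline rejecting the malformed value as a non-IP, so the expected output silently changes shape instead of exercising four substituted answers. Use an in-range octet in the same test prefix (constructed example: `1.128.3.135`) in both log files and regenerate the expected file so `resolved_ip` keeps all four replacements.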
@@ -3,6 +3,6 @@
 {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
 {"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[13.0,18.0,8.0],"rejected":false}
 {"ts":1617105592.973919,"uid":"CO5TE748RoJEZuOThl","id.orig_h":"10.156.0.2","id.orig_p":60444,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":35744,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[296.0,287.0,287.0],"rejected":false}
-{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","40.126.31.143","89.160.20.156","40.126.31.1","89.160.20.156","40.126.31.135","40.126.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","81.2.69.143","89.160.20.156","1.128.3.4","89.160.20.156","1.128.3.435","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
 {"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[12.0,17.0,7.0],"rejected":false}
 {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dns.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json index e3787ffdd3e..0bbb198f401 100644 --- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json @@ -482,7 +482,7 @@ "ttl": 243 }, { - "data": "40.126.31.143", + "data": "81.2.69.143", "ttl": 243 }, { @@ -490,7 +490,7 @@ "ttl": 243 }, { - "data": "40.126.31.1", + "data": "1.128.3.4", "ttl": 243 }, { @@ -498,11 +498,11 @@ "ttl": 243 }, { - "data": "40.126.31.135", + "data": "1.128.3.435", "ttl": 243 }, { - "data": "40.126.31.6", + "data": "81.2.69.193", "ttl": 243 }, { @@ -522,12 +522,11 @@ }, "resolved_ip": [ "89.160.20.156", - "40.126.31.143", + "81.2.69.143", "89.160.20.156", - "40.126.31.1", + "1.128.3.4", "89.160.20.156", - "40.126.31.135", - "40.126.31.6", + "81.2.69.193", "89.160.20.156" ], "response_code": "NOERROR", 
@@ -543,7 +542,7 @@ "created": "2020-04-28T11:07:58.223Z", "id": "CG1jsmeHcBCGnWXmk", "kind": "event", - "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"40.126.31.143\",\"89.160.20.156\",\"40.126.31.1\",\"89.160.20.156\",\"40.126.31.135\",\"40.126.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}", + "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"81.2.69.143\",\"89.160.20.156\",\"1.128.3.4\",\"89.160.20.156\",\"1.128.3.435\",\"81.2.69.193\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}", "outcome": "success", "type": [ "connection", @@ -594,12 +593,12 @@ "prda.aadg.msidentity.com", "www.tm.a.prd.aadg.trafficmanager.net", "89.160.20.156", - "40.126.31.143", + "81.2.69.143", "89.160.20.156", - "40.126.31.1", + "1.128.3.4", "89.160.20.156", - "40.126.31.135", - "40.126.31.6", + "1.128.3.435", + "81.2.69.193", "89.160.20.156" ], "query": "login.microsoftonline.com", From 6dc1501e07188b8828d520a1192f262e82e76287 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Tue, 24 May 2022 15:06:34 +0200 Subject: [PATCH 2/5] Remove invalid ips again --- go.mod | 46 +- go.sum | 225 ++-- .../_dev/test/pipeline/test-route53.log | 6 +- .../pipeline/test-route53.log-expected.json | 26 +- .../route53_resolver_logs/sample_event.json | 6 +- packages/aws/docs/route53.md | 6 +- .../docker/sample_logs/eve-dns-4.1.4.ndjson | 4 +- .../_dev/test/pipeline/test-eve-dns-4-1-4.log | 4 +- .../test-eve-dns-4-1-4.log-expected.json | 24 +- .../test-sysmon-operational-events.json | 232 ++-- ...smon-operational-events.json-expected.json | 1116 +++++++++-------- .../_dev/test/pipeline/test-events.json | 232 ++-- .../pipeline/test-events.json-expected.json | 1116 +++++++++-------- .../_dev/deploy/docker/sample_logs/dns.log | 2 +- .../dns/_dev/test/pipeline/test-dns.log | 2 +- .../test/pipeline/test-dns.log-expected.json | 19 +- 16 files changed, 1637 insertions(+), 1429 deletions(-) diff --git a/go.mod b/go.mod index c026841959c..7f2ae6073f2 100644 --- a/go.mod +++ b/go.mod @@ -42,6 +42,7 @@ require ( github.com/elastic/go-ucfg v0.8.5 // indirect github.com/elastic/go-windows v1.0.1 // indirect github.com/elastic/package-spec v1.9.0 // indirect + github.com/emicklei/go-restful v2.9.5+incompatible // indirect github.com/emirpasic/gods v1.12.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect 
@@ -62,13 +63,13 @@ require (
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/btree v1.0.1 // indirect
+ github.com/google/gnostic v0.5.7-v3refs // indirect
 github.com/google/go-cmp v0.5.7 // indirect
 github.com/google/go-github/v32 v32.1.0 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/uuid v1.3.0 // indirect
- github.com/googleapis/gnostic v0.5.5 // indirect
 github.com/gorilla/mux v1.8.0 // indirect
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 github.com/imdario/mergo v0.3.12 // indirect
@@ -98,6 +99,7 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249 // indirect
 github.com/nwaples/rardecode v1.1.2 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
@@ -128,39 +130,41 @@ require (
 go.mongodb.org/mongo-driver v1.8.1 // indirect
 go.starlark.net v0.0.0-20211203141949-70c0e40ae128 // indirect
 go.uber.org/atomic v1.7.0 // indirect
+ go.uber.org/goleak v1.1.12 // indirect
 go.uber.org/multierr v1.6.0 // indirect
 go.uber.org/zap v1.21.0 // indirect
- golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b // indirect
+ golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
- golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
- golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d // indirect
+ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
- golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+ golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 golang.org/x/text v0.3.7 // indirect
- golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
- golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a // indirect
- golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+ golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+ golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/protobuf v1.27.1 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
- helm.sh/helm/v3 v3.8.2 // indirect
+ helm.sh/helm/v3 v3.9.0 // indirect
 howett.net/plist v0.0.0-20201203080718-1454fab16a06 // indirect
- k8s.io/api v0.23.6 // indirect
- k8s.io/apiextensions-apiserver v0.23.5 // indirect
- k8s.io/apimachinery v0.23.6 // indirect
- k8s.io/cli-runtime v0.23.6 // indirect
- k8s.io/client-go v0.23.6 // indirect
- k8s.io/component-base v0.23.5 // indirect
- k8s.io/klog/v2 v2.30.0 // indirect
- k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
- k8s.io/kubectl v0.23.5 // indirect
- k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
+ k8s.io/api v0.24.0 // indirect
+ k8s.io/apiextensions-apiserver v0.24.0 // indirect
+ k8s.io/apimachinery v0.24.0 // indirect
+ k8s.io/cli-runtime v0.24.0 // indirect
+ k8s.io/client-go v0.24.0 // indirect
+ k8s.io/component-base v0.24.0 // indirect
+ k8s.io/klog/v2 v2.60.1 // indirect
+ k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
+ k8s.io/kubectl v0.24.0 // indirect
+ k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
- sigs.k8s.io/kustomize/api v0.10.1 // indirect
- sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect
+ sigs.k8s.io/kustomize/api v0.11.4 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+replace github.com/elastic/elastic-package => github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1
diff --git a/go.sum b/go.sum
index 752eb9f1ad3..13c70b30453 100644
--- a/go.sum
+++ b/go.sum
@@ -27,7 +27,6 @@ cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aD
 cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
 cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
-cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
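Review bot: The new `replace github.com/elastic/elastic-package => github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1` at the end of the `@@ -128,39 +130,41 @@` hunk redirects the build's tooling dependency to a personal fork at a pseudo-version, but nothing in the hunk or the commit message ("Remove invalid ips again") records why or when it should be dropped. A fork pin of this kind bypasses the upstream release and review process, so it should at least be marked as temporary with its removal condition, e.g. `// TODO(<owner>): temporary fork pin; drop once the upstream elastic-package release containing the needed change is tagged` on the line above it. The `go.sum` section that follows removes the `github.com/elastic/elastic-package v0.50.1` checksum lines; the corresponding `h1:` entries for the fork are not visible in this view and should be confirmed present so the pin stays checksum-verified.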
@@ -38,7 +37,6 @@ cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM7 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= @@ -76,9 +74,9 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= -github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd/go.mod h1:64YHyfSL2R96J44Nlwm39UHepQbyR5q10x7iYa1ks2E= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= 
@@ -114,6 +112,7 @@ github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+V github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4= github.com/Microsoft/hcsshim v0.8.23/go.mod h1:4zegtUJth7lAvFyc6cH2gGQ5B3OFQim01nnU2M8jKDg= +github.com/Microsoft/hcsshim v0.9.1/go.mod h1:Y/0uV2jUab5kBI7SQgl62at0AVX7uaruzADAVmxm3eM= github.com/Microsoft/hcsshim v0.9.2/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc= github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= @@ -162,7 +161,6 @@ github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.m github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= 
@@ -192,6 +190,7 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/boumenot/gocover-cobertura v1.2.0/go.mod h1:fz7ly8dslE42VRR5ZWLt2OHGDHjkTiA2oNvKgJEjLT0= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= @@ -204,7 +203,6 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3k github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= 
@@ -226,8 +224,6 @@ github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= -github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= -github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -236,9 +232,7 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= @@ -257,6 +251,7 @@ github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4S github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= +github.com/containerd/cgroups v1.0.2/go.mod h1:qpbpJ1jmlqsR9f2IyaLPsdkCdnt0rbDVqIDlhuu5tRY= github.com/containerd/cgroups v1.0.3/go.mod h1:/ofk34relqNjSGyqPrmEULrO4Sc8LJhvJmWbUCUKqj8= github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= 
@@ -280,7 +275,9 @@ github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoT github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c= github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s= +github.com/containerd/containerd v1.5.9/go.mod h1:fvQqCfadDGga5HZyn3j4+dx56qj2I9YwBrlSdalvJYQ= github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE= +github.com/containerd/containerd v1.6.3/go.mod h1:gCVGrYRYFm2E8GmuUIbj/NGD7DLZQLzSJQazjVKDOig= github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= @@ -299,6 +296,7 @@ github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZH github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= github.com/containerd/go-cni v1.1.0/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= github.com/containerd/go-cni v1.1.3/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= +github.com/containerd/go-cni v1.1.4/go.mod h1:Rflh2EJ/++BA2/vY5ao3K6WJRR/bZKsX123aPk+kUtA= github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= 
@@ -309,6 +307,7 @@ github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6T github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= github.com/containerd/imgcrypt v1.1.3/go.mod h1:/TPA1GIDXMzbj01yd8pIbQiLdQxed5ue1wb8bP7PQu4= +github.com/containerd/imgcrypt v1.1.4/go.mod h1:LorQnPtzL/T0IyCeftcsMEO7AqxUDbdO8j/tSUpgxvo= github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= 
@@ -335,10 +334,12 @@ github.com/containernetworking/cni v1.0.1/go.mod h1:AKuhXbN5EzmD4yTNtfSsX3tPcmtr github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= github.com/containernetworking/plugins v1.0.1/go.mod h1:QHCfGpaTwYTbbH+nZXKVTxNBDZcxSOplJT5ico8/FLE= +github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19sZPp3ry5uHSkI4LPxV8= github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= +github.com/containers/ocicrypt v1.1.3/go.mod h1:xpdkbVAuaH3WzbEabUd5yDsl9SwJA5pABH85425Es2g= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
@@ -390,9 +391,10 @@ github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hH github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v20.10.14+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= 
@@ -409,8 +411,6 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elastic/elastic-package v0.50.1 h1:p1ayfPCxoNj6lgeOM6CpwYdcOBQsJ4P1iDxBOHZ6Meg= -github.com/elastic/elastic-package v0.50.1/go.mod h1:GuY0XZtNm0KmrZG3UKvJigTDR+u+kmZAfOSGOtCPKUE= github.com/elastic/go-elasticsearch/v7 v7.17.1 h1:49mHcHx7lpCL8cW1aioEwSEVKQF3s+Igi4Ye/QTWwmk= github.com/elastic/go-elasticsearch/v7 v7.17.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= @@ -432,6 +432,7 @@ github.com/elastic/package-spec v1.9.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhN github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= 
@@ -443,9 +444,7 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= -github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= @@ -456,7 +455,6 @@ github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 
@@ -495,6 +493,7 @@ github.com/go-git/go-git/v5 v5.4.2/go.mod h1:gQ1kArt6d+n+BGd+/B/I74HwRTLhth2+zti github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gorp/gorp/v3 v3.0.2/go.mod h1:BJ3q1ejpV8cVALtcXvXaXyTOlMmJhWDxTmncaR6rwBY= github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= @@ -537,6 +536,7 @@ github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw= 
@@ -559,15 +559,15 @@ github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxs github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= -github.com/gobuffalo/logger v1.0.3/go.mod h1:SoeejUwldiS7ZsyCBphOGURmWdwUFXs0J7TCjEhjKxM= +github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packd v1.0.0/go.mod h1:6VTc4htmJRFB7u1m/4LeMTWjFoYrUiBkU9Fdec9hrhI= +github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= -github.com/gobuffalo/packr/v2 v2.8.1/go.mod h1:c/PLlOuTU+p3SybaJATW3H6lX/iK7xEz5OeMf+NnJpg= +github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= 
@@ -636,8 +636,10 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/cel-go v0.9.0/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= +github.com/google/cel-go v0.10.1/go.mod h1:U7ayypeSkw23szu4GaQTPJGx66c20mx8JklMSxrmI1w= github.com/google/cel-spec v0.6.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA= +github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= @@ -695,7 +697,6 @@ github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pf github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= 
@@ -721,27 +722,17 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms= github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= -github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= 
-github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= -github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
@@ -749,24 +740,16 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY= -github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= -github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk= -github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/iancoleman/strcase 
v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= @@ -804,11 +787,12 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1 h1:rxmEv5GtkTr5pDQAydpxnooGYuuSirnilm/FUjU+f0U= +github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1/go.mod h1:3ry+GYdaybSqqTJ7ArkL8fLcNJJoHZbAqVLQu9qlagA= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= 
@@ -816,7 +800,7 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= -github.com/karrick/godirwalk v1.15.8/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= +github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= @@ -859,7 +843,6 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo= github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc= -github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.13.0 h1:XtLJl8bcCM7EFoO8FyH8XK3t7G5hQAeK+i4tq+veT9M= github.com/magefile/mage v1.13.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= 
@@ -882,8 +865,6 @@ github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= @@ -891,8 +872,6 @@ github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= -github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 
@@ -905,6 +884,7 @@ github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= +github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= 
@@ -915,12 +895,10 @@ github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyex github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo= github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= -github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= +github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI= github.com/mitchellh/cli v1.1.2/go.mod h1:6iaV0fGdElS6dPBx0EApTxHrcWvmJphyh2n8YBLPPZ4= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= 
@@ -968,11 +946,13 @@ github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJ github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= +github.com/networkplumbing/go-nft v0.2.0/go.mod h1:HnnM+tYvlGAsMU7yoYwXEVLLiDW9gdMmb5HoGcwpuQs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249 h1:NHrXEjTNQY7P0Zfx1aMrNhpgxHmow66XQtm0aQLY0AE= github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249/go.mod h1:mpRZBD8SJ55OIICQ3iWH0Yz3cjzA61JdqMLoWXeB2+8= 
@@ -1020,6 +1000,7 @@ github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2-0.20211117181255-693428a734f5/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= @@ -1027,6 +1008,7 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= +github.com/opencontainers/runc v1.1.1/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= 
@@ -1040,18 +1022,17 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pierrec/lz4/v4 v4.1.12 h1:44l88ehTZAUGW4VlO1QC4zkilL99M6Y9MXNwEs0uzP8= github.com/pierrec/lz4/v4 v4.1.12/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -1061,16 +1042,17 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model 
v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= @@ -1081,11 +1063,10 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= -github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= +github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190425082905-87a4384529e0/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -1108,8 +1089,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc/go.mod h1:HFLT6i9iR4QBOF5rdCyjddC9t59ArqWJV2xx+jwcCMo= +github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= +github.com/rubenv/sql-migrate v1.1.1/go.mod h1:/7TZymwxN8VWumcIxw1jjHEcR1djpdkMHQPT4FWdnbQ= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww= github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= @@ -1118,7 +1099,6 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= -github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= github.com/santhosh-tekuri/jsonschema v1.2.4 h1:hNhW8e7t+H1vgY+1QeEQpveR6D4+OwKPXCfD2aieJis= github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= 
@@ -1150,18 +1130,15 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.6/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= -github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4= github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q= github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
@@ -1175,7 +1152,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -1202,7 +1178,6 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= 
@@ -1276,8 +1251,8 @@ go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQc go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs= go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0= +go.etcd.io/etcd/client/v3 v3.5.1/go.mod h1:OnjH4M8OnAotwaB2l9bVgZzRFKru7/ZMoS46OtKyd3Q= go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE= go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc= go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4= @@ -1346,9 +1321,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191122220453-ac88ee75c92c/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -1363,8 +1336,9 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b h1:QAqMVf3pSa6eeTsuklijukjXBlj7Es2QQplab+/RbQ4= -golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1405,10 +1379,10 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1432,7 +1406,6 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -1461,21 +1434,20 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d h1:62NvYBuaanGXR2ZOfwDFkhhl6X1DUgf8qg3GuQvxZsE= golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1492,7 +1464,6 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1539,12 +1510,9 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1594,7 +1562,6 @@ golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -1615,23 +1582,22 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211015200801-69063c4bb744/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 
@@ -1657,8 +1623,8 @@ golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 h1:GZokNIeuVkl3aZHJchRrr13WCsols02MLUcz1U9is6M= -golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44= +golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -1683,7 +1649,6 @@ golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgw golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= @@ -1705,7 +1670,6 @@ golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapK golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200308013534-11ec41452d41/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 
@@ -1734,10 +1698,10 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a h1:ofrrl6c6NG5/IOSx/R1cyiQxxjqlur0h/TvbUhkH0II= -golang.org/x/tools v0.1.11-0.20220316014157-77aa08bb151a/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.10-0.20220218145154-897bd77cd717/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= +golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f h1:OKYpQQVE3DKSc3r3zHVzq46vq5YH7x8xpR3/k9ixmUg= +golang.org/x/tools v0.1.11-0.20220513221640-090b14e8501f/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1774,9 +1738,7 @@ google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6 google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= -google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= -google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1849,11 +1811,7 @@ google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEc google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= -google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= 
@@ -1886,7 +1844,6 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= @@ -1917,13 +1874,11 @@ gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qS gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= -gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw= gopkg.in/hjson/hjson-go.v3 v3.0.1/go.mod h1:X6zrTSVeImfwfZLfgQdInl9mWjqPqgH90jom9nym/lw= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 
@@ -1954,8 +1909,8 @@ gotest.tools/gotestsum v1.8.1/go.mod h1:ctqdxBSCPv80kAFjYvFNpPntBrE5HAQnLiOKBGLm gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -helm.sh/helm/v3 v3.8.2 h1:HDhe2nKek976VLMPZlIgJbNqwcqvHYBp1qy+sXQ4jiY= -helm.sh/helm/v3 v3.8.2/go.mod h1:NxtE2KObf2PrzDl6SIamPFPKyAqWi10iWuvKlQn/Yao= +helm.sh/helm/v3 v3.9.0 h1:qDSWViuF6SzZX5s5AB/NVRGWmdao7T5j4S4ebIkMGag= +helm.sh/helm/v3 v3.9.0/go.mod h1:fzZfyslcPAWwSdkXrXlpKexFeE2Dei8N27FFQWt+PN0= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -1963,7 +1918,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.3.1/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70= +honnef.co/go/tools v0.3.2/go.mod h1:jzwdWgg7Jdq75wlfblQxO4neNaFFSvgc1tD5Wv8U0Yw= howett.net/plist v0.0.0-20181124034731-591f970eefbb/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= howett.net/plist v0.0.0-20201203080718-1454fab16a06 h1:QDxUo/w2COstK1wIBYpzQlHX/NqaQTcf9jyz347nI58= howett.net/plist v0.0.0-20201203080718-1454fab16a06/go.mod h1:vMygbs4qMhSZSc4lCUl2OEE+rDiIIJAIdR4m7MiMcm0= 
@@ -1971,43 +1926,39 @@ k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= -k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8= -k8s.io/api v0.23.6 h1:yOK34wbYECH4RsJbQ9sfkFK3O7f/DUHRlzFehkqZyVw= -k8s.io/api v0.23.6/go.mod h1:1kFaYxGCFHYp3qd6a85DAj/yW8aVD6XLZMqJclkoi9g= -k8s.io/apiextensions-apiserver v0.23.5 h1:5SKzdXyvIJKu+zbfPc3kCbWpbxi+O+zdmAJBm26UJqI= -k8s.io/apiextensions-apiserver v0.23.5/go.mod h1:ntcPWNXS8ZPKN+zTXuzYMeg731CP0heCTl6gYBxLcuQ= +k8s.io/api v0.24.0 h1:J0hann2hfxWr1hinZIDefw7Q96wmCBx6SSB8IY0MdDg= +k8s.io/api v0.24.0/go.mod h1:5Jl90IUrJHUJYEMANRURMiVvJ0g7Ax7r3R1bqO8zx8I= +k8s.io/apiextensions-apiserver v0.24.0 h1:JfgFqbA8gKJ/uDT++feAqk9jBIwNnL9YGdQvaI9DLtY= +k8s.io/apiextensions-apiserver v0.24.0/go.mod h1:iuVe4aEpe6827lvO6yWQVxiPSpPoSKVjkq+MIdg84cM= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= -k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= -k8s.io/apimachinery v0.23.6 h1:RH1UweWJkWNTlFx0D8uxOpaU1tjIOvVVWV/bu5b3/NQ= -k8s.io/apimachinery v0.23.6/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= +k8s.io/apimachinery v0.24.0 h1:ydFCyC/DjCvFCHK5OPMKBlxayQytB8pxy8YQInd5UyQ= +k8s.io/apimachinery v0.24.0/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod 
h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ= -k8s.io/apiserver v0.23.5/go.mod h1:7wvMtGJ42VRxzgVI7jkbKvMbuCbVbgsWFT7RyXiRNTw= -k8s.io/cli-runtime v0.23.5/go.mod h1:oY6QDF2qo9xndSq32tqcmRp2UyXssdGrLfjAVymgbx4= -k8s.io/cli-runtime v0.23.6 h1:zvsGa4An+udUnznKSfD1Q17sETWHNOaMqYKHwHCvg+4= -k8s.io/cli-runtime v0.23.6/go.mod h1:0Z3VR/HRIFKiLzKIAkm1mPtcH98GT/fXu2IU0E4vFmw= +k8s.io/apiserver v0.24.0/go.mod h1:WFx2yiOMawnogNToVvUYT9nn1jaIkMKj41ZYCVycsBA= +k8s.io/cli-runtime v0.24.0 h1:ot3Qf49T852uEyNApABO1UHHpFIckKK/NqpheZYN2gM= +k8s.io/cli-runtime v0.24.0/go.mod h1:9XxoZDsEkRFUThnwqNviqzljtT/LdHtNWvcNFrAXl0A= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= -k8s.io/client-go v0.23.5/go.mod h1:flkeinTO1CirYgzMPRWxUCnV0G4Fbu2vLhYCObnt/r4= -k8s.io/client-go v0.23.6 h1:7h4SctDVQAQbkHQnR4Kzi7EyUyvla5G1pFWf4+Od7hQ= -k8s.io/client-go v0.23.6/go.mod h1:Umt5icFOMLV/+qbtZ3PR0D+JA6lvvb3syzodv4irpK4= +k8s.io/client-go v0.24.0 h1:lbE4aB1gTHvYFSwm6eD3OF14NhFDKCejlnsGYlSJe5U= +k8s.io/client-go v0.24.0/go.mod h1:VFPQET+cAFpYxh6Bq6f4xyMY80G6jKKktU6G0m00VDw= k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= -k8s.io/code-generator v0.23.5/go.mod h1:S0Q1JVA+kSzTI1oUvbKAxZY/DYbA/ZUb4Uknog12ETk= +k8s.io/code-generator v0.24.0/go.mod h1:dpVhs00hTuTdTY6jvVxvTFCk6gSMrtfRydbhZwHI15w= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= 
k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI= -k8s.io/component-base v0.23.5 h1:8qgP5R6jG1BBSXmRYW+dsmitIrpk8F/fPEvgDenMCCE= -k8s.io/component-base v0.23.5/go.mod h1:c5Nq44KZyt1aLl0IpHX82fhsn84Sb0jjzwjpcA42bY0= -k8s.io/component-helpers v0.23.5/go.mod h1:5riXJgjTIs+ZB8xnf5M2anZ8iQuq37a0B/0BgoPQuSM= +k8s.io/component-base v0.24.0 h1:h5jieHZQoHrY/lHG+HyrSbJeyfuitheBvqvKwKHVC0g= +k8s.io/component-base v0.24.0/go.mod h1:Dgazgon0i7KYUsS8krG8muGiMVtUZxG037l1MKyXgrA= +k8s.io/component-helpers v0.24.0/go.mod h1:Q2SlLm4h6g6lPTC9GMMfzdywfLSvJT2f1hOnnjaWD8c= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= 
@@ -2017,30 +1968,31 @@ k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8 k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc= +k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 h1:E3J9oCLlaobFUqsjG9DfKbP2BmgwBL2p7pn0A3dG9W4= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= -k8s.io/kubectl v0.23.5 h1:DmDULqCaF4qstj0Im143XmncvqWtJxHzK8IrW2BzlU0= -k8s.io/kubectl v0.23.5/go.mod h1:lLgw7cVY8xbd7o637vOXPca/w6HC205KsPCRDYRCxwE= +k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 
h1:Gii5eqf+GmIEwGNKQYQClCayuJCe2/4fZUvF7VG99sU= +k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk= +k8s.io/kubectl v0.24.0 h1:nA+WtMLVdXUs4wLogGd1mPTAesnLdBpCVgCmz3I7dXo= +k8s.io/kubectl v0.24.0/go.mod h1:pdXkmCyHiRTqjYfyUJiXtbVNURhv0/Q1TyRhy2d5ic0= k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/metrics v0.23.5/go.mod h1:WNAtV2a5BYbmDS8+7jSqYYV6E3efuGTpIwJ8PTD1wgs= +k8s.io/metrics v0.24.0/go.mod h1:jrLlFGdKl3X+szubOXPG0Lf2aVxuV3QJcbsgVRAM6fI= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 h1:ZKMMxTvduyf5WUtREOqg5LiXaN1KO/+0oOQPRFrClpo= -k8s.io/utils v0.0.0-20211208161948-7d6a63dca704/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -oras.land/oras-go v1.1.1/go.mod h1:n2TE1ummt9MUyprGhT+Q7kGZUF4kVUpYysPFxeV2IpQ= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc= +k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +oras.land/oras-go v1.1.0/go.mod h1:1A7vR/0KknT2UkJVWh+xMi95I/AhK8ZrxrnUSmXN0bQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 
@@ -2048,15 +2000,14 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyz sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw= -sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= -sigs.k8s.io/kustomize/api v0.10.1 h1:KgU7hfYoscuqag84kxtzKdEC3mKMb99DPI3a0eaV1d0= -sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8= -sigs.k8s.io/kustomize/cmd/config v0.10.2/go.mod h1:K2aW7nXJ0AaT+VA/eO0/dzFLxmpFcTzudmAgDwPY1HQ= -sigs.k8s.io/kustomize/kustomize/v4 v4.4.1/go.mod h1:qOKJMMz2mBP+vcS7vK+mNz4HBLjaQSWRY22EF6Tb7Io= -sigs.k8s.io/kustomize/kyaml v0.13.0 h1:9c+ETyNfSrVhxvphs+K2dzT3dh5oVPPEqPOE/cUpScY= -sigs.k8s.io/kustomize/kyaml v0.13.0/go.mod h1:FTJxEZ86ScK184NpGSAQcfEqee0nul8oLCK30D47m4E= +sigs.k8s.io/kustomize/api v0.11.4 h1:/0Mr3kfBBNcNPOW5Qwk/3eb8zkswCwnqQxxKtmrTkRo= +sigs.k8s.io/kustomize/api v0.11.4/go.mod h1:k+8RsqYbgpkIrJ4p9jcdPqe8DprLxFUUO0yNOq8C+xI= +sigs.k8s.io/kustomize/cmd/config v0.10.6/go.mod h1:/S4A4nUANUa4bZJ/Edt7ZQTyKOY9WCER0uBS1SW2Rco= +sigs.k8s.io/kustomize/kustomize/v4 v4.5.4/go.mod h1:Zo/Xc5FKD6sHl0lilbrieeGeZHVYCA4BzxeAaLI05Bg= +sigs.k8s.io/kustomize/kyaml v0.13.6 h1:eF+wsn4J7GOAXlvajv6OknSunxpcOBQQqsnPxObtkGs= +sigs.k8s.io/kustomize/kyaml v0.13.6/go.mod h1:yHP031rn1QX1lr/Xd934Ri/xdVNG8BE2ECa78Ht/kEg= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= 
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log index 44262b5cee9..54d8ccf9e70 100644 --- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log +++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log 
@@ -20,9 +20,9 @@ {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"156.20.160.89.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}} -{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} | 
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} | {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}} -{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}} +{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.13","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}} 
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}}
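Review bot: The rewritten AAAA answer set for `2.amazon.pool.ntp.org.` on the added line replaces three repeated `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` answers with distinct addresses, which goes beyond swapping out disallowed IPs, yet the A records on the trailing context lines still carry repeated answers (`175.16.199.1` twice for `1.amazon.pool.ntp.org.`, `67.43.156.12` twice for `2.amazon.pool.ntp.org.`). If de-duplicating answers matters for the expected output, the same treatment presumably belongs on those records too; if it does not, a sentence in the commit description saying why only the AAAA record was changed would save the next reader the comparison. The same question applies to the `0.amazon.pool.ntp.org.` A record, where `67.43.156.12` became `67.43.156.13` although both sit in the same /24 that the rest of this fixture keeps using.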
@@ -30,5 +30,5 @@ {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"38200","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:33Z","query_name":"abcd.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"test.example.com.","Type":"CNAME","Class":"IN"},{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"52785","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} -{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"4.3.128.1.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"} 
+{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.3.4.32.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} \ No newline at end of file diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json index 4fad7dfd24a..1350412569e 100644 --- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json +++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json @@ -1399,17 +1399,17 @@ }, { "class": "IN", - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:f1::1", "type": "AAAA" }, { "class": "IN", - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:3803:1::6", "type": "AAAA" }, { "class": "IN", - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:1560:8003::c7", "type": "AAAA" } ], 
@@ -1431,7 +1431,7 @@ "network" ], "kind": "event", - "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |", + "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |", "outcome": "success", "type": [ "protocol" @@ -1449,9 +1449,9 @@ ], "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:f1::1", + "2a02:cf40:3803:1::6", + "2a02:cf40:1560:8003::c7", "172.31.86.159" ] }, @@ -1545,7 +1545,7 @@ }, { "class": "IN", - "data": "67.43.156.12", + "data": "67.43.156.13", "type": "A" }, { 
@@ -1577,7 +1577,7 @@ "network" ], "kind": "event", - "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.57\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}", + "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"0.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.13\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.57\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"51725\",\"transport\":\"UDP\",\"srcids\":{}}", "outcome": "success", "type": [ "protocol" @@ -1595,7 +1595,7 @@ ], "ip": [ "81.2.69.143", - "67.43.156.12", + "67.43.156.13", "216.160.83.57", "216.160.83.61", "172.31.86.159" @@ -2154,7 +2154,7 @@ ], "question": { "class": "IN", - "name": "4.3.128.1.in-addr.arpa", + "name": "15.3.4.32.in-addr.arpa", "type": "PTR" }, "response_code": "NOERROR" 
@@ -2167,7 +2167,7 @@ "network" ], "kind": "event", - "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "outcome": "success", "type": [ "protocol" @@ -2185,7 +2185,7 @@ ], "ip": [ "81.2.69.143", - "1.128.3.4" + "32.4.3.15" ] }, "source": { diff --git a/packages/aws/data_stream/route53_resolver_logs/sample_event.json b/packages/aws/data_stream/route53_resolver_logs/sample_event.json index e35aa7ed261..8a7b227dcac 100644 --- a/packages/aws/data_stream/route53_resolver_logs/sample_event.json +++ b/packages/aws/data_stream/route53_resolver_logs/sample_event.json @@ -44,7 +44,7 @@ }, "dns": { "question": { - "name": "4.3.128.1.in-addr.arpa", + "name": "15.3.4.32.in-addr.arpa", "subdomain": "15.3.4", "registered_domain": "32.in-addr.arpa", "type": "PTR", 
@@ -71,7 +71,7 @@ "event": { "agent_id_status": "verified", "ingested": "2021-12-12T00:28:02.201047005Z", - "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "category": [ "network" ], @@ -94,7 +94,7 @@ }, "related": { "hosts": [ - "4.3.128.1.in-addr.arpa" + "15.3.4.32.in-addr.arpa" ], "ip": [ "4.5.64.102" diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md index 3de18ea52f8..0c0ab49f5f7 100644 --- a/packages/aws/docs/route53.md +++ b/packages/aws/docs/route53.md @@ -256,7 +256,7 @@ An example event for `route53_resolver` looks as following: }, "dns": { "question": { - "name": "4.3.128.1.in-addr.arpa", + "name": "15.3.4.32.in-addr.arpa", "subdomain": "15.3.4", "registered_domain": "32.in-addr.arpa", "type": "PTR", 
@@ -283,7 +283,7 @@ An example event for `route53_resolver` looks as following: "event": { "agent_id_status": "verified", "ingested": "2021-12-12T00:28:02.201047005Z", - "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"4.3.128.1.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "category": [ "network" ], @@ -306,7 +306,7 @@ An example event for `route53_resolver` looks as following: }, "related": { "hosts": [ - "4.3.128.1.in-addr.arpa" + "15.3.4.32.in-addr.arpa" ], "ip": [ "4.5.64.102" diff --git a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson index d7ec5e06c3a..3aebd4412d2 100644 --- a/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson +++ b/packages/suricata/_dev/deploy/docker/sample_logs/eve-dns-4.1.4.ndjson 
@@ -5,7 +5,7 @@ {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:0200:0000:0000:0000:0000:0729","2a02:cf40:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
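Review bot: The two replacement AAAA values on the added line are written in zero-padded, uncompressed form (`2a02:cf40:0200:0000:0000:0000:0000:0729`, `2a02:cf40:0400:0000:0000:0000:0000:0729`), while the surviving `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` in the same record and the route53 replacements elsewhere in this commit (`2a02:cf40:f1::1`, `2a02:cf40:3803:1::6`) use the RFC 5952 compressed form. The expected JSON copies these strings unchanged into `dns.answers.data` and `dns.resolved_ip`, so the fixture now pins a spelling that a real Suricata log presumably would not contain, and a search for the compressed spelling would not match `dns.answers.data` if that field is indexed as a keyword. Consider `2a02:cf40:200::729` and `2a02:cf40:400::729` here, in the `@@ -21,4` hunk of this file, and in the matching hunks of test-eve-dns-4-1-4.log and its expected JSON.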
@@ -21,4 +21,4 @@ {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} +{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} 
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
index d7ec5e06c3a..3aebd4412d2 100644
--- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
+++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log
@@ -5,7 +5,7 @@ {"timestamp":"2019-08-22T23:48:48.839495+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":50720,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60273,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.839714+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":41979,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4210,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-22T23:48:48.901548+0000","flow_id":40074894954311,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":50720,"proto":"UDP","dns":{"version":2,"type":"answer","id":60273,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":270,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}],"grouped":{"A":["175.16.199.1","175.16.199.1","175.16.199.1","175.16.199.1"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
-{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} 
+{"timestamp":"2019-08-22T23:48:48.902685+0000","flow_id":2130691028471842,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":41979,"proto":"UDP","dns":{"version":2,"type":"answer","id":4210,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":299,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"}],"grouped":{"AAAA":["2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","2a02:cf40:0200:0000:0000:0000:0000:0729","2a02:cf40:0400:0000:0000:0000:0000:0729"],"CNAME":["dualstack.r2.shared.global.fastly.net"]}}} {"timestamp":"2019-08-23T01:22:31.812655+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":44773,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28329,"rrname":"www.yahoo.com","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T01:22:31.812828+0000","flow_id":1887239765714716,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":55246,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7050,"rrname":"www.yahoo.com","rrtype":"AAAA","tx_id":0}} 
{"timestamp":"2019-08-23T01:22:31.846575+0000","flow_id":814378410010223,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":44773,"proto":"UDP","dns":{"type":"answer","id":28329,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.yahoo.com","rrtype":"CNAME","ttl":1315,"rdata":"atsv2-fp-shed.wg1.b.yahoo.com"}} 
@@ -21,4 +21,4 @@ {"timestamp":"2019-08-23T02:03:36.578089+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":48288,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9104,"rrname":"www.elastic.co","rrtype":"A","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.578262+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.15","src_port":59203,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12859,"rrname":"www.elastic.co","rrtype":"AAAA","tx_id":0}} {"timestamp":"2019-08-23T02:03:36.619381+0000","flow_id":2181951993205289,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":48288,"proto":"UDP","dns":{"version":2,"type":"answer","id":9104,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"A","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":150,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"A","ttl":29,"rdata":"175.16.199.1"}]}} 
-{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} +{"timestamp":"2019-08-23T02:03:36.626559+0000","flow_id":928596784370390,"in_iface":"enp0s3","event_type":"dns","src_ip":"10.0.2.3","src_port":53,"dest_ip":"10.0.2.15","dest_port":59203,"proto":"UDP","dns":{"version":2,"type":"answer","id":12859,"flags":"8180","qr":true,"rd":true,"ra":true,"rcode":"NOERROR","rrname":"www.elastic.co","rrtype":"AAAA","answers":[{"rrname":"www.elastic.co","rrtype":"CNAME","ttl":269,"rdata":"dualstack.r2.shared.global.fastly.net"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0200:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:0400:0000:0000:0000:0000:0729"},{"rrname":"dualstack.r2.shared.global.fastly.net","rrtype":"AAAA","ttl":29,"rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"}]}} 
diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json index 96ec936242d..2903e6b02a9 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-dns-4-1-4.log-expected.json @@ -564,13 +564,13 @@ "type": "AAAA" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:0200:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:0400:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" @@ -591,8 +591,8 @@ "resolved_ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729" ], "response_code": "NOERROR", "type": "answer" 
@@ -606,7 +606,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"2a02:cf40:0200:0000:0000:0000:0000:0729\",\"2a02:cf40:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", "type": [ "protocol" ] @@ -619,6 +619,8 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] @@ -1864,13 +1866,13 @@ "type": "AAAA" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:0200:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:0400:0000:0000:0000:0000:0729", "name": "dualstack.r2.shared.global.fastly.net", "ttl": 29, "type": "AAAA" 
@@ -1896,8 +1898,8 @@
 },
 "resolved_ip": [
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:0200:0000:0000:0000:0000:0729",
+ "2a02:cf40:0400:0000:0000:0000:0000:0729",
 "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
 ],
 "response_code": "NOERROR",
@@ -1912,7 +1914,7 @@ ], "created": "2020-04-28T11:07:58.223Z", "kind": "event", - "original": "{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", + "original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"}]}}", "type": [ "protocol" ] @@ -1925,6 +1927,8 @@ "related": { "ip": [ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:0200:0000:0000:0000:0000:0729", + "2a02:cf40:0400:0000:0000:0000:0000:0729", "10.0.2.3", "10.0.2.15" ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json index 746287c0b1a..27cff6dcef5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json 
@@ -592,7 +592,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -616,7 +616,7 @@
 }
 },
 "event_data": {
- "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
+ "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.274",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1116,7 +1116,7 @@
 "event_data": {
 "QueryName": "nym1-ib.adnxs.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.633",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1135,7 +1135,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1182,7 +1182,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1202,7 +1202,7 @@
 "event_data": {
 "QueryName": "px.ads.linkedin.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.727",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1268,7 +1268,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1287,7 +1287,7 @@
 "ProcessId": "2736",
 "QueryName": "dis.criteo.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792"
 },
@@ -1311,7 +1311,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1330,7 +1330,7 @@
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1389,7 +1389,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1401,7 +1401,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.821",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1467,7 +1467,7 @@
 {
 "@timestamp": "2021-05-05T15:30:51.696Z",
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon",
 "code": "22"
@@ -1491,7 +1491,7 @@
 "ProcessId": "2736",
 "QueryName": "protected-by.clarium.io",
 "QueryStatus": "0",
- "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1635,7 +1635,7 @@
 "event_data": {
 "QueryName": "onevideosync.uplynk.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.844",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1664,7 +1664,7 @@
 "event": {
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22"
 },
 "log": {
@@ -1798,7 +1798,7 @@
 "level": "information"
 },
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -1821,7 +1821,7 @@
 "ProcessId": "2736",
 "QueryName": "pm.w55c.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -1837,7 +1837,7 @@
 {
 "@timestamp": "2021-05-05T15:30:51.697Z",
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -1864,7 +1864,7 @@
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.093",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1927,7 +1927,7 @@
 "ProcessId": "2736",
 "QueryName": "cm.adgrx.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -1955,7 +1955,7 @@
 },
 "event": {
 "provider": "Microsoft-Windows-Sysmon",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event"
 }
@@ -1978,7 +1978,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.107",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1996,7 +1996,7 @@
 "level": "information"
 },
 "event": {
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2235,7 +2235,7 @@
 "provider": "Microsoft-Windows-Sysmon",
 "code": "22",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e"
 },
 "log": {
 "level": "information"
@@ -2261,7 +2261,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2332,7 +2332,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2353,7 +2353,7 @@ "ProcessId": "2736", "QueryName": "image2.pubmatic.com", "QueryStatus": "0", - "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" + "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;" }, "process": { "thread": { 
@@ -2419,7 +2419,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2445,7 +2445,7 @@ "computer_name": "vagrant-2016", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "event_data": { - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.222", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -2504,7 +2504,7 @@ "event_data": { "QueryName": "urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.271", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -2532,7 +2532,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2759,7 +2759,7 @@ "ProcessId": "2736", "QueryName": "ocsp.usertrust.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -2780,7 +2780,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2924,7 +2924,7 @@ "ProcessId": "2736", "QueryName": "ocsp.sectigo.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "level": "information", 
@@ -2946,7 +2946,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3254,7 +3254,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3277,7 +3277,7 @@ "ProcessId": "2736", "QueryName": "ocsp.pki.goog", "QueryStatus": "0", - "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.581" }, 
@@ -4025,7 +4025,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@ "event_data": { "QueryName": "pixel.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4070,7 +4070,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4082,7 +4082,7 @@ "level": "information", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.894", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4112,7 +4112,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4126,7 +4126,7 @@ "ProcessId": "2736", "QueryName": "aa.agkn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.902", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" @@ -4155,7 +4155,7 @@ "ProcessId": "2736", "QueryName": "s0.2mdn.net", "QueryStatus": "0", - "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.911", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -4185,7 +4185,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4336,7 +4336,7 @@ "ProcessId": "2736", "QueryName": "pre-usermatch.targeting.unrulymedia.com", "QueryStatus": "0", - "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.137", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -4355,7 +4355,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4364,7 +4364,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4384,7 +4384,7 @@ "event_data": { "QueryName": "farm.plista.com", "QueryStatus": "0", - "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.141", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -4885,7 +4885,7 @@ "ProcessId": "2736", "QueryName": "sync.mathtag.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;" + "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;" }, "record_id": 141, "event_id": "22", 
@@ -4905,7 +4905,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4967,7 +4967,7 @@ "time_created": "2019-07-18T03:34:04.692Z", "level": "information", "event_data": { - "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.184", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -4990,7 +4990,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -5015,7 +5015,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -5031,7 +5031,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5104,7 +5104,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5115,7 +5115,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5214,7 +5214,7 @@ "ProcessId": "2736", "QueryName": "static.adsafeprotected.com", "QueryStatus": "0", - "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -5241,7 +5241,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5337,7 +5337,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5354,7 +5354,7 @@ "ProcessId": "2736", "QueryName": "pixel-sync.sitescout.com", "QueryStatus": "0", - "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;" + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;" }, "user": { "identifier": "S-1-5-18" @@ -5387,7 +5387,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5409,7 +5409,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5463,7 +5463,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5475,7 +5475,7 @@ "ProcessId": "2736", "QueryName": "appnexus-partners.tremorhub.com", "QueryStatus": "0", - "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5505,7 +5505,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5524,7 +5524,7 @@ "event_data": { "QueryName": "x.dlx.addthis.com", "QueryStatus": "0", - "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.531", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5547,7 +5547,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5564,7 +5564,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5586,7 +5586,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5598,7 +5598,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5650,7 +5650,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
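Review bot: The rewritten `QueryResults` value on the `+` line of the `@@ -5650` hunk still ends with `2001:502:1ca1::30`, a real-looking global-unicast IPv6 address that this commit leaves in place while it rewrites the `2a02:cf40:…` entries beside it. If that address is not on the allowed list, the same validation that motivated this change will presumably reject it, so it is worth confirming it passes or mapping it the way the other entries were, e.g. `2a02:cf40:1ca1::30`. The same value is also carried inside the `event.original` XML string of these events (see the `@@ -5661` hunk), so any change must be applied to both `original` and `winlog.event_data.QueryResults` to keep the fixture self-consistent, as this commit already does for the other addresses.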
@@ -5661,7 +5661,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5675,7 +5675,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5684,7 +5684,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5713,7 +5713,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5745,7 +5745,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5757,7 +5757,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5771,7 +5771,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6440,7 +6440,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6456,7 +6456,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -6588,7 +6588,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6609,7 +6609,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6719,7 +6719,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6729,7 +6729,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6867,7 +6867,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6896,7 +6896,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6955,7 +6955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6965,7 +6965,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6998,7 +6998,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7015,7 +7015,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7038,7 +7038,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7050,7 +7050,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7127,7 +7127,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7155,7 +7155,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7164,7 +7164,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
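Review bot: The rewritten QueryResults in this hunk moves the `2001:503:…` name-server addresses under the `2a02:cf40:…` test prefix (`2001:503:d414::30` → `2a02:cf40:d414::30`, likewise `eea3` and `39c1`) but leaves `2001:502:1ca1::30`, `2001:502:8cc::30` and `2001:502:7094::30` in the same run untouched, and nothing in the fixture explains the asymmetry. If `2001:502::/32` is on the allowed-IP list used by the test tooling this is fine but deserves a sentence in the PR description; if it is not, the allowed-IP check will presumably still reject this event, and the three should be moved the same way: `2a02:cf40:1ca1::30`, `2a02:cf40:8cc::30`, `2a02:cf40:7094::30`. Whatever is decided must also be applied to the `winlog.event_data.QueryResults` copy of this event in the following hunk, or the expected document will no longer match what the pipeline produces from `event.original`. The enclosing JSON document starts and ends outside this hunk.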
@@ -7188,7 +7188,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7219,7 +7219,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7236,7 +7236,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7425,7 +7425,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
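Review bot: The replacement AAAA answers in this `QueryResults` value (`2a02:cf40:a83e::2:30`, `2a02:cf40:231d::2:30`, `2a02:cf40:83eb::30`) are global-unicast addresses under 2a02:cf40::/29, not addresses from the RFC 3849 documentation block `2001:db8::/32`, so nothing in the fixture itself signals why these particular values count as "allowed". Presumably the allowlist is the GeoIP test database that the retained `89.160.20.156` also comes from, but that is an inference from the data rather than something the commit states. A one-line pointer in the PR description to that allowlist (or to the tooling that enforces it) would keep a later cleanup from swapping these for `2001:db8::` addresses and silently changing any geo-enrichment expectations. Also note that this event's answer list exists twice in the fixture, here inside `event.original` and again in `winlog.event_data.QueryResults`; both copies were updated identically in this commit, and they have to stay in lockstep by hand because the file is plain JSON with no place for a comment.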
@@ -7437,7 +7437,7 @@
 "ProcessId": "2736",
 "QueryName": "cdnjs.cloudflare.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "version": 5,
@@ -7464,7 +7464,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7479,7 +7479,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.051",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7570,7 +7570,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.trust-provider.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 }
 },
@@ -7578,7 +7578,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7593,7 +7593,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7602,7 +7602,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca4.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.184"
 },
@@ -7681,7 +7681,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7692,7 +7692,7 @@
 "event_data": {
 "QueryName": "match.sync.ad.cpe.dotomi.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
+ "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:09.730",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7828,7 +7828,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:16.329",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7852,7 +7852,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7904,7 +7904,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7934,7 +7934,7 @@
 "ProcessId": "2736",
 "QueryName": "syndication.twitter.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;"
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;"
 }
 },
 "log": {
@@ -8608,7 +8608,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8625,7 +8625,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 7126aaa02aa..e920631aaa5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -1328,7 +1328,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -1336,7 +1336,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -1344,7 +1344,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -1362,11 +1362,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -1380,7 +1380,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1409,9 +1409,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -2549,7 +2551,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2557,7 +2559,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2581,9 +2583,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -2597,7 +2599,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2624,8 +2626,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -2821,7 +2824,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2829,7 +2832,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2837,7 +2840,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -2845,7 +2848,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -2862,13 +2865,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -2882,7 +2885,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2911,10 +2914,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -3071,7 +3077,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -3079,7 +3085,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -3087,7 +3093,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -3095,7 +3101,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -3120,13 +3126,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3142,7 +3148,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3169,10 +3175,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3255,7 +3264,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -3279,7 +3288,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -3293,7 +3302,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3322,7 +3331,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -3485,7 +3494,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -3508,7 +3517,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -3522,7 +3531,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3550,7 +3559,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -3722,7 +3731,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], 
@@ -3742,7 +3751,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -3755,7 +3764,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3783,7 +3792,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -4153,7 +4162,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -4171,7 +4180,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
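Review bot: The replacement addresses `2a02:cf40:a83e::2:30`, `2a02:cf40:231d::2:30`, `2a02:cf40:83eb::30` and `2a02:cf40:856e::30` sit in the same `2a02:cf40::/29` block as the `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` value they replace, so the title "Remove ips not allowed in tests" does not by itself say which rule the old value broke and the new ones satisfy; naming that allowlist in the commit message would keep the next fixture edit compliant. Since this `-expected.json` is pipeline output, it is safer to regenerate it from the edited input fixture than to edit by hand (elastic-package's `test pipeline --generate`, if that is this repository's workflow), which also guarantees the `event.original` string and the parsed `dns.answers`, `dns.resolved_ip` and `related.ip` arrays stay consistent — here they appear to have been edited consistently. Because the four new addresses are distinct, the deduplicated `related.ip` lists grow by three entries in the hunks at `@@ -4763`, `@@ -5001`, `@@ -5143`, `@@ -5710` and `@@ -5952`; that is the expected effect, and dedup coverage is still exercised by the repeated `::ffff:89.160.20.156` answers. The same remarks apply to every hunk of this file in this chunk.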
@@ -4185,7 +4194,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4215,7 +4224,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -4554,7 +4563,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -4578,7 +4587,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4592,7 +4601,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4620,7 +4629,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -4665,7 +4674,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -4673,7 +4682,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4681,7 +4690,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4689,7 +4698,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4714,13 +4723,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -4736,7 +4745,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4763,10 +4772,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -4907,7 +4919,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4915,7 +4927,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4923,7 +4935,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4931,7 +4943,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4952,13 +4964,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -4973,7 +4985,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5001,10 +5013,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -5058,7 +5073,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -5066,7 +5081,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -5074,7 +5089,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -5082,7 +5097,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -5095,13 +5110,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -5114,7 +5129,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5143,10 +5158,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5626,7 +5644,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -5634,7 +5652,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -5642,7 +5660,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -5650,7 +5668,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -5663,13 +5681,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -5682,7 +5700,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5710,10 +5728,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5867,7 +5888,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -5875,7 +5896,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -5883,7 +5904,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -5891,7 +5912,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -5904,13 +5925,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -5923,7 +5944,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5952,10 +5973,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6111,7 +6135,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6119,7 +6143,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6127,7 +6151,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6135,7 +6159,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -6151,13 +6175,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -6170,7 +6194,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6197,10 +6221,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6352,7 +6379,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6360,7 +6387,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6377,9 +6404,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -6393,7 +6420,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6422,8 +6449,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -6853,7 +6881,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -6861,7 +6889,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6869,7 +6897,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6877,7 +6905,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -6894,13 +6922,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -6914,7 +6942,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6942,10 +6970,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -7234,7 +7265,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -7242,7 +7273,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -7250,7 +7281,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -7258,7 +7289,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -7275,13 +7306,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7295,7 +7326,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7323,10 +7354,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -7888,7 +7922,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -7896,7 +7930,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -7904,7 +7938,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -7912,7 +7946,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -7929,13 +7963,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7949,7 +7983,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7977,10 +8011,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -9285,7 +9322,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -9293,7 +9330,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -9301,7 +9338,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -9309,7 +9346,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -9326,13 +9363,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9346,7 +9383,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9374,10 +9411,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9430,7 +9470,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -9438,7 +9478,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -9446,7 +9486,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -9454,7 +9494,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -9472,13 +9512,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9492,7 +9532,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9519,10 +9559,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -9571,7 +9614,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -9579,7 +9622,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -9587,7 +9630,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -9595,7 +9638,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -9617,13 +9660,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -9638,7 +9681,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9665,10 +9708,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -9718,7 +9764,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -9726,7 +9772,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -9734,7 +9780,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -9742,7 +9788,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -9759,13 +9805,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9779,7 +9825,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9807,10 +9853,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -10166,7 +10215,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -10174,7 +10223,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -10182,7 +10231,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" } ], @@ -10198,11 +10247,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:83eb::30" ] }, "ecs": { 
@@ -10215,7 +10264,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10243,9 +10292,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "192.168.92.30" + "2a02:cf40:231d::2:30", + "192.168.92.30", + "2a02:cf40:83eb::30" ] }, "sysmon": { 
@@ -10309,7 +10360,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -10317,7 +10368,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -10325,7 +10376,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -10346,11 +10397,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -10364,7 +10415,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10392,9 +10443,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11221,7 +11274,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -11229,7 +11282,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11237,7 +11290,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11257,11 +11310,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11275,7 +11328,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11303,9 +11356,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -11477,7 +11532,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11501,7 +11556,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -11515,7 +11570,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11543,7 +11598,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -11592,7 +11647,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11600,7 +11655,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11608,7 +11663,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11616,7 +11671,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11633,13 +11688,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -11653,7 +11708,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11681,10 +11736,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -11844,7 +11902,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11852,7 +11910,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11860,7 +11918,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11868,7 +11926,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11893,13 +11951,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -11915,7 +11973,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11942,10 +12000,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -12196,7 +12257,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12204,7 +12265,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12212,7 +12273,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12220,7 +12281,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12237,13 +12298,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12257,7 +12318,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12285,10 +12346,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12526,7 +12590,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12534,7 +12598,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12542,7 +12606,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12550,7 +12614,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12567,13 +12631,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12587,7 +12651,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12615,10 +12679,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -12663,7 +12730,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -12671,7 +12738,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12679,7 +12746,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12687,7 +12754,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12708,13 +12775,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -12729,7 +12796,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12756,10 +12823,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -12952,7 +13022,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], 
@@ -12972,7 +13042,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -12985,7 +13055,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13013,7 +13083,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -13077,7 +13147,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13097,7 +13167,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -13111,7 +13181,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13140,7 +13210,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -13197,7 +13267,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13205,7 +13275,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13223,9 +13293,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -13239,7 +13309,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13268,8 +13338,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -13346,7 +13417,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13354,7 +13425,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" } ], @@ -13374,9 +13445,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:231d::2:30" ] }, "ecs": { 
@@ -13389,7 +13460,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13417,8 +13488,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "192.168.14.30" + "2a02:cf40:a83e::2:30", + "192.168.14.30", + "2a02:cf40:231d::2:30" ] }, "sysmon": { 
@@ -13462,7 +13534,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -13470,7 +13542,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13478,7 +13550,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13486,7 +13558,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13507,13 +13579,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
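Review bot: The context line `"2001:502:1ca1::30"` at the end of the `@@ -13507,13 +13579,13 @@` hunk survives on the new side although it looks like the same kind of publicly routed address the commit is removing: the replacements `2a02:cf40:a83e::2:30`, `2a02:cf40:231d::2:30`, `2a02:cf40:83eb::30` and `2a02:cf40:856e::30` keep what appear to be the well-known gTLD name-server host parts with only the prefix rewritten, and `1ca1::30` fits that series but kept its original prefix. Unless that address is on the project's allowed-IP list, it should be rewritten the same way, e.g. to `"2a02:cf40:1ca1::30"` in the range the other replacements use, or to a documentation-range address such as `"2001:db8::30"`. The same value recurs on the new side of the `@@ -13555,10 +13627,13 @@`, `@@ -15564,13 +15647,13 @@`, `@@ -15613,10 +15696,13 @@`, `@@ -15916,13 +16002,13 @@` and `@@ -15964,10 +16050,13 @@` hunks and inside the `QueryResults` text of the rewritten `original` strings there, so the sample-input file those `original` values come from has to change as well and this expected file be regenerated rather than patched by hand. The enclosing JSON object continues outside the hunk.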
@@ -13528,7 +13600,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13555,10 +13627,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -13612,7 +13687,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13620,7 +13695,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13628,7 +13703,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13645,11 +13720,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -13663,7 +13738,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13692,9 +13767,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -13743,7 +13820,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13751,7 +13828,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13759,7 +13836,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13767,7 +13844,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13784,13 +13861,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13804,7 +13881,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13832,10 +13909,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -13884,7 +13964,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13892,7 +13972,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13900,7 +13980,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13908,7 +13988,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13925,13 +14005,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13945,7 +14025,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13973,10 +14053,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -15515,7 +15598,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -15523,7 +15606,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15531,7 +15614,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -15539,7 +15622,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -15564,13 +15647,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15586,7 +15669,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15613,10 +15696,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15871,7 +15957,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -15879,7 +15965,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15887,7 +15973,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -15895,7 +15981,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -15916,13 +16002,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -15937,7 +16023,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15964,10 +16050,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -16209,7 +16298,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16217,7 +16306,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -16225,7 +16314,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -16245,11 +16334,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -16263,7 +16352,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16291,9 +16380,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -16700,7 +16791,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16724,7 +16815,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -16738,7 +16829,7 @@ "code": "22", "created": "2019-07-18T03:34:09.053Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16767,7 +16858,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -16939,7 +17030,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16963,7 +17054,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -16977,7 +17068,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17005,7 +17096,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -17050,7 +17141,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17058,7 +17149,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -17066,7 +17157,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -17074,7 +17165,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -17099,13 +17190,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -17121,7 +17212,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17148,10 +17239,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -17202,7 +17296,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -17210,7 +17304,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -17218,7 +17312,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -17226,7 +17320,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -17244,13 +17338,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -17264,7 +17358,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17291,10 +17385,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -17473,7 +17570,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17481,7 +17578,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -17489,7 +17586,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -17497,7 +17594,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -17519,13 +17616,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -17540,7 +17637,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17567,10 +17664,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17744,7 +17844,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -17752,7 +17852,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -17760,7 +17860,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -17768,7 +17868,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -17784,7 +17884,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:d414::30",
+ "data": "2a02:cf40:d414::30",
 "type": "AAAA"
 },
 {
@@ -17792,7 +17892,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:eea3::30",
+ "data": "2a02:cf40:eea3::30",
 "type": "AAAA"
 },
 {
@@ -17808,7 +17908,7 @@
 "type": "A"
 },
 {
- "data": "2001:503:39c1::30",
+ "data": "2a02:cf40:39c1::30",
 "type": "AAAA"
 },
 {
@@ -17860,23 +17960,23 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30",
- "2001:503:d414::30",
+ "2a02:cf40:d414::30",
 "192.168.93.30",
- "2001:503:eea3::30",
+ "2a02:cf40:eea3::30",
 "192.168.112.30",
 "2001:502:8cc::30",
 "192.168.172.30",
- "2001:503:39c1::30",
+ "2a02:cf40:39c1::30",
 "192.168.79.30",
 "2001:502:7094::30"
 ]
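Review bot: In the `@@ -17860,23 +17960,23 @@` hunk the `2001:503:*` answers are rewritten into the `2a02:cf40::` test range, but `2001:502:1ca1::30`, `2001:502:8cc::30` and `2001:502:7094::30` in the same array are left as they were, so the array still mixes replaced and unreplaced resolver addresses of the same kind. Unless `2001:502::` is on the allow-list this PR targets, those entries look like the same class of address the commit sets out to remove and should get the same treatment; if they are allowed, a short note in the PR description saying why would save the next reviewer the same question. The same retained `2001:502:*` values appear in the arrays at the hunks on L1107, L1117, L1123 and L1130, so whichever way this is decided it needs to be applied consistently across all of them. The `original` strings earlier in this file section presumably carry the same addresses and would have to move in step, since the expected output is generated from them.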
@@ -17891,7 +17991,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -17919,21 +18019,25 @@ "ip": [ "89.160.20.156", "216.160.83.61", + "216.160.83.61", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", "2001:502:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", "2001:502:7094::30" ] @@ -18027,7 +18131,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -18051,7 +18155,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
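Review bot: In the `@@ -17919,21 +18019,25 @@` hunk the regenerated `related.ip` list now carries `216.160.83.61` twice (the context line plus the added `+ "216.160.83.61",`), while every other address in that list, including `89.160.20.156` which the query results repeat many times, appears once; it is worth confirming this duplicate is genuine pipeline output rather than a regeneration artefact before it is committed as the golden value. The same list keeps `2001:502:1ca1::30`, `2001:502:8cc::30` and `2001:502:7094::30` as unchanged context while the `2001:503:…` entries are rewritten to `2a02:cf40:…`; the retained addresses look like they come from the same real-world allocation as the replaced ones, so please check whether `2001:502::/32` is actually on the allowed list or was simply missed by the replacement. The enclosing event object starts before this hunk, and the same retained addresses also appear in the `event.original` hunk that begins before the start of this chunk, so a fix would need to cover both.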
@@ -18064,7 +18168,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18092,7 +18196,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -18517,7 +18621,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18525,7 +18629,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18533,7 +18637,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18554,11 +18658,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -18572,7 +18676,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18599,9 +18703,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -18658,7 +18764,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18666,7 +18772,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18674,7 +18780,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18682,7 +18788,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -18698,13 +18804,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -18717,7 +18823,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18744,10 +18850,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -18890,7 +18999,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -18898,7 +19007,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18906,7 +19015,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18914,7 +19023,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -18931,13 +19040,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -18951,7 +19060,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18979,10 +19088,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -19038,7 +19150,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19046,7 +19158,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -19054,7 +19166,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -19062,7 +19174,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -19079,13 +19191,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19099,7 +19211,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19127,10 +19239,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -19323,7 +19438,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19331,7 +19446,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -19348,9 +19463,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -19364,7 +19479,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19394,8 +19509,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -19648,7 +19764,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19656,7 +19772,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -19664,7 +19780,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -19672,7 +19788,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -19689,13 +19805,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -19709,7 +19825,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19737,10 +19853,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -19907,7 +20026,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19915,7 +20034,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19923,7 +20042,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19931,7 +20050,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -19947,13 +20066,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -19966,7 +20085,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19993,10 +20112,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -21229,7 +21351,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -21237,7 +21359,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -21245,7 +21367,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -21258,11 +21380,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -21275,7 +21397,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21304,9 +21426,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "192.168.92.30" + "2a02:cf40:231d::2:30", + "192.168.92.30", + "2a02:cf40:83eb::30" ] }, "sysmon": { 
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
index 48d94e7f399..3697a353c8b 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
@@ -517,7 +517,7 @@ { "@timestamp": "2021-05-05T15:30:51.694Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -541,7 +541,7 @@
 }
 },
 "event_data": {
- "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
+ "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.274",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1041,7 +1041,7 @@
 "event_data": {
 "QueryName": "nym1-ib.adnxs.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.633",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1060,7 +1060,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -1107,7 +1107,7 @@ "event": { "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon" }, "winlog": { 
@@ -1127,7 +1127,7 @@
 "event_data": {
 "QueryName": "px.ads.linkedin.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.727",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1193,7 +1193,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1212,7 +1212,7 @@
 "ProcessId": "2736",
 "QueryName": "dis.criteo.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792"
 },
@@ -1236,7 +1236,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -1255,7 +1255,7 @@
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -1314,7 +1314,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1326,7 +1326,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.821", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1392,7 +1392,7 @@ { "@timestamp": "2021-05-05T15:30:51.696Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -1416,7 +1416,7 @@ "ProcessId": "2736", "QueryName": "protected-by.clarium.io", "QueryStatus": "0", - "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { @@ -1560,7 +1560,7 @@ "event_data": { "QueryName": "onevideosync.uplynk.com", "QueryStatus": "0", - "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.844", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1589,7 +1589,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "log": { 
@@ -1723,7 +1723,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1746,7 +1746,7 @@ "ProcessId": "2736", "QueryName": "pm.w55c.net", "QueryStatus": "0", - "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -1762,7 +1762,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1789,7 +1789,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1852,7 +1852,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
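Review bot: The substitution in the cm.eyereturn.com `QueryResults` is not one-to-one: the single address `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`, which appeared four times in the old line, becomes four distinct addresses (`2a02:cf40:a83e::2:30`, `2a02:cf40:231d::2:30`, `2a02:cf40:83eb::30`, `2a02:cf40:856e::30`), whereas every other hunk in this file keeps repeated answers repeated (`::ffff:89.160.20.156` eight times in the adnxs and w55c events). If the fixture is meant to preserve the shape of the original Sysmon event 22 (a resolver returning the same AAAA record several times), this presumably changes what any duplicate handling of the resolved addresses in the pipeline is exercising; if the distinct values are deliberate, a one-line note in the commit message stating the old-to-new mapping would let reviewers confirm it was applied consistently across the adgrx, netmng and googlesyndication events that share it. It is also worth confirming that each new `2a02:cf40::` value is inside a range the project's allowed-IP check accepts, since that cannot be verified from the hunk alone. The enclosing JSON object begins and ends outside this hunk.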
@@ -1880,7 +1880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -1903,7 +1903,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.107", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -1921,7 +1921,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2160,7 +2160,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "log": { "level": "information" 
@@ -2186,7 +2186,7 @@
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.146"
 },
@@ -2257,7 +2257,7 @@ { "@timestamp": "2021-05-05T15:30:51.698Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -2278,7 +2278,7 @@
 "ProcessId": "2736",
 "QueryName": "image2.pubmatic.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;"
+ "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;"
 },
 "process": {
 "thread": {
@@ -2344,7 +2344,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2370,7 +2370,7 @@
 "computer_name": "vagrant-2016",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
 "event_data": {
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.222",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2429,7 +2429,7 @@
 "event_data": {
 "QueryName": "urs.microsoft.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;",
+ "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.271",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -2457,7 +2457,7 @@ "event": { "provider": "Microsoft-Windows-Sysmon", "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event" }, "log": { 
@@ -2684,7 +2684,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -2705,7 +2705,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2849,7 +2849,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "level": "information",
@@ -2871,7 +2871,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -3179,7 +3179,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -3202,7 +3202,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.581"
 },
@@ -3950,7 +3950,7 @@ { "@timestamp": "2021-05-05T15:30:51.701Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -3976,7 +3976,7 @@
 "event_data": {
 "QueryName": "pixel.adsafeprotected.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -3995,7 +3995,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4007,7 +4007,7 @@
 "level": "information",
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.894",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4037,7 +4037,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4051,7 +4051,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4080,7 +4080,7 @@
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryStatus": "0",
- "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.911",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4110,7 +4110,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4261,7 +4261,7 @@
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.137",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -4280,7 +4280,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -4289,7 +4289,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4309,7 +4309,7 @@
 "event_data": {
 "QueryName": "farm.plista.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;",
+ "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.141",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4810,7 +4810,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.mathtag.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;"
+ "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;"
 },
 "record_id": 141,
 "event_id": "22",
@@ -4830,7 +4830,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4892,7 +4892,7 @@
 "time_created": "2019-07-18T03:34:04.692Z",
 "level": "information",
 "event_data": {
- "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.184",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -4915,7 +4915,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4940,7 +4940,7 @@
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "process": {
@@ -4956,7 +4956,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5029,7 +5029,7 @@
 "event_data": {
 "QueryName": "idsync.rlcdn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.237",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
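Review bot: `2001:502:1ca1::30` is kept unchanged in the new QueryResults on this hunk and again in the hunk at -5312, although the commit's stated purpose is to remove addresses the test IP allow-list rejects; unlike the `192.168.x.30` entries (RFC 1918) it is a globally routable address. If the allow-list used by the test runner does not already contain it, the check that motivated this change will still fail on this file, so it is worth confirming before merging. The `::ffff:89.160.20.156` IPv4-mapped entries are left in place, which keeps the mixed IPv4/IPv6 result format exercised by the test.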
@@ -5040,7 +5040,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5139,7 +5139,7 @@
 "ProcessId": "2736",
 "QueryName": "static.adsafeprotected.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;",
+ "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "channel": "Microsoft-Windows-Sysmon/Operational",
@@ -5166,7 +5166,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5262,7 +5262,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5279,7 +5279,7 @@
 "ProcessId": "2736",
 "QueryName": "pixel-sync.sitescout.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;"
+ "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;"
 },
 "user": {
 "identifier": "S-1-5-18"
@@ -5312,7 +5312,7 @@
 "ProcessId": "2736",
 "QueryName": "prod.y-medialink.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "event_id": "22",
@@ -5334,7 +5334,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5388,7 +5388,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5400,7 +5400,7 @@
 "ProcessId": "2736",
 "QueryName": "appnexus-partners.tremorhub.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;",
+ "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "event_id": "22",
@@ -5430,7 +5430,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5449,7 +5449,7 @@
 "event_data": {
 "QueryName": "x.dlx.addthis.com",
 "QueryStatus": "0",
- "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;",
+ "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.531",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5472,7 +5472,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5489,7 +5489,7 @@ "ProcessId": "2736", "QueryName": "dh.serving-sys.com", "QueryStatus": "0", - "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.532", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" 
@@ -5511,7 +5511,7 @@ { "@timestamp": "2021-05-05T15:30:51.707Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5523,7 +5523,7 @@ "identifier": "S-1-5-18" }, "event_data": { - "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.534", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -5575,7 +5575,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5586,7 +5586,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -5600,7 +5600,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -5609,7 +5609,7 @@ "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryStatus": "0", - "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.604" }, @@ -5638,7 +5638,7 @@ "@timestamp": "2021-05-05T15:30:51.707Z", "winlog": { "event_data": { - "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.621", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5670,7 +5670,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5682,7 +5682,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5696,7 +5696,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.822", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6365,7 +6365,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6381,7 +6381,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -6513,7 +6513,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6534,7 +6534,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6644,7 +6644,7 @@ "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryStatus": "0", - "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -6654,7 +6654,7 @@ "version": 5 }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -6792,7 +6792,7 @@ { "@timestamp": "2021-05-05T15:30:51.710Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6821,7 +6821,7 @@ "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryStatus": "0", - "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;" + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;" }, "event_id": "22", "provider_name": "Microsoft-Windows-Sysmon", 
@@ -6880,7 +6880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" }, 
@@ -6890,7 +6890,7 @@ "event_data": { "QueryName": "i.liadm.com", "QueryStatus": "0", - "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.536", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6923,7 +6923,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -6940,7 +6940,7 @@ "time_created": "2019-07-18T03:34:09.067Z", "level": "information", "event_data": { - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.544", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6963,7 +6963,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6975,7 +6975,7 @@ "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "opcode": "Info", @@ -7052,7 +7052,7 @@ "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7080,7 +7080,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7089,7 +7089,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7113,7 +7113,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { 
@@ -7144,7 +7144,7 @@ "event_data": { "QueryName": "tg.socdm.com", "QueryStatus": "0", - "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:08.619", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7161,7 +7161,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -7350,7 +7350,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -7362,7 +7362,7 @@ "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "version": 5, 
@@ -7389,7 +7389,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7404,7 +7404,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.051", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7495,7 +7495,7 @@ "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" } }, 
@@ -7503,7 +7503,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7518,7 +7518,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "time_created": "2019-07-18T03:34:10.067Z", 
@@ -7527,7 +7527,7 @@ "ProcessId": "2736", "QueryName": "ocsp.comodoca4.com", "QueryStatus": "0", - "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.184" }, 
@@ -7606,7 +7606,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7617,7 +7617,7 @@ "event_data": { "QueryName": "match.sync.ad.cpe.dotomi.com", "QueryStatus": "0", - "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;", + "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:09.730", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -7753,7 +7753,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;", + "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:16.329", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -7777,7 +7777,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -7829,7 +7829,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7859,7 +7859,7 @@ "ProcessId": "2736", "QueryName": "syndication.twitter.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;" } }, "log": { 
@@ -8533,7 +8533,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -8550,7 +8550,7 @@ "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryStatus": "0", - "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;" + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;" }, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "22", diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index 9fb68a86313..656ad42a023 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -1204,7 +1204,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -1212,7 +1212,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -1220,7 +1220,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -1238,11 +1238,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -1256,7 +1256,7 @@ "code": "22", "created": "2019-07-18T03:34:03.028Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -1285,9 +1285,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -2437,7 +2439,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2445,7 +2447,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2469,9 +2471,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -2485,7 +2487,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2512,8 +2514,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -2709,7 +2712,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -2717,7 +2720,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2725,7 +2728,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -2733,7 +2736,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -2750,13 +2753,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -2770,7 +2773,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -2799,10 +2802,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -2959,7 +2965,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -2967,7 +2973,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -2975,7 +2981,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -2983,7 +2989,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -3008,13 +3014,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3030,7 +3036,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3057,10 +3063,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -3143,7 +3152,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -3167,7 +3176,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -3181,7 +3190,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3210,7 +3219,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -3373,7 +3382,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -3396,7 +3405,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -3410,7 +3419,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3438,7 +3447,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -3610,7 +3619,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 }
 ],
@@ -3630,7 +3639,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "ecs": {
@@ -3643,7 +3652,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -3671,7 +3680,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:a83e::2:30"
 ]
 },
 "sysmon": {
@@ -4041,7 +4050,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4059,7 +4068,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4073,7 +4082,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.029Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4103,7 +4112,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4442,7 +4451,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4466,7 +4475,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4480,7 +4489,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.802Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4508,7 +4517,7 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30"
 ]
 },
@@ -4553,7 +4562,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4561,7 +4570,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4569,7 +4578,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4577,7 +4586,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4602,13 +4611,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -4624,7 +4633,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.802Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4651,10 +4660,13 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30",
 "192.168.51.30"
@@ -4795,7 +4807,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4803,7 +4815,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4811,7 +4823,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4819,7 +4831,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -4840,13 +4852,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -4861,7 +4873,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.802Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -4889,10 +4901,13 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -4946,7 +4961,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -4954,7 +4969,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -4962,7 +4977,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -4970,7 +4985,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -4983,13 +4998,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -5002,7 +5017,7 @@
 "code": "22",
 "created": "2019-07-18T03:34:03.802Z",
 "kind": "event",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
@@ -5031,10 +5046,13 @@
 "ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "192.168.80.30"
+ "2a02:cf40:83eb::30",
+ "192.168.80.30",
+ "2a02:cf40:856e::30"
 ]
 },
 "sysmon": {
@@ -5514,7 +5532,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -5522,7 +5540,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -5530,7 +5548,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -5538,7 +5556,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -5551,13 +5569,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -5570,7 +5588,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5598,10 +5616,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5755,7 +5776,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -5763,7 +5784,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -5771,7 +5792,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -5779,7 +5800,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -5792,13 +5813,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -5811,7 +5832,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5840,10 +5861,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -5999,7 +6023,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6007,7 +6031,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6015,7 +6039,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6023,7 +6047,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -6039,13 +6063,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -6058,7 +6082,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6085,10 +6109,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -6240,7 +6267,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -6248,7 +6275,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6265,9 +6292,9 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -6281,7 +6308,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6310,8 +6337,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -6741,7 +6769,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -6749,7 +6777,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -6757,7 +6785,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -6765,7 +6793,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -6782,13 +6810,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -6802,7 +6830,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -6830,10 +6858,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -7122,7 +7153,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -7130,7 +7161,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -7138,7 +7169,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -7146,7 +7177,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -7163,13 +7194,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7183,7 +7214,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7211,10 +7242,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -7776,7 +7810,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -7784,7 +7818,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -7792,7 +7826,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -7800,7 +7834,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -7817,13 +7851,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -7837,7 +7871,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -7865,10 +7899,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -9173,7 +9210,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -9181,7 +9218,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9189,7 +9226,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9197,7 +9234,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9214,13 +9251,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9234,7 +9271,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9262,10 +9299,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -9318,7 +9358,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9326,7 +9366,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9334,7 +9374,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9342,7 +9382,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9360,13 +9400,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9380,7 +9420,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9407,10 +9447,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -9459,7 +9502,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -9467,7 +9510,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9475,7 +9518,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9483,7 +9526,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9505,13 +9548,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30",
 "2001:502:1ca1::30"
 ]
@@ -9526,7 +9569,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9553,10 +9596,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -9606,7 +9652,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -9614,7 +9660,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -9622,7 +9668,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -9630,7 +9676,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -9647,13 +9693,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -9667,7 +9713,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9695,10 +9741,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -10054,7 +10103,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -10062,7 +10111,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -10070,7 +10119,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -10086,11 +10135,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -10103,7 +10152,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10131,9 +10180,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "192.168.92.30" + "2a02:cf40:231d::2:30", + "192.168.92.30", + "2a02:cf40:83eb::30" ] }, "sysmon": { 
@@ -10197,7 +10248,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -10205,7 +10256,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -10213,7 +10264,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -10234,11 +10285,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -10252,7 +10303,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -10280,9 +10331,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -11109,7 +11162,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -11117,7 +11170,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -11125,7 +11178,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -11145,11 +11198,11 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30"
 ]
 },
@@ -11163,7 +11216,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11191,9 +11244,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -11365,7 +11420,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11389,7 +11444,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -11403,7 +11458,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11431,7 +11486,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -11480,7 +11535,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11488,7 +11543,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11496,7 +11551,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11504,7 +11559,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11521,13 +11576,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -11541,7 +11596,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11569,10 +11624,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -11732,7 +11790,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -11740,7 +11798,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -11748,7 +11806,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -11756,7 +11814,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -11781,13 +11839,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -11803,7 +11861,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11830,10 +11888,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -12084,7 +12145,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12092,7 +12153,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12100,7 +12161,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12108,7 +12169,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12125,13 +12186,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12145,7 +12206,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12173,10 +12234,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12414,7 +12478,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -12422,7 +12486,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12430,7 +12494,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12438,7 +12502,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12455,13 +12519,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -12475,7 +12539,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12503,10 +12567,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -12551,7 +12618,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -12559,7 +12626,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -12567,7 +12634,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -12575,7 +12642,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -12596,13 +12663,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -12617,7 +12684,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12644,10 +12711,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -12840,7 +12910,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], 
@@ -12860,7 +12930,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
@@ -12873,7 +12943,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12901,7 +12971,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -12965,7 +13035,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -12985,7 +13055,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -12999,7 +13069,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13028,7 +13098,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -13085,7 +13155,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13093,7 +13163,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13111,9 +13181,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, 
@@ -13127,7 +13197,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13156,8 +13226,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -13234,7 +13305,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13242,7 +13313,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" } ], @@ -13262,9 +13333,9 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:231d::2:30" ] }, "ecs": { 
@@ -13277,7 +13348,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13305,8 +13376,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "192.168.14.30" + "2a02:cf40:a83e::2:30", + "192.168.14.30", + "2a02:cf40:231d::2:30" ] }, "sysmon": { 
@@ -13350,7 +13422,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -13358,7 +13430,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13366,7 +13438,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13374,7 +13446,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13395,13 +13467,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -13416,7 +13488,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13443,10 +13515,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -13500,7 +13575,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13508,7 +13583,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13516,7 +13591,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13533,11 +13608,11 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -13551,7 +13626,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13580,9 +13655,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -13631,7 +13708,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13639,7 +13716,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13647,7 +13724,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13655,7 +13732,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13672,13 +13749,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13692,7 +13769,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13720,10 +13797,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -13772,7 +13852,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -13780,7 +13860,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -13788,7 +13868,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -13796,7 +13876,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -13813,13 +13893,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -13833,7 +13913,7 @@ "code": "22", "created": "2019-07-18T03:34:05.034Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13861,10 +13941,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -15403,7 +15486,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -15411,7 +15494,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15419,7 +15502,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -15427,7 +15510,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -15452,13 +15535,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15474,7 +15557,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15501,10 +15584,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -15759,7 +15845,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -15767,7 +15853,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -15775,7 +15861,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -15783,7 +15869,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -15804,13 +15890,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -15825,7 +15911,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15852,10 +15938,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] @@ -16097,7 +16186,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16105,7 +16194,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -16113,7 +16202,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -16133,11 +16222,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -16151,7 +16240,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16179,9 +16268,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -16588,7 +16679,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16612,7 +16703,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -16626,7 +16717,7 @@ "code": "22", "created": "2019-07-18T03:34:09.053Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16655,7 +16746,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -16827,7 +16918,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16851,7 +16942,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, 
@@ -16865,7 +16956,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16893,7 +16984,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30" ] }, @@ -16938,7 +17029,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -16946,7 +17037,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -16954,7 +17045,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -16962,7 +17053,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -16987,13 +17078,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -17009,7 +17100,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17036,10 +17127,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30" 
@@ -17090,7 +17184,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17098,7 +17192,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17106,7 +17200,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17114,7 +17208,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17132,13 +17226,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -17152,7 +17246,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17179,10 +17273,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -17361,7 +17458,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -17369,7 +17466,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17377,7 +17474,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17385,7 +17482,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17407,13 +17504,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17428,7 +17525,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17455,10 +17552,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30" ] 
@@ -17632,7 +17732,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -17640,7 +17740,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -17648,7 +17748,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -17656,7 +17756,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -17672,7 +17772,7 @@ "type": "A" }, { - "data": "2001:503:d414::30", + "data": "2a02:cf40:d414::30", "type": "AAAA" }, { @@ -17680,7 +17780,7 @@ "type": "A" }, { - "data": "2001:503:eea3::30", + "data": "2a02:cf40:eea3::30", "type": "AAAA" }, { @@ -17696,7 +17796,7 @@ "type": "A" }, { - "data": "2001:503:39c1::30", + "data": "2a02:cf40:39c1::30", "type": "AAAA" }, { @@ -17748,23 +17848,23 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", "2001:502:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", "2001:502:7094::30" ] 
@@ -17779,7 +17879,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", 
@@ -17807,21 +17907,25 @@ "ip": [ "89.160.20.156", "216.160.83.61", + "216.160.83.61", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30", "2001:502:1ca1::30", "192.168.51.30", - "2001:503:d414::30", + "2a02:cf40:d414::30", "192.168.93.30", - "2001:503:eea3::30", + "2a02:cf40:eea3::30", "192.168.112.30", "2001:502:8cc::30", "192.168.172.30", - "2001:503:39c1::30", + "2a02:cf40:39c1::30", "192.168.79.30", "2001:502:7094::30" ] @@ -17915,7 +18019,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" } ], @@ -17939,7 +18043,7 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "ecs": { 
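Review bot: The regenerated `"ip"` array in this hunk (presumably `related.ip`) now carries `216.160.83.61` twice — the existing context line plus the added `+ "216.160.83.61",` — which the IPv6 substitution alone does not explain: the raw event on the lines above lists `::ffff:216.160.83.61` twice in both the old and the new `original`, and every other address in this array, including `89.160.20.156` which the event repeats dozens of times, appears exactly once. Either the pipeline's de-duplication of this field is not behaving as a set for this record or the fixture was adjusted by hand; worth re-running the expected-output generation and, if the duplicate persists, treating it as a pipeline issue rather than committing it as the expected result. Separately, `2001:502:1ca1::30`, `2001:502:8cc::30` and `2001:502:7094::30` are kept in the same array while the neighbouring `2001:503:*` entries are rewritten to `2a02:cf40:*`; presumably the 2001:502 ones pass the allowed-address check, but confirming that avoids a later failure on the same fixture.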
@@ -17952,7 +18056,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17980,7 +18084,7 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:a83e::2:30" ] }, "sysmon": { @@ -18405,7 +18509,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18413,7 +18517,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18421,7 +18525,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18442,11 +18546,11 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, 
@@ -18460,7 +18564,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18487,9 +18591,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30" ] }, @@ -18546,7 +18652,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18554,7 +18660,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18562,7 +18668,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18570,7 +18676,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" } ], @@ -18586,13 +18692,13 @@ "89.160.20.156", "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "2a02:cf40:856e::30" ] }, "ecs": { 
@@ -18605,7 +18711,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18632,10 +18738,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -18778,7 +18887,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { @@ -18786,7 +18895,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18794,7 +18903,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18802,7 +18911,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -18819,13 +18928,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -18839,7 +18948,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18867,10 +18976,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -18926,7 +19038,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -18934,7 +19046,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:231d::2:30", "type": "AAAA" }, { @@ -18942,7 +19054,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:83eb::30", "type": "AAAA" }, { @@ -18950,7 +19062,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:856e::30", "type": "AAAA" }, { @@ -18967,13 +19079,13 @@ "resolved_ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:231d::2:30", "192.168.92.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:83eb::30", "192.168.80.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:856e::30", "192.168.94.30" ] }, 
@@ -18987,7 +19099,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19015,10 +19127,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -19211,7 +19326,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19219,7 +19334,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19236,9 +19351,9 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30"
 ]
 },
@@ -19252,7 +19367,7 @@ "code": "22", "created": "2019-07-18T03:34:10.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19282,8 +19397,9 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30" ] }, @@ -19536,7 +19652,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19544,7 +19660,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19552,7 +19668,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19560,7 +19676,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 },
 {
@@ -19577,13 +19693,13 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:856e::30",
 "192.168.94.30"
 ]
 },
@@ -19597,7 +19713,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19625,10 +19741,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", + "2a02:cf40:83eb::30", "192.168.80.30", + "2a02:cf40:856e::30", "192.168.94.30" ] }, @@ -19795,7 +19914,7 @@ "type": "A" }, { - "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "data": "2a02:cf40:a83e::2:30", "type": "AAAA" }, { 
@@ -19803,7 +19922,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -19811,7 +19930,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 },
 {
@@ -19819,7 +19938,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:856e::30",
 "type": "AAAA"
 }
 ],
@@ -19835,13 +19954,13 @@
 "89.160.20.156",
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:83eb::30",
 "192.168.80.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:856e::30"
 ]
 },
 "ecs": {
@@ -19854,7 +19973,7 @@ "code": "22", "created": "2019-07-18T03:34:17.272Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.80.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -19881,10 +20000,13 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", + "2a02:cf40:231d::2:30", "192.168.92.30", - "192.168.80.30" + "2a02:cf40:83eb::30", + "192.168.80.30", + "2a02:cf40:856e::30" ] }, "sysmon": { 
@@ -21123,7 +21245,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:a83e::2:30",
 "type": "AAAA"
 },
 {
@@ -21131,7 +21253,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:231d::2:30",
 "type": "AAAA"
 },
 {
@@ -21139,7 +21261,7 @@
 "type": "A"
 },
 {
- "data": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "data": "2a02:cf40:83eb::30",
 "type": "AAAA"
 }
 ],
@@ -21152,11 +21274,11 @@
 "resolved_ip": [
 "89.160.20.156",
 "192.168.6.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:a83e::2:30",
 "192.168.14.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:231d::2:30",
 "192.168.92.30",
- "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ "2a02:cf40:83eb::30"
 ]
 },
 "ecs": {
@@ -21169,7 +21291,7 @@ "code": "22", "created": "2019-07-18T03:49:52.105Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.14.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;192.168.92.30;2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -21198,9 +21320,11 @@ "ip": [ "89.160.20.156", "192.168.6.30", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "2a02:cf40:a83e::2:30", "192.168.14.30", - "192.168.92.30" + "2a02:cf40:231d::2:30", + "192.168.92.30", + "2a02:cf40:83eb::30" ] }, "sysmon": { diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log index 6c1297d7e7f..f8154be5dac 100644 
--- a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log +++ b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log 
@@ -6,4 +6,4 @@ {"ts":1617105597.390017,"uid":"CkQ7DU1qCEGKL5xgg6","id.orig_h":"10.156.0.2","id.orig_p":42609,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":23824,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false} {"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["89.160.20.156"],"TTLs":[119.0],"rejected":false} {"ts":1617105597.761449,"uid":"C86PHA3q1KAtU7gAkb","id.orig_h":"10.156.0.2","id.orig_p":41064,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":46754,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[250.0,250.0,250.0],"rejected":false} -{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","81.2.69.143","89.160.20.156","1.128.3.4","89.160.20.156","1.128.3.435","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false} 
+{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
index e0b65b16876..6be5e4f04d6 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
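Review bot: The `+` line replaces `1.128.3.435` with `1.128.31.135`, and because 435 is not a valid octet that old value was the only answer in these fixtures that did not parse as an IPv4 address, so the pipeline's handling of a non-address answer string is no longer exercised. The same substitution is made in the test-dns.log hunk below, where it has a visible effect: the updated test-dns.log-expected.json now lists `1.128.31.135` in `resolved_ip` where the old value had been absent, presumably because the ingest pipeline drops answers that do not parse as an address. If that filtering is intended behaviour, keep one deliberately malformed answer in a separate event so the case stays covered, with a short comment in the fixture explaining why it is there.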
@@ -3,6 +3,6 @@ {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false} {"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[13.0,18.0,8.0],"rejected":false} {"ts":1617105592.973919,"uid":"CO5TE748RoJEZuOThl","id.orig_h":"10.156.0.2","id.orig_p":60444,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":35744,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[296.0,287.0,287.0],"rejected":false} -{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","81.2.69.143","89.160.20.156","1.128.3.4","89.160.20.156","1.128.3.435","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false} 
+{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false} {"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[12.0,17.0,7.0],"rejected":false} {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dns.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} 
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
index 0bbb198f401..4d875df9bb5 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
@@ -482,7 +482,7 @@
 "ttl": 243
 },
 {
- "data": "81.2.69.143",
+ "data": "1.128.31.143",
 "ttl": 243
 },
 {
@@ -490,7 +490,7 @@
 "ttl": 243
 },
 {
- "data": "1.128.3.4",
+ "data": "1.128.31.1",
 "ttl": 243
 },
 {
@@ -498,7 +498,7 @@
 "ttl": 243
 },
 {
- "data": "1.128.3.435",
+ "data": "1.128.31.135",
 "ttl": 243
 },
 {
@@ -522,10 +522,11 @@
 },
 "resolved_ip": [
 "89.160.20.156",
- "81.2.69.143",
+ "1.128.31.143",
 "89.160.20.156",
- "1.128.3.4",
+ "1.128.31.1",
 "89.160.20.156",
+ "1.128.31.135",
 "81.2.69.193",
 "89.160.20.156"
 ],
@@ -542,7 +543,7 @@ "created": "2020-04-28T11:07:58.223Z", "id": "CG1jsmeHcBCGnWXmk", "kind": "event", - "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"81.2.69.143\",\"89.160.20.156\",\"1.128.3.4\",\"89.160.20.156\",\"1.128.3.435\",\"81.2.69.193\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}", + "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"1.128.31.143\",\"89.160.20.156\",\"1.128.31.1\",\"89.160.20.156\",\"1.128.31.135\",\"81.2.69.193\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}", "outcome": "success", "type": [ "connection", @@ -593,11 +594,11 @@ "prda.aadg.msidentity.com", "www.tm.a.prd.aadg.trafficmanager.net", "89.160.20.156", - "81.2.69.143", + "1.128.31.143", "89.160.20.156", - "1.128.3.4", + "1.128.31.1", "89.160.20.156", - "1.128.3.435", + "1.128.31.135", "81.2.69.193", "89.160.20.156" ], From 67ed6055bea0898f6360a17426e55d247ed3754c Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Wed, 25 May 2022 18:40:56 +0200 Subject: [PATCH 3/5] Update elastic-package --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 72708fcab7d..2d6a0c42158 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,7 @@ require ( github.com/elastic/go-sysinfo v1.7.1 // indirect github.com/elastic/go-ucfg v0.8.5 // indirect github.com/elastic/go-windows v1.0.1 // indirect - github.com/elastic/package-spec v1.9.0 // indirect + github.com/elastic/package-spec v1.10.0 // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect github.com/emirpasic/gods v1.12.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect @@ -167,4 +167,4 @@ require ( sigs.k8s.io/yaml v1.3.0 // indirect ) -replace github.com/elastic/elastic-package => github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1 +replace github.com/elastic/elastic-package => github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b diff --git a/go.sum b/go.sum index 13c70b30453..7aee9e577ce 100644 --- a/go.sum +++ b/go.sum 
@@ -427,8 +427,8 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt
 github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
 github.com/elastic/package-registry v1.8.0 h1:c2nUbBZct3c2LZ6uw0HotB+11PmYM8xh0ynvyeuzFBY=
 github.com/elastic/package-registry v1.8.0/go.mod h1:zh8h1v9v2VYBQvlZK2KoD/uDJlYC7re5PLf4eDALEFA=
-github.com/elastic/package-spec v1.9.0 h1:mW0X6ELiJ8UCwpk1nJRxNxJbfW9ZchyC1Y3cN6S9KWM=
-github.com/elastic/package-spec v1.9.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
+github.com/elastic/package-spec v1.10.0 h1:fkCZRmxN4jesLuylGOEX5g31iITCXZFMbkgX6qvzkZI=
+github.com/elastic/package-spec v1.10.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -791,8 +791,8 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1 h1:rxmEv5GtkTr5pDQAydpxnooGYuuSirnilm/FUjU+f0U=
-github.com/jsoriano/elastic-package v0.0.0-20220524105445-ecc0ba08cfb1/go.mod h1:3ry+GYdaybSqqTJ7ArkL8fLcNJJoHZbAqVLQu9qlagA=
+github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b h1:+2suMIUBa5/DLUMJ0AKnmvtEM+gXOgtyXbSqOXuW7sc=
+github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b/go.mod h1:ft5YhPGis26RJUiOpLZgTir16y+rM03o40eK7C8fTGo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
From 5d9e0b36b973009293f280fc474ed3971e11bea5 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor Date: Wed, 25 May 2022 19:47:13 +0200 Subject: [PATCH 4/5] Fix more ips, remove duplicates --- .../_dev/test/pipeline/test-route53.log | 6 +- .../pipeline/test-route53.log-expected.json | 20 +-- .../route53_resolver_logs/sample_event.json | 6 +- packages/aws/docs/route53.md | 6 +- .../test-sysmon-operational-events.json | 48 ++++---- ...smon-operational-events.json-expected.json | 114 +++++++++--------- .../_dev/test/pipeline/test-events.json | 48 ++++---- .../pipeline/test-events.json-expected.json | 114 +++++++++--------- .../_dev/deploy/docker/sample_logs/dns.log | 2 +- .../dns/_dev/test/pipeline/test-dns.log | 2 +- .../test/pipeline/test-dns.log-expected.json | 8 +- 11 files changed, 187 insertions(+), 187 deletions(-) diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log index 54d8ccf9e70..7778657771d 100644 --- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log +++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log 
@@ -23,12 +23,12 @@ {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} | {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.13","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}} -{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}} 
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} +{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}} +{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:47:41Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.159","srcport":"39685","transport":"UDP","srcids":{}} 
{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"58350","transport":"UDP","srcids":{}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:12Z","query_name":"test.example.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"38200","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"143.69.2.81.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:33Z","query_name":"abcd.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"test.example.com.","Type":"CNAME","Class":"IN"},{"Rdata":"1.128.3.4","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"52785","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} 
-{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.3.4.32.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"} +{"srcaddr":"81.2.69.143","vpc_id":"vpc-7example","answers":[{"Rdata":"203.0.113.9","Type":"PTR","Class":"IN"}],"firewall_rule_group_id":"rslvr-frg-01234567890abcdef","firewall_rule_action":"BLOCK","query_name":"15.199.16.175.in-addr.arpa.","firewall_domain_list_id":"rslvr-fdl-01234567890abcdef","query_class":"IN","srcids":{"instance":"i-0d15cd0d3example"},"rcode":"NOERROR","query_type":"PTR","transport":"UDP","version":"1.100000","account_id":"111122223333","srcport":"56067","query_timestamp":"2021-02-04T17:51:55Z","region":"us-east-1"} {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:48:30Z","query_name":"6.c.f.6.a.9.0.e.2.b.9.a.2.f.1.9.2.0.0.4.d.d.a.0.0.4.f.c.2.0.a.2.ip6.arpa","query_type":"PTR","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ec2-89.160.20.112.compute-1.amazonaws.com.","Type":"PTR","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"47882","transport":"UDP","srcids":{"instance":"i-079c44232510ca8ff"}} \ No newline at end of file diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json index 1350412569e..6d177e47984 100644 --- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json 
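Review bot: The rewritten record for 1.amazon.pool.ntp.org still carries `175.16.199.1` twice in `answers` — the second occurrence is only moved to the end — so this hunk does not meet the "remove duplicates" part of the commit message the way the 2.amazon.pool.ntp.org record does, where the repeated `67.43.156.12` was replaced by `175.16.199.1`. The duplicate also reaches the expected output in test-route53.log-expected.json at `@@ -1682`, whose `related.ip` now lists `175.16.199.1` twice, which suggests the pipeline appends answers without deduplicating. If a repeated A record is meant to stay as a test of that behaviour it is worth stating in the PR; otherwise the fourth answer could become another address already used in this file, e.g. `{"Rdata":"67.43.156.13","Type":"A","Class":"IN"}`, with the expected file regenerated.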
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json @@ -1636,12 +1636,12 @@ }, { "class": "IN", - "data": "175.16.199.1", + "data": "67.43.156.12", "type": "A" }, { "class": "IN", - "data": "67.43.156.12", + "data": "175.16.199.1", "type": "A" } ], @@ -1663,7 +1663,7 @@ "network" ], "kind": "event", - "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}", + "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"1.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"46159\",\"transport\":\"UDP\",\"srcids\":{}}", "outcome": "success", "type": [ "protocol" @@ -1682,8 +1682,8 @@ "ip": [ "175.16.199.1", "81.2.69.143", - "175.16.199.1", "67.43.156.12", + "175.16.199.1", "172.31.86.159" ] }, @@ -1727,7 +1727,7 @@ }, { "class": "IN", - "data": "67.43.156.12", + "data": "175.16.199.1", "type": "A" } ], 
@@ -1749,7 +1749,7 @@ "network" ], "kind": "event", - "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}", + "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"81.2.69.143\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"216.160.83.61\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"67.43.156.12\",\"Type\":\"A\",\"Class\":\"IN\"},{\"Rdata\":\"175.16.199.1\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}", "outcome": "success", "type": [ "protocol" @@ -1769,7 +1769,7 @@ "81.2.69.143", "216.160.83.61", "67.43.156.12", - "67.43.156.12", + "175.16.199.1", "172.31.86.159" ] }, @@ -2154,7 +2154,7 @@ ], "question": { "class": "IN", - "name": "15.3.4.32.in-addr.arpa", + "name": "15.199.16.175.in-addr.arpa", "type": "PTR" }, "response_code": "NOERROR" 
@@ -2167,7 +2167,7 @@ "network" ], "kind": "event", - "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"81.2.69.143\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "outcome": "success", "type": [ "protocol" @@ -2185,7 +2185,7 @@ ], "ip": [ "81.2.69.143", - "32.4.3.15" + "175.16.199.15" ] }, "source": { diff --git a/packages/aws/data_stream/route53_resolver_logs/sample_event.json b/packages/aws/data_stream/route53_resolver_logs/sample_event.json index 8a7b227dcac..77e86321a09 100644 --- a/packages/aws/data_stream/route53_resolver_logs/sample_event.json +++ b/packages/aws/data_stream/route53_resolver_logs/sample_event.json @@ -44,7 +44,7 @@ }, "dns": { "question": { - "name": "15.3.4.32.in-addr.arpa", + "name": "15.199.16.175.in-addr.arpa", "subdomain": "15.3.4", "registered_domain": "32.in-addr.arpa", "type": "PTR", 
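Review bot: In sample_event.json `dns.question.name` becomes `15.199.16.175.in-addr.arpa`, but the two fields directly below it, `"subdomain": "15.3.4"` and `"registered_domain": "32.in-addr.arpa"`, are still derived from the old name and now contradict it; for the new name they would be `"subdomain": "15.199.16"` and `"registered_domain": "175.in-addr.arpa"`. The same stale pair remains in the mirrored example in packages/aws/docs/route53.md at `@@ -256`. The `related.ip` array in `@@ -94` is cut off after `4.5.64.102`, so if it also holds the address derived from the PTR name it presumably still shows the old `32.4.3.15` and should read `175.16.199.15`, as the expected test output at `@@ -2185` does. Since both files are pipeline output, regenerating the sample event with elastic-package rather than hand-editing would keep every derived field consistent.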
@@ -71,7 +71,7 @@ "event": { "agent_id_status": "verified", "ingested": "2021-12-12T00:28:02.201047005Z", - "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "category": [ "network" ], @@ -94,7 +94,7 @@ }, "related": { "hosts": [ - "15.3.4.32.in-addr.arpa" + "15.199.16.175.in-addr.arpa" ], "ip": [ "4.5.64.102" diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md index 0c0ab49f5f7..c341320116c 100644 --- a/packages/aws/docs/route53.md +++ b/packages/aws/docs/route53.md @@ -256,7 +256,7 @@ An example event for `route53_resolver` looks as following: }, "dns": { "question": { - "name": "15.3.4.32.in-addr.arpa", + "name": "15.199.16.175.in-addr.arpa", "subdomain": "15.3.4", "registered_domain": "32.in-addr.arpa", "type": "PTR", 
@@ -283,7 +283,7 @@ An example event for `route53_resolver` looks as following: "event": { "agent_id_status": "verified", "ingested": "2021-12-12T00:28:02.201047005Z", - "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.3.4.32.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", + "original": "{\"srcaddr\":\"4.5.64.102\",\"vpc_id\":\"vpc-7example\",\"answers\":[{\"Rdata\":\"203.0.113.9\",\"Type\":\"PTR\",\"Class\":\"IN\"}],\"firewall_rule_group_id\":\"rslvr-frg-01234567890abcdef\",\"firewall_rule_action\":\"BLOCK\",\"query_name\":\"15.199.16.175.in-addr.arpa.\",\"firewall_domain_list_id\":\"rslvr-fdl-01234567890abcdef\",\"query_class\":\"IN\",\"srcids\":{\"instance\":\"i-0d15cd0d3example\"},\"rcode\":\"NOERROR\",\"query_type\":\"PTR\",\"transport\":\"UDP\",\"version\":\"1.100000\",\"account_id\":\"111122223333\",\"srcport\":\"56067\",\"query_timestamp\":\"2021-02-04T17:51:55Z\",\"region\":\"us-east-1\"}", "category": [ "network" ], @@ -306,7 +306,7 @@ An example event for `route53_resolver` looks as following: }, "related": { "hosts": [ - "15.3.4.32.in-addr.arpa" + "15.199.16.175.in-addr.arpa" ], "ip": [ "4.5.64.102" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json index 27cff6dcef5..f8cd0aa2eab 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json 
@@ -1268,7 +1268,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1287,7 +1287,7 @@ "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:02.792" }, 
@@ -1837,7 +1837,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1864,7 +1864,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1927,7 +1927,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -1955,7 +1955,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4112,7 +4112,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -4126,7 +4126,7 @@
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:03.902",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}"
@@ -5104,7 +5104,7 @@
 "event_data": {
 "QueryName": "idsync.rlcdn.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.237",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5115,7 +5115,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5387,7 +5387,7 @@
 "ProcessId": "2736",
 "QueryName": "prod.y-medialink.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "event_id": "22",
@@ -5409,7 +5409,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5650,7 +5650,7 @@
 "event_data": {
 "QueryName": "tags.rd.linksynergy.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:04.601",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -5661,7 +5661,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -6440,7 +6440,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6456,7 +6456,7 @@
 "event_data": {
 "QueryName": "rp.gwallet.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.943",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6588,7 +6588,7 @@
 },
 "event_data": {
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:07.955",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -6609,7 +6609,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6998,7 +6998,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -7015,7 +7015,7 @@
 "time_created": "2019-07-18T03:34:09.067Z",
 "level": "information",
 "event_data": {
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.544",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7127,7 +7127,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.jivox.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "version": 5,
@@ -7155,7 +7155,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7164,7 +7164,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
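Review bot: In the @@ -7164 hunk the first of the two adjacent `::ffff:216.160.83.61` entries in QueryResults becomes `::ffff:216.160.83.59` while the second is kept, which changes the address rather than swapping a disallowed one for an allowed one (both look like they sit in the same test range as the other 216.160.83.x values), and the identical edit reappears in `winlog.event_data.QueryResults` in the @@ -7188 hunk. This expected file is derived output of the pipeline test, so if the `.59` was introduced by hand it must also be present in the raw input fixture (in the diffstat but outside this chunk) and in the parsed `dns.answers`/`dns.resolved_ip` arrays for this event, which lie outside these hunks, or the test will diff; if it came from regenerating the expected file there is nothing to do. The enclosing JSON object starts and ends outside the hunk.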
@@ -7188,7 +7188,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index e920631aaa5..0839ad6d78a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json @@ -3109,7 +3109,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -3134,7 +3134,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -3148,7 +3148,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3183,7 +3183,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -4706,7 +4706,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -4731,7 +4731,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -4745,7 +4745,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4780,7 +4780,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -4951,7 +4951,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -4972,7 +4972,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -4985,7 +4985,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -5021,7 +5021,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -9646,7 +9646,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -9668,7 +9668,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -9681,7 +9681,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9716,7 +9716,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -11934,7 +11934,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -11959,7 +11959,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -11973,7 +11973,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12008,7 +12008,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -12762,7 +12762,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -12783,7 +12783,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -12796,7 +12796,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12831,7 +12831,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -13566,7 +13566,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -13587,7 +13587,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -13600,7 +13600,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13635,7 +13635,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -15630,7 +15630,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -15655,7 +15655,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -15669,7 +15669,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15704,7 +15704,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -15989,7 +15989,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -16010,7 +16010,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -16023,7 +16023,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -16058,7 +16058,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -17173,7 +17173,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -17198,7 +17198,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -17212,7 +17212,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17247,7 +17247,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -17602,7 +17602,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -17624,7 +17624,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -17637,7 +17637,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17672,7 +17672,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -17760,7 +17760,7 @@ "type": "A" }, { - "data": "216.160.83.61", + "data": "216.160.83.59", "type": "A" }, { @@ -17876,7 +17876,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { 
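Review bot: The `- "data": "216.160.83.61"` / `+ "data": "216.160.83.59"` replacement in the @@ -17760 hunk does not follow from the commit's stated purpose of removing addresses that are not allowed in tests: as far as I know 216.160.83.56/29 is one of the GeoIP test ranges the integrations test tooling accepts, so .61 and .59 are equally allowed, and the adjacent `"216.160.83.61"` entry on the new side of the @@ -17939 hunk (next line) and of the @@ -18018 hunk, plus the `::ffff:216.160.83.61` inside the `original` XML string, are deliberately left in place. If .61 is allowed, this is unexplained churn in generated expected output; if it is not, the remaining occurrences still need replacing in the raw input fixture that produces this file (outside this chunk). A one-line statement of the intent in the commit description, or a comment next to the affected event in the input fixture, would settle which of the two it is.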
@@ -17900,7 +17900,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:8cc::30",
+ "data": "2a02:cf40:8cc::30",
 "type": "AAAA"
 },
 {
@@ -17916,7 +17916,7 @@
 "type": "A"
 },
 {
- "data": "2001:502:7094::30",
+ "data": "2a02:cf40:7094::30",
 "type": "AAAA"
 }
 ],
@@ -17939,7 +17939,7 @@
 "89.160.20.156",
 "89.160.20.156",
 "89.160.20.156",
- "216.160.83.61",
+ "216.160.83.59",
 "216.160.83.61",
 "89.160.20.156",
 "89.160.20.156",
@@ -17968,17 +17968,17 @@
 "192.168.80.30",
 "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30",
 "2a02:cf40:d414::30",
 "192.168.93.30",
 "2a02:cf40:eea3::30",
 "192.168.112.30",
- "2001:502:8cc::30",
+ "2a02:cf40:8cc::30",
 "192.168.172.30",
 "2a02:cf40:39c1::30",
 "192.168.79.30",
- "2001:502:7094::30"
+ "2a02:cf40:7094::30"
 ]
 },
 "ecs": {
@@ -17991,7 +17991,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -18018,7 +18018,7 @@ ], "ip": [ "89.160.20.156", - "216.160.83.61", + "216.160.83.59", "216.160.83.61", "192.168.6.30", "2a02:cf40:a83e::2:30", 
@@ -18029,17 +18029,17 @@
 "192.168.80.30",
 "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30",
 "2a02:cf40:d414::30",
 "192.168.93.30",
 "2a02:cf40:eea3::30",
 "192.168.112.30",
- "2001:502:8cc::30",
+ "2a02:cf40:8cc::30",
 "192.168.172.30",
 "2a02:cf40:39c1::30",
 "192.168.79.30",
- "2001:502:7094::30"
+ "2a02:cf40:7094::30"
 ]
 },
 "sysmon": {
diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
index 3697a353c8b..f1398176156 100644
--- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
@@ -1193,7 +1193,7 @@ "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" }, "winlog": { "version": 5, 
@@ -1212,7 +1212,7 @@
 "ProcessId": "2736",
 "QueryName": "dis.criteo.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:02.792"
 },
@@ -1762,7 +1762,7 @@ { "@timestamp": "2021-05-05T15:30:51.697Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1789,7 +1789,7 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.093", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -1852,7 +1852,7 @@ "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryStatus": "0", - "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -1880,7 +1880,7 @@ }, "event": { "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event" } 
@@ -4037,7 +4037,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
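Review bot: The sanitized `QueryResults` for aa.agkn.com in this hunk reads `::ffff:89.160.20.156;::ffff:89.160.20.156;…`, so two answers (presumably distinct in the captured event) now collapse into one duplicated address, both in `event.original` and in the parsed field; the same pair appears in the parsed `QueryResults` of the next hunk at -4051. A response carrying the same A record twice is not what a resolver returns, and it hides whether any `dns.resolved_ip`/`related.ip` derivation de-duplicates or passes duplicates through, so the fixture no longer exercises that shape. Since the commit is already rewriting addresses, mapping the second answer to a neighbouring address from the same permitted range as `.156`, e.g. `::ffff:89.160.20.157`, keeps the record shaped like the original while staying within the allowed test ranges. The `2001:502:1ca1::30` to `2a02:cf40:1ca1::30` replacement itself is consistent with the sibling `2a02:cf40:…` entries in the same record.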
@@ -4051,7 +4051,7 @@ "ProcessId": "2736", "QueryName": "aa.agkn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:03.902", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}" @@ -5029,7 +5029,7 @@ "event_data": { "QueryName": "idsync.rlcdn.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.237", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5040,7 +5040,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5312,7 +5312,7 @@ "ProcessId": "2736", "QueryName": "prod.y-medialink.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "event_id": "22", 
@@ -5334,7 +5334,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "kind": "event", "provider": "Microsoft-Windows-Sysmon", "code": "22" 
@@ -5575,7 +5575,7 @@ "event_data": { "QueryName": "tags.rd.linksynergy.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:04.601", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -5586,7 +5586,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "code": "22", "kind": "event" 
@@ -6365,7 +6365,7 @@ { "@timestamp": "2021-05-05T15:30:51.709Z", "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6381,7 +6381,7 @@ "event_data": { "QueryName": "rp.gwallet.com", "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.943", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", @@ -6513,7 +6513,7 @@ }, "event_data": { "QueryStatus": "0", - "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;", + "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "UtcTime": "2019-07-18 03:34:07.955", "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", 
@@ -6534,7 +6534,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -6923,7 +6923,7 @@ "event": { "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22" }, "winlog": { 
@@ -6940,7 +6940,7 @@
 "time_created": "2019-07-18T03:34:09.067Z",
 "level": "information",
 "event_data": {
- "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;",
+ "QueryResults": "::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
 "UtcTime": "2019-07-18 03:34:08.544",
 "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
@@ -7052,7 +7052,7 @@
 "ProcessId": "2736",
 "QueryName": "sync.jivox.com",
 "QueryStatus": "0",
- "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;",
+ "QueryResults": "::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;",
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "version": 5,
@@ -7080,7 +7080,7 @@ "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" } }, { 
@@ -7089,7 +7089,7 @@ "level": "information" }, "event": { - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
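Review bot: In the QueryResults part of the new `original` value only the first of the two adjacent `::ffff:216.160.83.61` entries was changed to `::ffff:216.160.83.59`, while the second one is left as `::ffff:216.160.83.61`; the `@@ -7113` hunk's `QueryResults` field carries the same partial change. If 216.160.83.61 is outside the allowed test ranges the second occurrence still needs replacing, and if it is inside them (216.160.83.56/29 is, as far as I know, one of the documented GeoIP test ranges) the edit is unnecessary noise that makes the two fixtures diverge from a real resolver answer. This file appears to be the generated expected output of the pipeline test, so whichever way it is settled the change belongs in the input sample and the expected file should be regenerated rather than edited by hand, so that `original`, `event_data.QueryResults` and the derived `dns` fields stay consistent.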
@@ -7113,7 +7113,7 @@ "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryStatus": "0", - "QueryResults": "type: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5", "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "process": { diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index 656ad42a023..1faa38016bf 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -2997,7 +2997,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -3022,7 +3022,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -3036,7 +3036,7 @@ "code": "22", "created": "2019-07-18T03:34:03.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -3071,7 +3071,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -4594,7 +4594,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -4619,7 +4619,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -4633,7 +4633,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4668,7 +4668,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -4839,7 +4839,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -4860,7 +4860,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -4873,7 +4873,7 @@ "code": "22", "created": "2019-07-18T03:34:03.802Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -4909,7 +4909,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -9534,7 +9534,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -9556,7 +9556,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -9569,7 +9569,7 @@ "code": "22", "created": "2019-07-18T03:34:04.029Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -9604,7 +9604,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -11822,7 +11822,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -11847,7 +11847,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -11861,7 +11861,7 @@ "code": "22", "created": "2019-07-18T03:34:04.692Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -11896,7 +11896,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -12650,7 +12650,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -12671,7 +12671,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -12684,7 +12684,7 @@ "code": "22", "created": "2019-07-18T03:34:04.693Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -12719,7 +12719,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -13454,7 +13454,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -13475,7 +13475,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -13488,7 +13488,7 @@ "code": "22", "created": "2019-07-18T03:34:04.836Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -13523,7 +13523,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -15518,7 +15518,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -15543,7 +15543,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -15557,7 +15557,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15592,7 +15592,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -15877,7 +15877,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -15898,7 +15898,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -15911,7 +15911,7 @@ "code": "22", "created": "2019-07-18T03:34:08.054Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -15946,7 +15946,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -17061,7 +17061,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { @@ -17086,7 +17086,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, 
@@ -17100,7 +17100,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17135,7 +17135,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30" ] }, @@ -17490,7 +17490,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" } ], @@ -17512,7 +17512,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "ecs": { 
@@ -17525,7 +17525,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17560,7 +17560,7 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30" + "2a02:cf40:1ca1::30" ] }, "sysmon": { @@ -17648,7 +17648,7 @@ "type": "A" }, { - "data": "216.160.83.61", + "data": "216.160.83.59", "type": "A" }, { @@ -17764,7 +17764,7 @@ "type": "A" }, { - "data": "2001:502:1ca1::30", + "data": "2a02:cf40:1ca1::30", "type": "AAAA" }, { 
@@ -17788,7 +17788,7 @@ "type": "A" }, { - "data": "2001:502:8cc::30", + "data": "2a02:cf40:8cc::30", "type": "AAAA" }, { @@ -17804,7 +17804,7 @@ "type": "A" }, { - "data": "2001:502:7094::30", + "data": "2a02:cf40:7094::30", "type": "AAAA" } ], @@ -17827,7 +17827,7 @@ "89.160.20.156", "89.160.20.156", "89.160.20.156", - "216.160.83.61", + "216.160.83.59", "216.160.83.61", "89.160.20.156", "89.160.20.156", @@ -17856,17 +17856,17 @@ "192.168.80.30", "2a02:cf40:856e::30", "192.168.94.30", - "2001:502:1ca1::30", + "2a02:cf40:1ca1::30", "192.168.51.30", "2a02:cf40:d414::30", "192.168.93.30", "2a02:cf40:eea3::30", "192.168.112.30", - "2001:502:8cc::30", + "2a02:cf40:8cc::30", "192.168.172.30", "2a02:cf40:39c1::30", "192.168.79.30", - "2001:502:7094::30" + "2a02:cf40:7094::30" ] }, "ecs": { 
@@ -17879,7 +17879,7 @@ "code": "22", "created": "2019-07-18T03:34:09.067Z", "kind": "event", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.61;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:216.160.83.59;::ffff:216.160.83.61;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2a02:cf40:a83e::2:30;192.168.14.30;2a02:cf40:231d::2:30;192.168.92.30;2a02:cf40:83eb::30;192.168.80.30;2a02:cf40:856e::30;192.168.94.30;2a02:cf40:1ca1::30;192.168.51.30;2a02:cf40:d414::30;192.168.93.30;2a02:cf40:eea3::30;192.168.112.30;2a02:cf40:8cc::30;192.168.172.30;2a02:cf40:39c1::30;192.168.79.30;2a02:cf40:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", @@ -17906,7 +17906,7 @@ ], "ip": [ "89.160.20.156", - "216.160.83.61", + "216.160.83.59", "216.160.83.61", "192.168.6.30", "2a02:cf40:a83e::2:30", 
@@ -17917,17 +17917,17 @@
 "192.168.80.30",
 "2a02:cf40:856e::30",
 "192.168.94.30",
- "2001:502:1ca1::30",
+ "2a02:cf40:1ca1::30",
 "192.168.51.30",
 "2a02:cf40:d414::30",
 "192.168.93.30",
 "2a02:cf40:eea3::30",
 "192.168.112.30",
- "2001:502:8cc::30",
+ "2a02:cf40:8cc::30",
 "192.168.172.30",
 "2a02:cf40:39c1::30",
 "192.168.79.30",
- "2001:502:7094::30"
+ "2a02:cf40:7094::30"
 ]
 },
 "sysmon": {
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
index f8154be5dac..9b3913467f5 100644
--- a/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
+++ b/packages/zeek/_dev/deploy/docker/sample_logs/dns.log
@@ -6,4 +6,4 @@
 {"ts":1617105597.390017,"uid":"CkQ7DU1qCEGKL5xgg6","id.orig_h":"10.156.0.2","id.orig_p":42609,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":23824,"rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
 {"ts":1617105597.389796,"uid":"CfFSjicQIGB8hU7L6","id.orig_h":"10.156.0.2","id.orig_p":52269,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":7284,"query":"portal.swiftcrypto.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["89.160.20.156"],"TTLs":[119.0],"rejected":false}
 {"ts":1617105597.761449,"uid":"C86PHA3q1KAtU7gAkb","id.orig_h":"10.156.0.2","id.orig_p":41064,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":46754,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[250.0,250.0,250.0],"rejected":false}
-{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105597.761544,"uid":"Cna5vz1pk7Z32m8HZ6","id.orig_h":"10.156.0.2","id.orig_p":33681,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":53055,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","1.128.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
index 6be5e4f04d6..82d4ad43f1d 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log
@@ -3,6 +3,6 @@
 {"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
 {"ts":1617105592.091052,"uid":"CpwXdW4LQaJkaIgpk","id.orig_h":"10.156.0.2","id.orig_p":33438,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58036,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[13.0,18.0,8.0],"rejected":false}
 {"ts":1617105592.973919,"uid":"CO5TE748RoJEZuOThl","id.orig_h":"10.156.0.2","id.orig_p":60444,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":35744,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.akadns.net"],"TTLs":[296.0,287.0,287.0],"rejected":false}
-{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","81.2.69.193","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
+{"ts":1617105592.9742,"uid":"CG1jsmeHcBCGnWXmk","id.orig_h":"10.156.0.2","id.orig_p":44310,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":58458,"query":"login.microsoftonline.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["a.privatelink.msidentity.com","prda.aadg.msidentity.com","www.tm.a.prd.aadg.trafficmanager.net","89.160.20.156","1.128.31.143","89.160.20.156","1.128.31.1","89.160.20.156","1.128.31.135","1.128.31.6","89.160.20.156"],"TTLs":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],"rejected":false}
 {"ts":1617105593.106256,"uid":"ChP0cl4j5mbXSZ9TGf","id.orig_h":"10.156.0.2","id.orig_p":36364,"id.resp_h":"169.254.169.254","id.resp_p":53,"proto":"udp","trans_id":8791,"query":"manage.office.com","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":false,"RA":true,"Z":0,"answers":["manage.office.com.trafficmanager.net","o365adtapiproddeu001.cloudapp.net","89.160.20.156"],"TTLs":[12.0,17.0,7.0],"rejected":false}
 {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/dns.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}}
diff --git a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
index 4d875df9bb5..9a37fb0ac59 100644
--- a/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
+++ b/packages/zeek/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json
@@ -502,7 +502,7 @@
 "ttl": 243
 },
 {
- "data": "81.2.69.193",
+ "data": "1.128.31.6",
 "ttl": 243
 },
 {
@@ -527,7 +527,7 @@
 "1.128.31.1",
 "89.160.20.156",
 "1.128.31.135",
- "81.2.69.193",
+ "1.128.31.6",
 "89.160.20.156"
 ],
 "response_code": "NOERROR",
@@ -543,7 +543,7 @@
 "created": "2020-04-28T11:07:58.223Z",
 "id": "CG1jsmeHcBCGnWXmk",
 "kind": "event",
- "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"1.128.31.143\",\"89.160.20.156\",\"1.128.31.1\",\"89.160.20.156\",\"1.128.31.135\",\"81.2.69.193\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
+ "original": "{\"ts\":1617105592.9742,\"uid\":\"CG1jsmeHcBCGnWXmk\",\"id.orig_h\":\"10.156.0.2\",\"id.orig_p\":44310,\"id.resp_h\":\"169.254.169.254\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":58458,\"query\":\"login.microsoftonline.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"a.privatelink.msidentity.com\",\"prda.aadg.msidentity.com\",\"www.tm.a.prd.aadg.trafficmanager.net\",\"89.160.20.156\",\"1.128.31.143\",\"89.160.20.156\",\"1.128.31.1\",\"89.160.20.156\",\"1.128.31.135\",\"1.128.31.6\",\"89.160.20.156\"],\"TTLs\":[299.0,214.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0,243.0],\"rejected\":false}",
 "outcome": "success",
 "type": [
 "connection",
@@ -599,7 +599,7 @@
 "1.128.31.1",
 "89.160.20.156",
 "1.128.31.135",
- "81.2.69.193",
+ "1.128.31.6",
 "89.160.20.156"
 ],
 "query": "login.microsoftonline.com",
From 8c549ed8f1eaa3cadcfac998c8232be7c6fbbda4 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Mon, 30 May 2022 12:08:26 +0200
Subject: [PATCH 5/5] Revert changes in dependencies
---
 go.mod | 4 +---
 go.sum | 8 ++++----
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 2d6a0c42158..60ab7c5d2fb 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 github.com/elastic/go-sysinfo v1.7.1 // indirect
 github.com/elastic/go-ucfg v0.8.5 // indirect
 github.com/elastic/go-windows v1.0.1 // indirect
- github.com/elastic/package-spec v1.10.0 // indirect
+ github.com/elastic/package-spec v1.9.0 // indirect
 github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 github.com/emirpasic/gods v1.12.0 // indirect
 github.com/evanphx/json-patch v5.6.0+incompatible // indirect
@@ -166,5 +166,3 @@ require (
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
-
-replace github.com/elastic/elastic-package => github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b
diff --git a/go.sum b/go.sum
index 7aee9e577ce..962b9cfe873 100644
--- a/go.sum
+++ b/go.sum
@@ -411,6 +411,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/elastic/elastic-package v0.51.2 h1:R9LUhtOFIDL10T45rPwU316KEtABJ0eInHWbQsGT9H4=
+github.com/elastic/elastic-package v0.51.2/go.mod h1:3ry+GYdaybSqqTJ7ArkL8fLcNJJoHZbAqVLQu9qlagA=
 github.com/elastic/go-elasticsearch/v7 v7.17.1 h1:49mHcHx7lpCL8cW1aioEwSEVKQF3s+Igi4Ye/QTWwmk=
 github.com/elastic/go-elasticsearch/v7 v7.17.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
 github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
@@ -427,8 +429,8 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt
 github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
 github.com/elastic/package-registry v1.8.0 h1:c2nUbBZct3c2LZ6uw0HotB+11PmYM8xh0ynvyeuzFBY=
 github.com/elastic/package-registry v1.8.0/go.mod h1:zh8h1v9v2VYBQvlZK2KoD/uDJlYC7re5PLf4eDALEFA=
-github.com/elastic/package-spec v1.10.0 h1:fkCZRmxN4jesLuylGOEX5g31iITCXZFMbkgX6qvzkZI=
-github.com/elastic/package-spec v1.10.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
+github.com/elastic/package-spec v1.9.0 h1:mW0X6ELiJ8UCwpk1nJRxNxJbfW9ZchyC1Y3cN6S9KWM=
+github.com/elastic/package-spec v1.9.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -791,8 +793,6 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b h1:+2suMIUBa5/DLUMJ0AKnmvtEM+gXOgtyXbSqOXuW7sc=
-github.com/jsoriano/elastic-package v0.0.0-20220525163722-cb196961cb7b/go.mod h1:ft5YhPGis26RJUiOpLZgTir16y+rM03o40eK7C8fTGo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=