diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
index 69964be8c8d..937b2d3fd06 100644
--- a/winlogbeat/eventlog/wineventlog.go
+++ b/winlogbeat/eventlog/wineventlog.go
@@ -396,8 +396,17 @@ func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) Record {
 		e.RenderErr = append(e.RenderErr, recoveredErr.Error())
 	}
 
+	md, err := win.NewPublisherMetadataStore(win.NilHandle, e.Provider.Name, logp.L())
+	if err != nil {
+		// Return an empty store on error (can happen in cases where the
+		// log was forwarded and the provider doesn't exist on collector).
+		md = win.NewEmptyPublisherMetadataStore(e.Provider.Name, logp.L())
+		logp.Warn("failed to load publisher metadata for %v "+
+			"(returning an empty metadata store): %v", e.Provider.Name, err)
+	}
+
 	// Get basic string values for raw fields.
-	winevent.EnrichRawValuesWithNames(nil, &e)
+	winevent.EnrichRawValuesWithNames(&md.WinMeta, &e)
 	if e.Level == "" {
 		// Fallback on LevelRaw if the Level is not set in the RenderingInfo.
 		e.Level = win.EventLevel(e.LevelRaw).String()
diff --git a/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go b/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go
new file mode 100644
index 00000000000..9051917e247
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go
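Review bot: The added `md, err := win.NewPublisherMetadataStore(win.NilHandle, e.Provider.Name, logp.L())` opens a publisher metadata store for every record that buildRecordFromXML builds, and the hunk neither caches it per provider nor releases it, so a busy channel pays a metadata lookup per event and a collector receiving forwarded events whose provider is absent emits the warning on the new `logp.Warn` line once per record rather than once per provider. A per-provider-name cache on the receiver (the struct is outside the hunk) that remembers either the loaded store or the empty fallback after the first attempt would bound both the lookup churn and the log volume, and if the store holds a handle that needs closing, the cache is also where its lifetime belongs. Separately, `e.Provider.Name` is taken from the event XML and is interpolated with `%v`; `%q` keeps a provider name containing newlines or control characters from splitting the warning into forged log lines: `logp.Warn("failed to load publisher metadata for %q "+ "(returning an empty metadata store): %v", e.Provider.Name, err)`. buildRecordFromXML starts before and continues past the hunk.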
@@ -0,0 +1,44 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+	"github.com/elastic/go-sysinfo/providers/windows"
+
+	// Register required processors.
+	_ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+	_ "github.com/elastic/beats/v7/libbeat/processors/timestamp"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+	"message",
+}
+
+func TestPowerShell(t *testing.T) {
+	// FIXME: We do not get opcode strings in the XML on Windows 2022, so ignore that
+	// field there. Only apply this to that platform to avoid regressions elsewhere.
+	// This means that golden values should be generated on a non-2022 version of
+	// Windows to ensure that this field is properly rendered. This is checked in
+	// the module.TestPipeline function.
+	//
+	// See https://github.com/elastic/beats/issues/31490 for tracking issue.
+	os, err := windows.OperatingSystem()
+	if err != nil {
+		t.Fatalf("failed to get operating system info: %v", err)
+	}
+	t.Logf("running tests on %s", os.Name)
+	if strings.Contains(os.Name, "2022") {
+		ignoreFields = append(ignoreFields, "winlog.opcode")
+		t.Log("ignoring winlog.opcode")
+	}
+
+	module.TestPipeline(t, "testdata/*.evtx", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json
index 4e6582e6cd2..cbc03931712 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json
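Review bot: `ignoreFields = append(ignoreFields, "winlog.opcode")` mutates the package-level slice from inside TestPowerShell, so the opcode exclusion leaks into any other test in this package that later reads `ignoreFields` and makes results depend on test order (and repeated runs with `-count` keep appending the same entry). Build the filter list locally instead: `fields := append([]string(nil), ignoreFields...)`, then `fields = append(fields, "winlog.opcode")` in the 2022 branch and pass `module.WithFieldFilter(fields)`. The local named `os` also shadows the standard `os` package name for readers; `osInfo` would avoid that.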
@@ -3,17 +3,9 @@ "@timestamp": "2020-05-14T07:00:30.8914235Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "400", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 13, - "type": [ - "start" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -21,31 +13,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Available", - "previous_state": "None", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "1.0.0.0" - }, - "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" - }, - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", - "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", - "title": "ServerRemoteHost" - }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "400", "keywords": [ "Classic" 
@@ -60,17 +37,9 @@ "@timestamp": "2020-05-14T07:01:14.3715076Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "400", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 13, - "type": [ - "start" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -78,33 +47,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Available", - "previous_state": "None", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "056a5045-a7bb-49c6-9a9d-2ea95acea751" - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "83c6a631-910d-4530-bec2-18b2d0fc380a", - "title": "ConsoleHost" - }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, 
"event_id": "400", "keywords": [ "Classic" @@ -119,17 +71,9 @@ "@timestamp": "2020-05-14T11:32:51.9892568Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "400", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 13, - "type": [ - "start" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -137,31 +81,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Available", - "previous_state": "None", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "24067d05-e98a-4fbb-9cda-020e4c65017d" - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", - "C:\\Users\\vagrant\\Desktop\\patata.ps1" - ], - "args_count": 2, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1", - "entity_id": "f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab", - "title": "Windows PowerShell ISE Host" - }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "400", "keywords": [ "Classic" 
@@ -176,17 +105,9 @@ "@timestamp": "2020-06-04T07:20:27.7472275Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "400", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 9, - "type": [ - "start" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" @@ -194,25 +115,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Available", - "previous_state": "None", - "version": "2.0" - }, - "process": { - "executable_version": "2.0" - }, - "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" - }, - "process": { - "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", - "title": "ConsoleHost" - }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "400", "keywords": [ "Classic" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json index 5c0c895856f..f2841989e1e 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json @@ -3,17 +3,9 @@ "@timestamp": "2020-05-14T15:31:22.4269238Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "403", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 33, - "type": [ - "end" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -21,30 +13,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Stopped", - "previous_state": "Available", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "6f14a54e-5992-42dd-b38c-68830a28b1b6" - }, - "process": { - "args": [ - "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" - ], - "args_count": 1, - "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", - "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", - "title": "Windows PowerShell ISE Host" - }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "403", "keywords": [ "Classic" 
@@ -59,17 +37,9 @@ "@timestamp": "2020-05-15T08:11:47.932007Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "403", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 37, - "type": [ - "end" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -77,31 +47,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Stopped", - "previous_state": "Available", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "1.0.0.0" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" - }, - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost" - }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "403", "keywords": [ "Classic" 
@@ -116,17 +71,9 @@ "@timestamp": "2020-05-15T08:28:53.6266982Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "403", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 37, - "type": [ - "end" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -134,38 +81,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Stopped", - "previous_state": "Available", - "version": "5.1.17763.1007" - }, - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "8228a4bd-3125-4d1a-997b-3a4df8c085f2" - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-executionpolicy", - "bypass", - "-encodedCommand", - "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", - "-inputFormat", - "xml", - "-outputFormat", - "text" - ], - "args_count": 9, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text", - "entity_id": "f9cd0d65-6665-4b88-9142-f03a2d20f8b8", - "title": "ConsoleHost" - }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 
-executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "403", "keywords": [ "Classic" @@ -180,17 +105,9 @@ "@timestamp": "2020-06-04T07:20:28.6861939Z", "event": { "action": "Engine Lifecycle", - "category": [ - "process" - ], "code": "403", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 10, - "type": [ - "end" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -198,25 +115,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "new_state": "Stopped", - "previous_state": "Available", - "version": "2.0" - }, - "process": { - "executable_version": "2.0" - }, - "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" - }, - "process": { - "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", - "title": "ConsoleHost" - }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "403", "keywords": [ "Classic" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json index 46d290b1f5a..9bed8372c84 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json 
@@ -1,25 +1,11 @@ [ { "@timestamp": "2020-05-15T08:11:47.8979495Z", - "destination": { - "user": { - "domain": "VAGRANT", - "name": "vagrant" - } - }, "event": { "action": "Executing Pipeline", - "category": [ - "process" - ], "code": "4103", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "sequence": 34, - "type": [ - "info" - ] + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" 
@@ -27,73 +13,16 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "cmd.exe", - "type": "CommandInvocation", - "value": "\"cmd.exe\"" - }, - { - "related_command": "Out-Null", - "type": "CommandInvocation", - "value": "\"Out-Null\"" - }, - { - "name": "\"InputObject\"", - "related_command": "Out-Null", - "type": "ParameterBinding", - "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" - } - ], - "name": "cmd.exe", - "path": "C:\\Windows\\system32\\cmd.exe", - "type": "Application" - }, - "connected_user": { - "domain": "VAGRANT", - "name": "vagrant" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "id": "Microsoft.PowerShell", - "pipeline_id": "1", - "process": { - "executable_version": "1.0.0.0" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" - }, - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost" - }, - "related": { - "user": "vagrant" - }, - "source": { - "user": { - "domain": "VAGRANT", - "name": "vagrant" - } - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", - "name": "vagrant" - }, + "message": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"\n\n\nContext:\n Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = 
cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", "winlog": { "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "ContextInfo": " Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell", + "Payload": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" + }, "event_id": "4103", "opcode": "To be used when operation is just executing a method", "process": { @@ -116,17 +45,9 @@ "@timestamp": "2020-05-15T08:13:06.7032939Z", "event": { "action": "Executing Pipeline", - "category": [ - "process" - ], "code": "4103", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "sequence": 22, - "type": [ - "info" - ] + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" 
@@ -134,89 +55,16 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "Resolve-Path", - "type": "CommandInvocation", - "value": "\"Resolve-Path\"" - }, - { - "name": "\"ErrorAction\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"Ignore\"" - }, - { - "name": "\"WarningAction\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"Ignore\"" - }, - { - "name": "\"InformationAction\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"Ignore\"" - }, - { - "name": "\"Verbose\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"False\"" - }, - { - "name": "\"Debug\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"False\"" - }, - { - "name": "\"Path\"", - "related_command": "Resolve-Path", - "type": "ParameterBinding", - "value": "\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"" - } - ], - "name": "Resolve-Path", - "type": "Cmdlet" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "id": "Microsoft.PowerShell", - "pipeline_id": "9", - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf" - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", - "title": "ConsoleHost" - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", - "name": "vagrant" - }, + "message": "CommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): 
name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\n\nContext:\n Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", "winlog": { "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "ContextInfo": " Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User = \n Shell ID = Microsoft.PowerShell", + "Payload": "CommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): 
name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"" + }, "event_id": "4103", "opcode": "To be used when operation is just executing a method", "process": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json index 94621ee16e1..38c7997fca7 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json @@ -3,16 +3,9 @@ "@timestamp": "2020-05-14T11:33:51.3892662Z", "event": { "action": "Execute a Remote Command", - "category": [ - "process" - ], "code": "4104", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "type": [ - "info" - ] + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" @@ -20,22 +13,18 @@ "log": { "level": "verbose" }, - "powershell": { - "file": { - "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", - "script_block_text": ".\\patata.ps1" - }, - "sequence": 1, - "total": 1 - }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - }, + "message": "Creating Scriptblock text (1 of 1):\n.\\patata.ps1\n\nScriptBlock ID: 50d2dbda-7361-4926-a94d-d9eadfdb43fa\nPath: ", "winlog": { "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "MessageNumber": "1", + "MessageTotal": "1", + "ScriptBlockId": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "ScriptBlockText": ".\\patata.ps1" + }, "event_id": "4104", "opcode": "On create calls", "process": { 
@@ -58,22 +47,9 @@ "@timestamp": "2020-05-14T11:33:51.3938848Z", "event": { "action": "Execute a Remote Command", - "category": [ - "process" - ], "code": "4104", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "type": [ - "info" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\Desktop", - "extension": "ps1", - "name": "patata.ps1", - "path": "C:\\Users\\vagrant\\Desktop\\patata.ps1" + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" @@ -81,21 +57,18 @@ "log": { "level": "verbose" }, - "powershell": { - "file": { - "script_block_id": "f5521cbd-656e-4296-b74d-9ffb4eec23b0" - }, - "sequence": 1, - "total": 1 - }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - }, + "message": "Creating Scriptblock text (1 of 1):\n\n\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\nPath: C:\\Users\\vagrant\\Desktop\\patata.ps1", "winlog": { "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "MessageNumber": "1", + "MessageTotal": "1", + "Path": "C:\\Users\\vagrant\\Desktop\\patata.ps1", + "ScriptBlockId": "f5521cbd-656e-4296-b74d-9ffb4eec23b0" + }, "event_id": "4104", "opcode": "On create calls", "process": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json index 09f158eb7ca..51224088788 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json 
@@ -3,16 +3,9 @@ "@timestamp": "2020-05-13T09:04:04.7552325Z", "event": { "action": "Starting Command", - "category": [ - "process" - ], "code": "4105", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" @@ -20,20 +13,16 @@ "log": { "level": "verbose" }, - "powershell": { - "file": { - "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" - }, - "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" - }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - }, + "message": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623", "winlog": { "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "RunspaceId": "9c031e5c-8d5a-4b91-a12e-b3624970b623", + "ScriptBlockId": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, "event_id": "4105", "opcode": "On create calls", "process": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json index bca224a07ce..9b67fbec9bd 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json @@ -3,16 +3,9 @@ "@timestamp": "2020-05-13T10:40:32.5957152Z", "event": { "action": "Stopping Command", - "category": [ - "process" - ], "code": "4106", "kind": "event", - "module": "powershell", - "provider": "Microsoft-Windows-PowerShell", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-PowerShell" }, "host": { "name": "vagrant" 
@@ -20,20 +13,16 @@ "log": { "level": "verbose" }, - "powershell": { - "file": { - "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" - }, - "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" - }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - }, + "message": "Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332", "winlog": { "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "api": "wineventlog", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", + "event_data": { + "RunspaceId": "3f1a9181-0523-4645-a42c-2c1868c39332", + "ScriptBlockId": "4c487c13-46f7-4485-925b-34855c7e873c" + }, "event_id": "4106", "opcode": "On create calls", "process": { diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json index c6fa28aab3d..e11d977fa87 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/600.evtx.golden.json @@ -3,17 +3,9 @@ "@timestamp": "2020-05-13T13:21:43.1831809Z", "event": { "action": "Provider Lifecycle", - "category": [ - "process" - ], "code": "600", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 35, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -21,34 +13,16 @@ "log": { "level": "information" }, - "powershell": { - "engine": { - "version": "5.1.17763.1007" - }, - "pipeline_id": "15", - "process": { - "executable_version": "5.1.17763.1007" - }, - "provider": { - "name": "Certificate", - "new_state": "Started" - }, - "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", - "C:\\Users\\vagrant\\Desktop\\lateral.ps1" - ], - "args_count": 2, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", - "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", - "title": "Windows PowerShell ISE Host" - }, + "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Certificate", + "param2": "Started", + "param3": "\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, 
"event_id": "600", "keywords": [ "Classic" @@ -63,17 +37,9 @@ "@timestamp": "2020-05-13T13:25:04.6564269Z", "event": { "action": "Provider Lifecycle", - "category": [ - "process" - ], "code": "600", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 1, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -81,31 +47,16 @@ "log": { "level": "information" }, - "powershell": { - "process": { - "executable_version": "5.1.17763.1007" - }, - "provider": { - "name": "Registry", - "new_state": "Started" - } - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "44b8d66c-f5a2-4abb-ac7d-6db73990a6d3", - "title": "ConsoleHost" - }, + "message": "Provider \"Registry\" is Started. \n\nDetails: \n\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Registry", + "param2": "Started", + "param3": "\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "600", "keywords": [ "Classic" 
@@ -120,17 +71,9 @@ "@timestamp": "2020-06-04T07:25:04.8574302Z", "event": { "action": "Provider Lifecycle", - "category": [ - "process" - ], "code": "600", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 8, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" @@ -138,23 +81,16 @@ "log": { "level": "information" }, - "powershell": { - "process": { - "executable_version": "2.0" - }, - "provider": { - "name": "Certificate", - "new_state": "Started" - } - }, - "process": { - "entity_id": "99a16837-7392-463d-afe5-5f3ed24bd358", - "title": "ConsoleHost" - }, + "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Certificate", + "param2": "Started", + "param3": "\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, "event_id": "600", "keywords": [ "Classic" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json index 48b36cc8e2a..b58df13122a 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/800.evtx.golden.json 
@@ -3,23 +3,9 @@ "@timestamp": "2020-02-26T09:37:40.4872415Z", "event": { "action": "Pipeline Execution Details", - "category": [ - "process" - ], "code": "800", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 17, - "type": [ - "info" - ] - }, - "file": { - "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", - "extension": "psm1", - "name": "Microsoft.PowerShell.Archive.psm1", - "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" + "provider": "PowerShell" }, "host": { "name": "vagrant-2019" 
@@ -27,70 +13,16 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "Add-Type", - "type": "CommandInvocation", - "value": "\"Add-Type\"" - }, - { - "name": "\"AssemblyName\"", - "related_command": "Add-Type", - "type": "ParameterBinding", - "value": "\"System.IO.Compression.FileSystem\"" - } - ], - "value": "Add-Type -AssemblyName System.IO.Compression.FileSystem" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "pipeline_id": "1", - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "6a447a2c-693e-4d41-948d-129b455b2569", - "sequence": 1, - "total": 1 - }, - "process": { - "args": [ - "powershell", - "-executionpolicy", - "bypass", - "\u0026", - "{", - "if", - "(Test-Path", - "variable:global:ProgressPreference){set-variable", - "-name", - "variable:global:ProgressPreference", - "-value", - "'SilentlyContinue'};.", - "c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1;", - "\u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1';", - "exit", - "$LastExitCode", - "}" - ], - "args_count": 17, - "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }", - "entity_id": "ac3c99ce-7983-4996-807e-6a689eaba50b", - "title": "ConsoleHost" - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT-2019", - "name": "vagrant" - }, + "message": "Pipeline execution details for command line: Add-Type -AssemblyName System.IO.Compression.FileSystem\n. 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n \n\nDetails: \nCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant-2019", + "event_data": { + "param1": " Add-Type -AssemblyName System.IO.Compression.FileSystem", + "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem", + "param3": "CommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"" + }, "event_id": "800", "keywords": [ "Classic" @@ -105,17 +37,9 @@ "@timestamp": "2020-05-15T08:33:26.3769931Z", "event": { "action": "Pipeline Execution Details", - "category": [ - "process" - ], "code": "800", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 135, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -123,57 +47,16 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "Set-StrictMode", - "type": "CommandInvocation", - "value": "\"Set-StrictMode\"" - }, - { - "name": "\"Version\"", - "related_command": "Set-StrictMode", - "type": "ParameterBinding", - "value": "\"1.0\"" - } - ], - "value": "\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "pipeline_id": "71", - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", - "sequence": 1, - "total": 1 - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", - "title": "ConsoleHost" - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "name": "vagrant" - }, + "message": "Pipeline execution details for command line: \u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }. 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails } \n\nDetails: \nCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }", + "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }", + "param3": "CommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"" + }, "event_id": "800", "keywords": [ "Classic" 
@@ -188,17 +71,9 @@ "@timestamp": "2020-05-15T08:33:26.393089Z", "event": { "action": "Pipeline Execution Details", - "category": [ - "process" - ], "code": "800", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 141, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -206,68 +81,16 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "Import-LocalizedData", - "type": "CommandInvocation", - "value": "\"Import-LocalizedData\"" - }, - { - "name": "\"FileName\"", - "related_command": "Import-LocalizedData", - "type": "ParameterBinding", - "value": "\"ArchiveResources\"" - }, - { - "name": "\"BindingVariable\"", - "related_command": "Import-LocalizedData", - "type": "ParameterBinding", - "value": "\"LocalizedData\"" - }, - { - "related_command": "Import-LocalizedData", - "type": "NonTerminatingError", - "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" - } - ], - "value": "Import-LocalizedData LocalizedData -filename ArchiveResources" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "pipeline_id": "71", - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", - "sequence": 1, - "total": 1 - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", - "title": "ConsoleHost" - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "name": "vagrant" - }, + "message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param1": "Import-LocalizedData LocalizedData -filename ArchiveResources", + "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources", + "param3": "CommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): 
name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + }, "event_id": "800", "keywords": [ "Classic" @@ -282,17 +105,9 @@ "@timestamp": "2020-05-15T08:33:26.393089Z", "event": { "action": "Pipeline Execution Details", - "category": [ - "process" - ], "code": "800", "kind": "event", - "module": "powershell", - "provider": "PowerShell", - "sequence": 143, - "type": [ - "info" - ] + "provider": "PowerShell" }, "host": { "name": "vagrant" 
@@ -300,56 +115,15 @@ "log": { "level": "information" }, - "powershell": { - "command": { - "invocation_details": [ - { - "related_command": "Out-Default", - "type": "CommandInvocation", - "value": "\"Out-Default\"" - }, - { - "name": "\"InputObject\"", - "related_command": "Out-Default", - "type": "ParameterBinding", - "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" - } - ] - }, - "engine": { - "version": "5.1.17763.1007" - }, - "pipeline_id": "71", - "process": { - "executable_version": "5.1.17763.1007" - }, - "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", - "sequence": 1, - "total": 1 - }, - "process": { - "args": [ - "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "-noexit", - "-command", - "'C:\\Gopath\\src\\github.com\\elastic\\beats'" - ], - "args_count": 4, - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", - "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", - "title": "ConsoleHost" - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "name": "vagrant" - }, + "message": "Pipeline execution details for command line: . 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"", "winlog": { "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", + "event_data": { + "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=", + "param3": "CommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + }, "event_id": "800", "keywords": [ "Classic" diff --git a/x-pack/winlogbeat/module/security/test/security_windows_test.go b/x-pack/winlogbeat/module/security/test/security_windows_test.go new file mode 100644 index 00000000000..feface0b31c --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/security_windows_test.go
@@ -0,0 +1,25 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+
+ // Register required processors.
+ _ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+ _ "github.com/elastic/beats/v7/libbeat/processors/timestamp"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+ "message",
+}
+
+func TestSecurity(t *testing.T) {
+ module.TestPipeline(t, "testdata/*.evtx", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json
index 1f9244e47b8..4aa5ac0739b 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/1100.evtx.golden.json
@@ -2,18 +2,11 @@
 {
 "@timestamp": "2019-11-07T10:37:04.2260925Z",
 "event": {
- "action": "logging-service-shutdown",
- "category": [
- "process"
- ],
+ "action": "Service shutdown",
 "code": "1100",
 "kind": "event",
- "module": "security",
 "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "end"
- ]
+ "provider": "Microsoft-Windows-Eventlog"
 },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
@@ -21,6 +14,7 @@
 "log": {
 "level": "information"
 },
+ "message": "The event logging service has shut down.",
 "winlog": {
 "api": "wineventlog",
 "channel": "Security",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json
index e65b84849db..aae6080485c 100644
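Review bot: `ignoreFields` removes `message` from the comparison, so none of the `message` values that this commit adds to the Security golden files (for example the 1102 fixture, whose message now carries the subject SID, account name and logon ID) are ever asserted by TestSecurity. The comment justifies the filter with cross-version differences, but in these fixtures the rendered message is now the only place where the subject fields appear, so a regression in message rendering would apparently go unnoticed. Consider narrowing the filter to the fixtures whose text is known to differ between Windows versions, or extending the comment to state that golden `message` values are kept for reference only and are not compared. `ignoreFields` is also a mutable package-level slice that TestSecurity never modifies; passing `module.WithFieldFilter([]string{"message"})` inline would keep the test self-contained.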
--- a/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/1102.evtx.golden.json
@@ -2,19 +2,11 @@
 {
 "@timestamp": "2019-11-07T10:34:29.0559196Z",
 "event": {
- "action": "audit-log-cleared",
- "category": [
- "iam"
- ],
+ "action": "Log clear",
 "code": "1102",
 "kind": "event",
- "module": "security",
 "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "admin",
- "change"
- ]
+ "provider": "Microsoft-Windows-Eventlog"
 },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
@@ -22,14 +14,7 @@
 "log": {
 "level": "information"
 },
- "related": {
- "user": "Administrator"
- },
- "user": {
- "domain": "WLBEAT",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500",
- "name": "Administrator"
- },
+ "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87",
 "winlog": {
 "api": "wineventlog",
 "channel": "Security",
@@ -38,9 +23,6 @@
 "keywords": [
 "Audit Success"
 ],
- "logon": {
- "id": "0x50e87"
- },
 "opcode": "Info",
 "process": {
 "pid": 1144,
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json
index 53e3d2d85c7..66384ef29c7 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/1104.evtx.golden.json
@@ -2,18 +2,11 @@
 {
 "@timestamp": "2019-11-08T07:56:17.3217049Z",
 "event": {
- "action": "logging-full",
- "category": [
- "iam"
- ],
+ "action": "Event processing",
 "code": "1104",
 "kind": "event",
- "module": "security",
 "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "admin"
- ]
+ "provider": "Microsoft-Windows-Eventlog"
 },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
@@ -21,6 +14,7 @@
 "log": {
 "level": "error"
 },
+ "message": "The security log is now full.",
 "winlog": {
 "api": "wineventlog",
 "channel": "Security",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json
index 3dd8eea6c62..d803ecf42a4 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/1105.evtx.golden.json
@@ -2,18 +2,11 @@
 {
 "@timestamp": "2019-11-07T16:22:14.8425353Z",
 "event": {
- "action": "auditlog-archieved",
- "category": [
- "iam"
- ],
+ "action": "Log automatic backup",
 "code": "1105",
 "kind": "event",
- "module": "security",
 "outcome": "success",
- "provider": "Microsoft-Windows-Eventlog",
- "type": [
- "admin"
- ]
+ "provider": "Microsoft-Windows-Eventlog"
 },
 "host": {
 "name": "WIN-41OB2LO92CR.wlbeat.local"
@@ -21,6 +14,7 @@
 "log": {
 "level": "information"
 },
+ "message": "Event log automatic backup\n\tLog:\tSecurity\n\tFile:\tC:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx",
 "winlog": {
 "api": "wineventlog",
 "channel": "Security",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json
index 01df17a0767..354b9572b3a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json
@@ -2,20 +2,11 @@
 {
 "@timestamp": "2020-07-28T13:22:18.7993488Z",
 "event": {
- "action": "permissions-changed",
- "category": [
- "iam",
- "configuration"
- ],
+ "action": "Authorization Policy Change",
 "code": "4670",
 "kind": "event",
- "module": "security",
 "outcome": "success",
- "provider": "Microsoft-Windows-Security-Auditing",
- "type": [
- "admin",
- "change"
- ]
+ "provider": "Microsoft-Windows-Security-Auditing"
 },
 "host": {
 "name": "WIN-BVM4LI1L1Q6.TEST.local"
@@ -23,19 +14,7 @@
 "log": {
 "level": "information"
 },
- "process": {
- "executable": "C:\\Windows\\System32\\services.exe",
- "name": "services.exe",
- "pid": 764
- },
- "related": {
- "user": "WIN-BVM4LI1L1Q6$"
- },
- "user": {
- "domain": "TEST",
- "id": "S-1-5-18",
- "name": "WIN-BVM4LI1L1Q6$"
- },
+ "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
 "winlog": {
 "api": "wineventlog",
 "channel": "Security",
@@ -43,15 +22,12 @@ "event_data": { "HandleId": "0x56c", "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", - "NewSdDacl0": "Local system :Access Allowed (Generic All)", - "NewSdDacl1": "OW :Access Allowed (Read Permissions)", - "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed (Generic All)", "ObjectName": "-", "ObjectServer": "Security", "ObjectType": "Token", "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", - "OldSdDacl0": "Local system :Access Allowed (Generic All)", - "OldSdDacl1": "Network service account :Access Allowed (Generic All)", + "ProcessId": "0x2fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "TEST", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-BVM4LI1L1Q6$", @@ -61,9 +37,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 4, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json index 8f81e3e5f42..f16352f0a1b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-07-27T09:42:48.3690009Z", "event": { - "action": "domain-trust-added", - "category": [ - "configuration" - ], + "action": "Authentication Policy Change", "code": "4706", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "creation" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" 
@@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, + "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled", "winlog": { "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", "api": "wineventlog", @@ -50,9 +36,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x6a868" - }, "opcode": "Info", "process": { "pid": 776, @@ -63,10 +46,7 @@ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 6017, - "task": "Authentication Policy Change", - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT" + "task": "Authentication Policy Change" } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json index 71e408d7aba..4afbc8e37e5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2020-07-28T06:18:04.600444Z", "event": { - "action": "domain-trust-removed", - "category": [ - "configuration" - ], + "action": "Authentication Policy Change", "code": "4707", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, + "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0", "winlog": { "api": "wineventlog", "channel": "Security", @@ -45,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x6a868" - }, "opcode": "Info", "process": { "pid": 776, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json index 0c935d1c79b..d661971b2d5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2020-07-28T10:15:43.4951882Z", "event": { - "action": "kerberos-policy-changed", - "category": [ - "configuration" - ], + "action": "Authentication Policy Change", "code": "4713", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", "winlog": { "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", "api": "wineventlog", @@ -45,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 776, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json index 854155dd9b7..40c587f11f4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2020-07-28T08:17:00.4706442Z", "event": { - "action": "trusted-domain-information-changed", - "category": [ - "configuration" - ], + "action": "Authentication Policy Change", "code": "4716", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, + "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-", "winlog": { "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", "api": "wineventlog", @@ -50,9 +36,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x6a868" - }, "opcode": "Info", "process": { "pid": 776, @@ -63,10 +46,7 @@ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 14929, - "task": "Authentication Policy Change", - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", - "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT" + "task": "Authentication Policy Change" } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json index b8cdb29aef6..59b512bf45d 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-07-27T09:30:41.9034803Z", "event": { - "action": "system-security-access-granted", - "category": [ - "iam", - "configuration" - ], + "action": "Authentication Policy Change", "code": "4717", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6" @@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight", "winlog": { "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", "api": "wineventlog", @@ -48,9 +32,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 776, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json index f6a9d5e5f11..136e11b2fcb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json 
@@ -2,20 +2,11 @@ { "@timestamp": "2020-07-27T09:30:41.8778082Z", "event": { - "action": "system-security-access-removed", - "category": [ - "iam", - "configuration" - ], + "action": "Authentication Policy Change", "code": "4718", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6" @@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", "winlog": { "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", "api": "wineventlog", @@ -48,9 +32,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 776, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json index 98dfdac7e0c..073122df8dd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4719.evtx.golden.json 
@@ -2,20 +2,11 @@ { "@timestamp": "2019-11-07T15:22:57.6553291Z", "event": { - "action": "changed-audit-config", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4719", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-41OB2LO92CR$" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0cce9243-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", "winlog": { "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", "api": "wineventlog", @@ -38,13 +22,7 @@ "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { "AuditPolicyChanges": "%%8449, %%8451", - "AuditPolicyChangesDescription": [ - "Success Added", - "Failure Added" - ], - "Category": "Logon/Logoff", "CategoryId": "%%8273", - "SubCategory": "Network Policy Server", "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", "SubcategoryId": "%%12552", "SubjectDomainName": "WLBEAT", @@ -56,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json index 67de3cde4ec..19d1bc6220f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-18T13:45:57.4803543Z", "event": { - "action": "changed-audit-config", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4719", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500", - "name": "Administrator" - }, + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44D7D\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0cce9227-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess removed", "winlog": { "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", "api": "wineventlog", @@ -38,12 +22,7 @@ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { "AuditPolicyChanges": "%%8448", - "AuditPolicyChangesDescription": [ - "Success removed" - ], - "Category": "Object Access", "CategoryId": "%%8274", - "SubCategory": "Other Object Access Events", "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", "SubcategoryId": "%%12804", "SubjectDomainName": "TEST", @@ -55,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x44d7d" - }, "opcode": "Info", "process": { "pid": 780, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json index 5f42d66c8b7..d6264bc9d77 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-07-27T09:34:50.1578005Z", "event": { - "action": "domain-policy-changed", - "category": [ - "configuration" - ], + "action": "Authentication Policy Change", "code": "4739", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -52,9 +38,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 776, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json index 6a63c8b5498..87b50d46fe9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4741.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-12-18T16:22:12.3112534Z", "event": { - "action": "added-computer-account", - "category": [ - "iam" - ], + "action": "Computer Account Management", "code": "4741", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "creation", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -22,22 +14,10 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", - "computerObject": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902", - "name": "TESTCOMPUTEROBJ$" - }, "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { "AccountExpires": "%%1794", @@ -47,17 +27,11 @@ "HomeDirectory": "-", "HomePath": "-", "LogonHours": "%%1793", - "NewUACList": [ - "SCRIPT", - "ENCRYPTED_TEXT_PWD_ALLOWED" - ], "NewUacValue": "0x85", "OldUacValue": "0x0", "PasswordLastSet": "%%1794", "PrimaryGroupId": "515", - "PrivilegeList": [ - "-" - ], + "PrivilegeList": "-", "ProfilePath": "-", "SamAccountName": "TESTCOMPUTEROBJ$", "ScriptPath": "-", 
@@ -70,11 +44,7 @@ "TargetDomainName": "TEST", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", - "UserAccountControl": [ - "2080", - "2082", - "2087" - ], + "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2087", "UserParameters": "-", "UserPrincipalName": "-", "UserWorkstations": "-" @@ -83,9 +53,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json index f082165f553..e316d4c3797 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4742.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-12-18T16:22:12.3425087Z", "event": { - "action": "changed-computer-account", - "category": [ - "iam" - ], + "action": "Computer Account Management", "code": "4742", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
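Review bot: The 4741 fixture hunk `@@ -70,11 +44,7 @@` now pins `event_data.UserAccountControl` to `"\n\t\t%%2080\n\t\t%%2082\n\t\t%%2087"`, i.e. unresolved `%%NNNN` parameter-string references, while the rendered `message` in the preceding hunk does resolve them (`Account Disabled`, `'Password Not Required' - Enabled`, `'Workstation Trust Account' - Enabled`); the same file also loses the decoded `NewUACList` and collapses `PrivilegeList` from a list to `"-"`. Together with the normalized ECS fields removed earlier in this file (`event.action: added-computer-account`, `event.category`/`event.type`, `user.*`, `related.user`, `winlog.computerObject`, `winlog.logon.id`), this means detection content keyed on decoded UAC flag names or on those ECS values will not match the output these goldens now describe. If that decoding and normalization has moved to an ingest pipeline outside this diff, the pipeline output needs its own golden or test, because a regression in the `%%NNNN` resolution or the UAC-to-flag mapping is invisible to a fixture that accepts the raw placeholders. If raw `event_data` is the intended contract for this test, it is worth stating that in the test that generates these fixtures so the unresolved placeholders are not mistaken for a rendering bug.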
@@ -22,22 +14,10 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", - "computerObject": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902", - "name": "TESTCOMPUTEROBJ$" - }, "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { "AccountExpires": "-", @@ -48,16 +28,11 @@ "HomeDirectory": "-", "HomePath": "-", "LogonHours": "-", - "NewUACList": [ - "ENCRYPTED_TEXT_PWD_ALLOWED" - ], "NewUacValue": "0x84", "OldUacValue": "0x85", "PasswordLastSet": "-", "PrimaryGroupId": "-", - "PrivilegeList": [ - "-" - ], + "PrivilegeList": "-", "ProfilePath": "-", "SamAccountName": "-", "ScriptPath": "-", 
@@ -70,9 +45,7 @@ "TargetDomainName": "TEST", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", - "UserAccountControl": [ - "2048" - ], + "UserAccountControl": "\n\t\t%%2048", "UserParameters": "-", "UserPrincipalName": "-", "UserWorkstations": "-" @@ -81,9 +54,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json index dac7143a053..548e0508f84 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4743.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-12-18T16:25:21.5781833Z", "event": { - "action": "deleted-computer-account", - "category": [ - "iam" - ], + "action": "Computer Account Management", "code": "4743", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "deletion", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -22,27 +14,13 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", - "computerObject": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902", - "name": "TESTCOMPUTEROBJ$" - }, "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { - "PrivilegeList": [ - "-" - ], + "PrivilegeList": "-", "SubjectDomainName": "TEST", "SubjectLogonId": "0x2e67800", "SubjectUserName": "at_adm", @@ -55,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json index 21d74faa49e..60e7ce71869 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4744.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-18T16:26:46.8744233Z", "event": { - "action": "added-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4744", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json index 243a144f3bd..a16ffee64d5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4745.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-18T16:29:05.0175739Z", "event": { - "action": "changed-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4745", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json index b6187500440..c6db9e34a73 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4746.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-18T16:31:01.6117458Z", "event": { - "action": "added-member-to-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4746", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json index 712f63844ee..b023a51a0b8 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4747.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-18T16:35:16.6816525Z", "event": { - "action": "removed-member-from-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4747", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json index d7c141fafb3..8128bb7e5b4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4748.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:01:45.9824133Z", "event": { - "action": "deleted-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4748", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903", - "name": "testdistlocal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json index 5e6814e3ca1..befee4e3a70 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4749.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:03:42.7234679Z", "event": { - "action": "added-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4749", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json index 078264fa437..1208e6795fb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4750.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:10:57.4737631Z", "event": { - "action": "changed-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4750", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json index f2d158c8ef9..8e5bbf3ec05 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4751.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:20:29.0889568Z", "event": { - "action": "added-member-to-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4751", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json index 4da882d11c7..beccfa4f1e9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4752.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:21:23.6444225Z", "event": { - "action": "removed-member-from-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4752", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json index 03fc30897eb..155347456dd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4753.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:24:36.5952761Z", "event": { - "action": "deleted-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4753", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904", - "name": "testglobal1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json index 3d187783ada..0767acdc651 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4759.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:26:26.1432582Z", "event": { - "action": "added-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4759", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json index 0ebcf954136..89f70d8faca 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4760.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:28:21.0305977Z", "event": { - "action": "changed-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4760", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json index 4c79ebb81e2..c7935e8ace1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4761.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:29:38.4487328Z", "event": { - "action": "added-member-to-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4761", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json index e473bc5a443..60ea376b685 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4762.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:33:25.9678735Z", "event": { - "action": "removed-member-from-distribution-group", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4762", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,26 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "at_adm", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm", - "target": { - "domain": "SAAS", - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -67,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json index 7ccc6fd7af1..3a794e4426d 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4763.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-12-19T08:34:23.1623432Z", "event": { - "action": "deleted-distribution-group-account", - "category": [ - "iam" - ], + "action": "Distribution Group Management", "code": "4763", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905", - "name": "testuni2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2e67800" - }, "opcode": "Info", "process": { "pid": 492, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json index ee535792e69..1dc96389769 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json 
@@ -2,20 +2,11 @@ { "@timestamp": "2020-08-17T12:49:09.4942066Z", "event": { - "action": "object-audit-changed", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4817", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,17 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$", - "Administrator" - ] - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", "winlog": { "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", "api": "wineventlog", 
@@ -41,8 +22,6 @@ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", - "NewSdSacl0": "Administrator :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", - "NewSdSacl1": "S-1-5-21-2024912787-2692429404-2351956786-1000 :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", "ObjectName": "File", "ObjectServer": "LSA", "ObjectType": "Global SACL", @@ -55,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 776, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json index 8e8140a27ee..c2fca0a8ae7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-19T06:07:08.801981Z", "event": { - "action": "user-audit-policy-created", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4902", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "creation" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" 
@@ -23,6 +14,7 @@ "log": { "level": "information" }, + "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9FD2", "winlog": { "api": "wineventlog", "channel": "Security", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json index 8c11f07c03d..c393596c326 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-19T07:56:52.019802Z", "event": { - "action": "security-event-source-added", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4904", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,19 +14,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", - "name": "inetinfo.exe", - "pid": 3608 - }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", "winlog": { "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", "api": "wineventlog", 
@@ -44,6 +23,8 @@ "event_data": { "AuditSourceName": "IIS-METABASE", "EventSourceId": "0x460422", + "ProcessId": "0xe18", + "ProcessName": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", "SubjectDomainName": "TEST", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-BVM4LI1L1Q6$", @@ -53,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 784, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json index 4698280b181..b6121ab0db8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-19T07:56:51.5792901Z", "event": { - "action": "security-event-source-removed", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4905", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,19 +14,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 4964 - }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457B22", "winlog": { "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", "api": "wineventlog", 
@@ -44,6 +23,8 @@ "event_data": { "AuditSourceName": "IIS-METABASE", "EventSourceId": "0x457b22", + "ProcessId": "0x1364", + "ProcessName": "-", "SubjectDomainName": "TEST", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-BVM4LI1L1Q6$", @@ -53,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 784, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json index 4cb2d598a10..c228cc42f27 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-18T09:19:00.2372249Z", "event": { - "action": "crash-on-audit-changed", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4906", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,6 +14,7 @@ "log": { "level": "information" }, + "message": "The CrashOnAuditFail value has changed.\n\nNew Value of CrashOnAuditFail:\t1", "winlog": { "api": "wineventlog", "channel": "Security", diff --git a/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json index 14d46cdaed9..2d95363f93e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json 
@@ -2,20 +2,11 @@ { "@timestamp": "2020-08-19T07:56:17.1121901Z", "event": { - "action": "audit-setting-changed", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4907", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" @@ -23,19 +14,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", - "name": "TiWorker.exe", - "pid": 4300 - }, - "related": { - "user": "WIN-BVM4LI1L1Q6$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "WIN-BVM4LI1L1Q6$" - }, + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", "winlog": { "api": "wineventlog", "channel": "Security", 
@@ -43,10 +22,11 @@ "event_data": { "HandleId": "0x93c", "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "NewSdSacl0": "Everyone :System Audit (Delete All Child Objects,List Contents,Read All Properties,All Extended Rights,Delete,Modify Permissions,Modify Owner)", "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", "ObjectServer": "Security", "ObjectType": "File", + "ProcessId": "0x10cc", + "ProcessName": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", "SubjectDomainName": "TEST", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-BVM4LI1L1Q6$", @@ -56,9 +36,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 4, diff --git a/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json index 95226ee04fe..283fe0bf3ea 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-08-19T06:07:25.0461779Z", "event": { - "action": "special-group-table-changed", - "category": [ - "iam", - "configuration" - ], + "action": "Audit Policy Change", "code": "4908", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-BVM4LI1L1Q6.TEST.local" 
@@ -23,20 +14,13 @@ "log": { "level": "information" }, + "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { - "SidList": [ - "", - "%{S-1-5-32-544}", - "%{S-1-5-32-123-54-65}" - ], - "SidListDesc": [ - "Administrators", - "S-1-5-32-123-54-65" - ] + "SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}" }, "event_id": "4908", "keywords": [ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json index 58c8cf3a943..60cc5ec5249 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-04-06T06:39:04.5491199Z", "event": { - "action": "privileged-service-called", - "category": [ - "iam" - ], + "action": "Sensitive Privilege Use", "code": "4673", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,28 +14,16 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\lsass.exe", - "name": "lsass.exe", - "pid": 496 - }, - "related": { - "user": "DC_TEST2K12$" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-18", - "name": "DC_TEST2K12$" - }, + "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { "ObjectServer": "NT Local Security Authority / Authentication Service", - "PrivilegeList": [ - "SeTcbPrivilege" - ], + "PrivilegeList": "SeTcbPrivilege", + "ProcessId": "0x1f0", + "ProcessName": "C:\\Windows\\System32\\lsass.exe", "Service": "LsaRegisterLogonProcess()", "SubjectDomainName": "TEST", "SubjectLogonId": "0x3e7", @@ -53,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json index ed2322be1d0..d468e326678 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4674.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2020-04-06T06:38:31.1087891Z", "event": { - "action": "privileged-operation", - "category": [ - "iam" - ], + "action": "Sensitive Privilege Use", "code": "4674", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,39 +14,20 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 884 - }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8AA365B\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { - "AccessMask": [ - "1538", - "1542" - ], - "AccessMaskDescription": [ - "READ_CONTROL", - "ACCESS_SYS_SEC" - ], + "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", "HandleId": "0x1ee0", "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", "ObjectServer": "Security", "ObjectType": "File", - "PrivilegeList": [ - "SeSecurityPrivilege" - ], + "PrivilegeList": "SeSecurityPrivilege", + "ProcessId": "0x374", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "SubjectDomainName": "TEST", "SubjectLogonId": "0x8aa365b", "SubjectUserName": "at_adm", @@ -63,9 +37,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x8aa365b" - }, "opcode": "Info", "process": { "pid": 496, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json index ba39ae77524..875004f1077 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-02T14:34:08.8896056Z", "event": { - "action": "service-installed", - "category": [ - "iam", - "configuration" - ], + "action": "Security System Extension", "code": "4697", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -23,18 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "service": { - "name": "winlogbeat", - "type": "Win32 Own Process" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4C323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", "winlog": { "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", "api": "wineventlog", 
@@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4c323" - }, "opcode": "Info", "process": { "pid": 792, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json index 91f5f7b2623..20549b99df4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4698.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-01T14:34:34.6061085Z", "event": { - "action": "scheduled-task-created", - "category": [ - "iam", - "configuration" - ], + "action": "Other Object Access Events", "code": "4698", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "creation", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n 
\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { "api": "wineventlog", "channel": "Security", @@ -47,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ca6" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json index 6698fcaa505..892782dc7dd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4699.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-01T14:35:47.822282Z", "event": { - "action": "scheduled-task-deleted", - "category": [ - "iam", - "configuration" - ], + "action": "Other Object Access Events", "code": "4699", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "deletion", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n 
\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { "api": "wineventlog", "channel": "Security", @@ -47,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ca6" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json index 6dddbae12c0..4bca5b681ef 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4700.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-01T14:35:14.8732455Z", "event": { - "action": "scheduled-task-enabled", - "category": [ - "iam", - "configuration" - ], + "action": "Other Object Access Events", "code": "4700", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n 
\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { "api": "wineventlog", "channel": "Security", @@ -47,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ca6" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json index 84053e9367b..73bd8327834 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4701.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-01T14:35:04.7030004Z", "event": { - "action": "scheduled-task-disabled", - "category": [ - "iam", - "configuration" - ], + "action": "Other Object Access Events", "code": "4701", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n 
\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { "api": "wineventlog", "channel": "Security", @@ -47,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ca6" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json index ff7b0391d18..d1de2298e1f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4702.evtx.golden.json @@ -2,20 +2,11 @@ { "@timestamp": "2020-04-01T14:35:36.2637108Z", "event": { - "action": "scheduled-task-updated", - "category": [ - "iam", - "configuration" - ], + "action": "Other Object Access Events", "code": "4702", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "change", - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -23,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n 
\u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { "api": "wineventlog", "channel": "Security", @@ -47,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ca6" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json index d91d0349720..1ca523c9348 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-04-01T08:45:44.1717416Z", "event": { - "action": "kerberos-authentication-ticket-requested", - "category": [ - "authentication" - ], + "action": "Kerberos Authentication Service", "code": "4768", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,41 +14,23 @@ "log": { "level": "information" }, - "related": { - "ip": "::1", - "user": "at_adm" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", - "name": "at_adm" - }, + "message": "A Kerberos authentication ticket (TGT) was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm\n\tSupplied Realm Name:\tTEST.SAAS\n\tUser ID:\t\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tResult Code:\t\t0x0\n\tTicket Encryption Type:\t0x12\n\tPre-Authentication Type:\t2\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number:\t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { + "IpAddress": "::1", + "IpPort": "0", "PreAuthType": "2", "ServiceName": "krbtgt", "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", "Status": "0x0", - "StatusDescription": "KDC_ERR_NONE", "TargetDomainName": "TEST.SAAS", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", "TargetUserName": "at_adm", "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", - "TicketOptions": "0x40810010", - "TicketOptionsDescription": [ - "Renewable-ok", - "Name-canonicalize", - "Renewable", - "Forwardable" - ] + "TicketOptions": "0x40810010" }, "event_id": "4768", "keywords": [ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json index 064cbd79ae3..9f66d92329d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-04-01T08:45:44.1717416Z", "event": { - "action": "kerberos-service-ticket-requested", - "category": [ - "authentication" - ], + "action": "Kerberos Service Ticket Operations", "code": "4769", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,38 +14,22 @@ "log": { "level": "information" }, - "related": { - "ip": "::1", - "user": "at_adm" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "name": "at_adm" - }, + "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46f85809-d26e-96f5-fbf2-73bd761a2d68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { + "IpAddress": "::1", + "IpPort": "0", "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", "ServiceName": "DC_TEST2K12$", "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", "Status": "0x0", - "StatusDescription": "KDC_ERR_NONE", "TargetDomainName": "TEST.SAAS", "TargetUserName": "at_adm@TEST.SAAS", "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", "TicketOptions": "0x40810000", - "TicketOptionsDescription": [ - "Name-canonicalize", - "Renewable", - "Forwardable" - ], "TransmittedServices": "-" }, "event_id": "4769", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json index 49db848f27a..120b9547367 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-04-01T07:32:55.0104462Z", "event": { - "action": "kerberos-service-ticket-renewed", - "category": [ - "authentication" - ], + "action": "Kerberos Service Ticket Operations", "code": "4770", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,34 +14,20 @@ "log": { "level": "information" }, - "related": { - "ip": "::1", - "user": "DC_TEST2K12$" - }, - "source": { - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "TEST.SAAS", - "name": "DC_TEST2K12$" - }, + "message": "A Kerberos service ticket was renewed.\n\nAccount Information:\n\tAccount Name:\t\tDC_TEST2K12$@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x10002\n\tTicket Encryption Type:\t0x12\n\nTicket options and encryption types are defined in RFC 4120.", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { + "IpAddress": "::1", + "IpPort": "0", "ServiceName": "krbtgt", "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", "TargetDomainName": "TEST.SAAS", "TargetUserName": "DC_TEST2K12$@TEST.SAAS", "TicketEncryptionType": "0x12", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", - "TicketOptions": "0x10002", - "TicketOptionsDescription": [ - "Renew", - "Name-canonicalize" - ] + "TicketOptions": "0x10002" }, "event_id": "4770", "keywords": [ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json index ccfaf136948..d206f98b3a7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2020-03-31T07:50:27.1681182Z", "event": { - "action": "kerberos-preauth-failed", - "category": [ - "authentication" - ], + "action": "Kerberos Authentication Service", "code": "4771", "kind": "event", - "module": "security", "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" 
@@ -21,36 +14,20 @@ "log": { "level": "information" }, - "related": { - "ip": "192.168.5.44", - "user": "MPUIG" - }, - "source": { - "ip": "192.168.5.44", - "port": 53366 - }, - "user": { - "id": "S-1-5-21-1717121054-434620538-60925301-3057", - "name": "MPUIG" - }, + "message": "Kerberos pre-authentication failed.\n\nAccount Information:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-3057\n\tAccount Name:\t\tMPUIG\n\nService Information:\n\tService Name:\t\tkrbtgt/test.saas\n\nNetwork Information:\n\tClient Address:\t\t::ffff:192.168.5.44\n\tClient Port:\t\t53366\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x12\n\tPre-Authentication Type:\t0\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number: \t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\n\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { + "IpAddress": "::ffff:192.168.5.44", + "IpPort": "53366", "PreAuthType": "0", "ServiceName": "krbtgt/test.saas", "Status": "0x12", - "StatusDescription": "KDC_ERR_CLIENT_REVOKED", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", "TargetUserName": "MPUIG", - "TicketOptions": "0x40810010", - "TicketOptionsDescription": [ - "Renewable-ok", - "Name-canonicalize", - "Renewable", - "Forwardable" - ] + "TicketOptions": "0x40810010" }, "event_id": "4771", "keywords": [ diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json index 1c6fd453275..618462ebfcc 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2020-04-01T08:45:42.1873153Z", "event": { - "action": "credential-validated", - "category": [ - "authentication" - ], + "action": "Credential Validation", "code": "4776", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -21,12 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "at_adm" - }, - "user": { - "name": "at_adm" - }, + "message": "The computer attempted to validate the credentials for an account.\n\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tat_adm\nSource Workstation:\tEQP01777\nError Code:\t0x0", "winlog": { "api": "wineventlog", "channel": "Security", @@ -41,11 +29,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "failure": { - "status": "Status OK." - } - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index 54160cc68e9..6252de2b248 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2020-04-05T16:33:32.3888253Z", "event": { - "action": "session-reconnected", - "category": [ - "authentication", - "session" - ], + "action": "Other Logon/Logoff Events", "code": "4778", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -22,18 +14,7 @@ "log": { "level": "information" }, - "related": { - "ip": "10.100.150.9", - "user": "at_adm" - }, - "source": { - "domain": "EQP01777", - "ip": "10.100.150.9" - }, - "user": { - "domain": "TEST", - "name": "at_adm" - }, + "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76FEA87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -50,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x76fea87" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 7f753b7e5fe..32121d9b7fb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2020-04-03T10:18:01.8822336Z", "event": { - "action": "session-disconnected", - "category": [ - "authentication", - "session" - ], + "action": "Other Logon/Logoff Events", "code": "4779", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "DC_TEST2k12.TEST.SAAS" @@ -22,18 +14,7 @@ "log": { "level": "information" }, - "related": { - "ip": "10.100.150.17", - "user": "at_adm" - }, - "source": { - "domain": "EQP01777", - "ip": "10.100.150.17" - }, - "user": { - "domain": "TEST", - "name": "at_adm" - }, + "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CCB\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -50,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x60d1ccb" - }, "opcode": "Info", "process": { "pid": 496, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json index cc4d8079f0b..cd8ab55a9fe 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2019-03-29T21:10:39.7868321Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -21,22 +14,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -51,6 +29,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -65,10 +45,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -86,18 +62,11 @@ { "@timestamp": "2019-03-29T21:10:40.2555609Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -105,22 +74,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -135,6 +89,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -149,10 +105,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -170,18 +122,11 @@ { "@timestamp": "2019-03-29T21:10:40.3805426Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -189,28 +134,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 448 - }, - "related": { - "ip": "127.0.0.1", - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ] - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "127.0.0.1", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -218,11 +142,15 @@ "event_data": { "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833", + "IpAddress": "127.0.0.1", + "IpPort": "0", "KeyLength": "0", "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "User32 ", "LogonType": "2", + "ProcessId": "0x1c0", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -231,16 +159,13 @@ "TargetLogonId": "0x1008e", "TargetUserName": "vagrant", "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" + "TransmittedServices": "-", + "WorkstationName": "VAGRANT-2012-R2" }, "event_id": "4624", "keywords": [ "Audit Success" ], - "logon": { - "id": "0x1008e", - "type": "Interactive" - }, "opcode": "Info", "process": { "pid": 516, 
@@ -258,18 +183,11 @@ { "@timestamp": "2019-03-29T21:10:40.5055514Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -277,22 +195,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -307,6 +210,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -321,10 +226,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -342,18 +243,11 @@ { "@timestamp": "2019-03-29T21:10:40.6305447Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -361,19 +255,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": "ANONYMOUS LOGON" - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-7", - "name": "ANONYMOUS LOGON" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129F1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -388,6 +270,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", @@ -402,10 +286,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x129f1", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 516, @@ -423,18 +303,11 @@ { "@timestamp": "2019-03-29T21:10:53.6617957Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -442,19 +315,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28D31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -469,6 +330,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", @@ -483,10 +346,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x28d31", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 516, @@ -504,18 +363,11 @@ { "@timestamp": "2019-03-29T21:10:54.6618303Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -523,19 +375,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29F0F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -550,6 +390,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", @@ -564,10 +406,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x29f0f", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 516, @@ -585,18 +423,11 @@ { "@timestamp": "2019-03-29T21:10:55.4587259Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -604,19 +435,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2A362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -631,6 +450,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", @@ -645,10 +466,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x2a362", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 516, @@ -666,18 +483,11 @@ { "@timestamp": "2019-03-29T21:13:17.3025591Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -685,22 +495,7 @@ "log": { "level": "information" }, - "process": { - "executable": "-", - "name": "-", - "pid": 0 - }, - "related": { - "user": "vagrant" - }, - "source": { - "domain": "127.0.0.1" - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324F8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -715,6 +510,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", "LogonType": "3", + "ProcessId": "0x0", + "ProcessName": "-", "SubjectDomainName": "-", "SubjectLogonId": "0x0", "SubjectUserName": "-", @@ -723,16 +520,13 @@ "TargetLogonId": "0x324f8", "TargetUserName": "vagrant", "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" + "TransmittedServices": "-", + "WorkstationName": "127.0.0.1" }, "event_id": "4624", "keywords": [ "Audit Success" ], - "logon": { - "id": "0x324f8", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 516, @@ -750,18 +544,11 @@ { "@timestamp": "2019-03-29T21:13:17.5213056Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -769,22 +556,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2812 - }, - "related": { - "user": [ - "DWM-2", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "Window Manager", - "id": "S-1-5-90-2", - "name": "DWM-2" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -799,6 +571,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "2", + "ProcessId": "0xafc", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -813,10 +587,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x33444", - "type": "Interactive" - }, "opcode": "Info", "process": { "pid": 516, @@ -834,18 +604,11 @@ { "@timestamp": "2019-03-29T21:13:17.6149946Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -853,28 +616,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2812 - }, - "related": { - "ip": "10.0.2.2", - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ] - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "10.0.2.2", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "name": "vagrant" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -882,11 +624,15 @@ "event_data": { "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833", + "IpAddress": "10.0.2.2", + "IpPort": "0", "KeyLength": "0", "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "User32 ", "LogonType": "10", + "ProcessId": "0xafc", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -895,16 +641,13 @@ "TargetLogonId": "0x3444f", "TargetUserName": "vagrant", "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "TransmittedServices": "-" + "TransmittedServices": "-", + "WorkstationName": "VAGRANT-2012-R2" }, "event_id": "4624", "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3444f", - "type": "RemoteInteractive" - }, "opcode": "Info", "process": { "pid": 516, 
@@ -922,18 +665,11 @@ { "@timestamp": "2019-03-29T21:13:18.7869259Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -941,22 +677,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\winlogon.exe", - "name": "winlogon.exe", - "pid": 2188 - }, - "related": { - "user": [ - "DWM-3", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "Window Manager", - "id": "S-1-5-90-3", - "name": "DWM-3" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357FD\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -971,6 +692,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "2", + "ProcessId": "0x88c", + "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -985,10 +708,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x357fd", - "type": "Interactive" - }, "opcode": "Info", "process": { "pid": 516, @@ -1006,18 +725,11 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1025,22 +737,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1055,6 +752,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -1069,10 +768,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -1090,18 +785,11 @@ { "@timestamp": "2019-03-29T21:20:48.7402309Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1109,22 +797,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1139,6 +812,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -1153,10 +828,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -1174,18 +845,11 @@ { "@timestamp": "2019-03-29T21:20:50.5840151Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1193,22 +857,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1223,6 +872,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -1237,10 +888,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -1258,18 +905,11 @@ { "@timestamp": "2019-03-29T21:23:42.5201798Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1277,22 +917,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1307,6 +932,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -1321,10 +948,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -1342,18 +965,11 @@ { "@timestamp": "2019-03-29T21:26:24.1764267Z", "event": { - "action": "logged-in", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4624", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1361,22 +977,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 508 - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1391,6 +992,8 @@ "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", "LogonType": "5", + "ProcessId": "0x1fc", + "ProcessName": "C:\\Windows\\System32\\services.exe", "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", "SubjectUserName": "VAGRANT-2012-R2$", @@ -1405,10 +1008,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7", - "type": "Service" - }, "opcode": "Info", "process": { "pid": 516, @@ -1426,18 +1025,11 @@ { "@timestamp": "2019-03-29T21:45:35.177054Z", "event": { - "action": "logon-failed", - "category": [ - "authentication" - ], + "action": "Logon", "code": "4625", "kind": "event", - "module": "security", "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2012-r2" 
@@ -1445,25 +1037,7 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 836 - }, - "related": { - "ip": "::1", - "user": "bosch" - }, - "source": { - "domain": "VAGRANT-2012-R2", - "ip": "::1", - "port": 0 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-0-0", - "name": "bosch" - }, + "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -1471,10 +1045,14 @@ "event_data": { "AuthenticationPackageName": "Negotiate", "FailureReason": "%%2313", + "IpAddress": "::1", + "IpPort": "0", "KeyLength": "0", "LmPackageName": "-", "LogonProcessName": "seclogo", "LogonType": "2", + "ProcessId": "0x344", + "ProcessName": "C:\\Windows\\System32\\svchost.exe", "Status": "0xc000006d", "SubStatus": "0xc0000064", "SubjectDomainName": "VAGRANT-2012-R2", @@ -1484,21 +1062,13 @@ "TargetDomainName": "VAGRANT-2012-R2", "TargetUserName": "bosch", "TargetUserSid": "S-1-0-0", - "TransmittedServices": "-" + "TransmittedServices": "-", + "WorkstationName": "VAGRANT-2012-R2" }, "event_id": "4625", "keywords": [ "Audit Failure" ], - "logon": { - "failure": { - "reason": "Unknown user name or bad password.", - "status": "This is either due to a bad username or authentication information", - "sub_status": "User logon with misspelled or bad user account" - }, - "id": "0x1008e", - "type": "Interactive" - }, "opcode": "Info", "process": { "pid": 516, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json index 067fd84a092..ff7be09f6f2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2018-05-18T23:09:03.2086661Z", "event": { - "action": "logged-in-special", - "category": [ - "iam" - ], + "action": "Special Logon", "code": "4672", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant-2016" @@ -21,31 +14,14 @@ "log": { "level": "information" }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT-2016", - "id": "S-1-5-21-1766348727-1038078804-3833492317-1000", - "name": "vagrant" - }, + "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76A087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", "winlog": { "activity_id": "{3be96152-eefc-0002-c061-e93bfceed301}", "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2016", "event_data": { - "PrivilegeList": [ - "SeSecurityPrivilege", - "SeTakeOwnershipPrivilege", - "SeLoadDriverPrivilege", - "SeBackupPrivilege", - "SeRestorePrivilege", - "SeDebugPrivilege", - "SeSystemEnvironmentPrivilege", - "SeImpersonatePrivilege", - "SeDelegateSessionUserImpersonatePrivilege" - ], + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", "SubjectDomainName": "VAGRANT-2016", "SubjectLogonId": "0x76a087", "SubjectUserName": "vagrant", 
@@ -55,9 +31,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x76a087" - }, "opcode": "Info", "process": { "pid": 596, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json index 58ee48a1620..7832330412f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2019-05-17T11:06:58.210768Z", "event": { - "action": "logged-out", - "category": [ - "authentication" - ], + "action": "Logoff", "code": "4634", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -21,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "audittest" - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000", - "name": "audittest" - }, + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -44,10 +30,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x767a77", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 776, 
@@ -64,18 +46,11 @@ { "@timestamp": "2019-05-19T16:15:38.542273Z", "event": { - "action": "logged-out", - "category": [ - "authentication" - ], + "action": "Logoff", "code": "4634", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -83,14 +58,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -106,10 +74,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x104a4a6", - "type": "Network" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json index 5c8382b776e..f623d544d0e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:24:39.2933111Z", "event": { - "action": "added-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4720", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "creation" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -50,10 +27,6 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUACList": [ - "SCRIPT", - "LOCKOUT" - ], "NewUacValue": "0x15", "OldUacValue": "0x0", "PasswordLastSet": "%%1794", 
@@ -70,11 +43,7 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", "TargetUserName": "elastictest1", - "UserAccountControl": [ - "2080", - "2082", - "2084" - ], + "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", "UserParameters": "%%1793", "UserPrincipalName": "-", "UserWorkstations": "%%1793" @@ -83,9 +52,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -102,19 +68,11 @@ { "@timestamp": "2019-09-06T13:25:21.8672707Z", "event": { - "action": "added-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4720", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "creation" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -122,22 +80,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006", - "name": "audittest0609" - } - }, + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -150,10 +93,6 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUACList": [ - "SCRIPT", - "LOCKOUT" - ], "NewUacValue": "0x15", "OldUacValue": "0x0", "PasswordLastSet": "%%1794", 
@@ -170,11 +109,7 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", - "UserAccountControl": [ - "2080", - "2082", - "2084" - ], + "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", "UserParameters": "%%1793", "UserPrincipalName": "-", "UserWorkstations": "%%1793" @@ -183,9 +118,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json index 9e50bcb1a04..7a6369d697b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:28:46.1631928Z", "event": { - "action": "enabled-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4722", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000", - "name": "audittest" - } - }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -56,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -75,19 +49,11 @@ { "@timestamp": "2019-09-06T13:29:08.5737904Z", "event": { - "action": "enabled-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4722", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -95,22 +61,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006", - "name": "audittest0609" - } - }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -129,9 +80,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json index 73cf17f61eb..45bda06e097 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:32:13.8554125Z", "event": { - "action": "changed-password", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4723", "kind": "event", - "module": "security", "outcome": "failure", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,19 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - } - }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -54,9 +34,6 @@ "keywords": [ "Audit Failure" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -73,19 +50,11 @@ { "@timestamp": "2019-09-06T13:32:23.8855201Z", "event": { - "action": "changed-password", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4723", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -93,19 +62,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - } - }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -125,9 +82,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json index 5c5cbe31da8..c3121ff056b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:24:39.339071Z", "event": { - "action": "reset-password", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4724", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -56,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -75,19 +49,11 @@ { "@timestamp": "2019-09-06T13:25:21.9005914Z", "event": { - "action": "reset-password", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4724", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -95,22 +61,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006", - "name": "audittest0609" - } - }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -129,9 +80,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json index c25e266f83a..c36a9a4b955 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:28:40.0015275Z", "event": { - "action": "disabled-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4725", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000", - "name": "audittest" - } - }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -56,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -75,19 +49,11 @@ { "@timestamp": "2019-09-06T13:28:55.2644212Z", "event": { - "action": "disabled-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4725", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -95,22 +61,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006", - "name": "audittest0609" - } - }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -129,9 +80,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json index 7e9c82f86f6..3cc6039b21f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:35:25.5153959Z", "event": { - "action": "deleted-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4726", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest23" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1001", - "name": "audittest23" - } - }, + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -57,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -76,19 +50,11 @@ { "@timestamp": "2019-09-06T13:35:29.6900555Z", "event": { - "action": "deleted-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4726", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "deletion" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -96,22 +62,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000", - "name": "audittest" - } - }, + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -131,9 +82,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json index b0d74712ed9..718d9b0dfeb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:26:12.4955445Z", "event": { - "action": "added-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4727", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1110", - "name": "DnsUpdateProxy" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-41OB2LO92CR$" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, + "message": "A security-enabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x27438\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1110\n\tGroup Name:\t\tDnsUpdateProxy\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tDnsUpdateProxy\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x27438" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json index 59c58efcf4b..ee6e66a9c55 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:33:26.8613751Z", "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4728", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json index e3ac9be9101..a0a65b40c8c 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:33:45.5433159Z", "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4729", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json index bd9445230a3..874ec3c5971 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:34:01.6107262Z", "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4730", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json index cc5d7868300..97a3216b486 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:29:49.3586766Z", "event": { - "action": "added-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4731", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json index 1d97aa773ea..5302a537019 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:31:58.0398598Z", "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4732", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
@@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json index 9225f75661f..876f22bf384 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:32:14.8941288Z", "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4733", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json index 1831a592009..8a513e05f13 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:32:35.1274042Z", "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4734", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1v1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json index 019d650e000..067b2c67947 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:32:30.425487Z", "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4735", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111", - "name": "test_group1v1" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json index 8009d198537..1b8c86523b6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:33:57.2710608Z", "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4737", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json index 786a77df8db..067f7666da5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:36:17.5667652Z", "event": { - "action": "modified-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4738", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", 
@@ -51,10 +28,6 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUACList": [ - "LOCKOUT", - "NORMAL_ACCOUNT" - ], "NewUacValue": "0x210", "OldUacValue": "0x210", "PasswordLastSet": "6/9/2019 10:30:28", @@ -71,9 +44,7 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", "TargetUserName": "elastictest1", - "UserAccountControl": [ - "-" - ], + "UserAccountControl": "-", "UserParameters": "%%1793", "UserPrincipalName": "-", "UserWorkstations": "%%1793" @@ -82,9 +53,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, @@ -101,19 +69,11 @@ { "@timestamp": "2019-09-06T13:36:36.3634107Z", "event": { - "action": "modified-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4738", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -121,22 +81,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006", - "name": "audittest0609" - } - }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -150,10 +95,6 @@ "HomeDirectory": "%%1793", "HomePath": "%%1793", "LogonHours": "%%1797", - "NewUACList": [ - "LOCKOUT", - "NORMAL_ACCOUNT" - ], "NewUacValue": "0x210", "OldUacValue": "0x10", "PasswordLastSet": "6/9/2019 10:25:21", 
@@ -170,9 +111,7 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", - "UserAccountControl": [ - "2089" - ], + "UserAccountControl": "\n\t\t%%2089", "UserParameters": "%%1793", "UserPrincipalName": "-", "UserWorkstations": "%%1793" @@ -181,9 +120,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json index 1c91cbf9cee..567fc6b451c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:39:43.0856521Z", "event": { - "action": "locked-out-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4740", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" 
@@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -56,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json index 6e6839ba380..d0dab573e83 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:34:33.783048Z", "event": { - "action": "added-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4754", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "creation" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
@@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json index c5102a88701..e77ca5006b4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:35:09.0701134Z", "event": { - "action": "modified-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4755", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
@@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json index 5ffb623eb18..8c3c76be483 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:34:58.4130288Z", "event": { - "action": "added-member-to-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4756", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
@@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "name": "Administrator" - } - }, + "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json index 40cbe2246a4..caf16c483e2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:35:09.0701919Z", "event": { - "action": "removed-member-from-group", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4757", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,23 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "local", - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" - }, - "name": "Administrator" - } - }, + "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -64,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json index 65df4a27ada..9eb30b44795 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:35:13.5502867Z", "event": { - "action": "deleted-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4758", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "deletion" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113", - "name": "Test_group3v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -53,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json index 76d78d4ff4e..d03794d48f3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.evtx.golden.json @@ -2,24 +2,11 @@ { "@timestamp": "2019-10-22T11:33:57.271141Z", "event": { - "action": "type-changed-group-account", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4764", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "change" - ] - }, - "group": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112", - "name": "test_group2v2" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "api": "wineventlog", "channel": "Security", @@ -54,9 +34,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x4a727" - }, "opcode": "Info", "process": { "pid": 772, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json index 75feedba72a..78d7902fc75 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:40:52.3149485Z", "event": { - "action": "unlocked-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4767", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "user": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -56,9 +33,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json index 95d2603832a..2895c8eb423 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json @@ -2,19 +2,11 @@ { "@timestamp": "2019-09-06T13:38:17.5566269Z", "event": { - "action": "renamed-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4781", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -22,24 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest06", - "audittest0609" - ] - }, - "user": { - "changes": { - "name": "audittest06" - }, - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "name": "audittest0609" - } - }, + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -60,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, 
@@ -79,19 +51,11 @@ { "@timestamp": "2019-09-06T13:38:23.5161066Z", "event": { - "action": "renamed-user-account", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4781", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "change" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -99,24 +63,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "Administrator", - "audittest0609", - "audittest06" - ] - }, - "user": { - "changes": { - "name": "audittest0609" - }, - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator", - "target": { - "name": "audittest06" - } - }, + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "api": "wineventlog", @@ -137,9 +84,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x264b2" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json index 385560f46b0..5cb8bf3e03e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2019-10-08T10:20:34.0535453Z", "event": { - "action": "group-membership-enumerated", - "category": [ - "iam" - ], + "action": "User Account Management", "code": "4798", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "user", - "info" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -22,22 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$", - "target": { - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005", - "name": "elastictest1" - } - }, + "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe", "winlog": { "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", "api": "wineventlog", @@ -58,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json index 58c1703e50d..73e2d0b83f3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.evtx.golden.json 
@@ -2,24 +2,11 @@ { "@timestamp": "2019-10-08T10:20:44.4724208Z", "event": { - "action": "user-member-enumerated", - "category": [ - "iam" - ], + "action": "Security Group Management", "code": "4799", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "group", - "info" - ] - }, - "group": { - "domain": "Builtin", - "id": "S-1-5-32-544", - "name": "Administrators" + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR" @@ -27,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "WIN-41OB2LO92CR$" - }, - "user": { - "domain": "WORKGROUP", - "id": "S-1-5-18", - "name": "WIN-41OB2LO92CR$" - }, + "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe", "winlog": { "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", "api": "wineventlog", @@ -55,9 +35,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x3e7" - }, "opcode": "Info", "process": { "pid": 780, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json index 167c80da0b1..917749bec45 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4964.evtx.golden.json 
@@ -2,19 +2,11 @@ { "@timestamp": "2020-03-21T23:50:34.347458Z", "event": { - "action": "logged-in-special", - "category": [ - "iam" - ], + "action": "Special Logon", "code": "4964", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "group" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" @@ -22,14 +14,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", "winlog": { "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}", "api": "wineventlog", @@ -52,9 +37,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x1d22ed" - }, "opcode": "Info", "process": { "pid": 788, @@ -71,19 +53,11 @@ { "@timestamp": "2020-03-24T16:36:59.5703294Z", "event": { - "action": "logged-in-special", - "category": [ - "iam" - ], + "action": "Special Logon", "code": "4964", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "admin", - "group" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "WIN-41OB2LO92CR.wlbeat.local" 
@@ -91,14 +65,7 @@ "log": { "level": "information" }, - "related": { - "user": "Administrator" - }, - "user": { - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "name": "Administrator" - }, + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7C0BE\n\tLogon GUID:\t{38fec9bc-577f-76f6-5d29-e0175ce19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", "winlog": { "activity_id": "{a22b4bf4-ffdc-0000-ee4d-2ba2dcffd501}", "api": "wineventlog", @@ -121,9 +88,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x7c0be" - }, "opcode": "Info", "process": { "pid": 784, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json index 6290dc3226a..1c49eefb442 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json 
@@ -2,18 +2,11 @@ { "@timestamp": "2019-11-14T17:10:15.1515514Z", "event": { - "action": "created-process", - "category": [ - "process" - ], + "action": "Process Creation", "code": "4688", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "start" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant" 
@@ -21,33 +14,7 @@ "log": { "level": "information" }, - "process": { - "args": [ - "C:\\Windows\\system32\\wevtutil.exe", - "cl", - "Security" - ], - "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", - "executable": "C:\\Windows\\System32\\wevtutil.exe", - "name": "wevtutil.exe", - "parent": { - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "name": "powershell.exe", - "pid": 4652 - }, - "pid": 4556 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "effective": { - "id": "S-1-0-0" - }, - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "name": "vagrant" - }, + "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", "winlog": { "api": "wineventlog", "channel": "Security", @@ -55,6 +22,9 @@ "event_data": { "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", "MandatoryLabel": "S-1-16-12288", + "NewProcessId": "0x11cc", + "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe", + "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": "0x122c", "SubjectDomainName": "VAGRANT", "SubjectLogonId": "0x274a2", @@ -70,9 +40,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x274a2" - }, "opcode": "Info", "process": { "pid": 4, diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json index 5e20ec050f6..2869ca32749 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json @@ -2,18 +2,11 @@ { "@timestamp": "2019-11-14T21:26:49.4961966Z", "event": { - "action": "exited-process", - "category": [ - "process" - ], + "action": "Process Termination", "code": "4689", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant" 
@@ -21,24 +14,14 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\wevtutil.exe", - "name": "wevtutil.exe", - "pid": 5412 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "name": "vagrant" - }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { + "ProcessId": "0x1524", + "ProcessName": "C:\\Windows\\System32\\wevtutil.exe", "Status": "0x0", "SubjectDomainName": "VAGRANT", "SubjectLogonId": "0x274a2", @@ -49,9 +32,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x274a2" - }, "opcode": "Info", "process": { "pid": 4, @@ -68,18 +48,11 @@ { "@timestamp": "2019-11-14T21:27:46.9609089Z", "event": { - "action": "exited-process", - "category": [ - "process" - ], + "action": "Process Termination", "code": "4689", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant" 
@@ -87,24 +60,14 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\taskhostw.exe", - "name": "taskhostw.exe", - "pid": 3988 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "name": "vagrant" - }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { + "ProcessId": "0xf94", + "ProcessName": "C:\\Windows\\System32\\taskhostw.exe", "Status": "0x0", "SubjectDomainName": "VAGRANT", "SubjectLogonId": "0x274f1", @@ -115,9 +78,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x274f1" - }, "opcode": "Info", "process": { "pid": 4, @@ -134,18 +94,11 @@ { "@timestamp": "2019-11-14T21:28:18.4605129Z", "event": { - "action": "exited-process", - "category": [ - "process" - ], + "action": "Process Termination", "code": "4689", "kind": "event", - "module": "security", "outcome": "success", - "provider": "Microsoft-Windows-Security-Auditing", - "type": [ - "end" - ] + "provider": "Microsoft-Windows-Security-Auditing" }, "host": { "name": "vagrant" 
@@ -153,24 +106,14 @@ "log": { "level": "information" }, - "process": { - "executable": "C:\\Windows\\System32\\wevtutil.exe", - "name": "wevtutil.exe", - "pid": 2760 - }, - "related": { - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "name": "vagrant" - }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", "winlog": { "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { + "ProcessId": "0xac8", + "ProcessName": "C:\\Windows\\System32\\wevtutil.exe", "Status": "0x0", "SubjectDomainName": "VAGRANT", "SubjectLogonId": "0x274a2", @@ -181,9 +124,6 @@ "keywords": [ "Audit Success" ], - "logon": { - "id": "0x274a2" - }, "opcode": "Info", "process": { "pid": 4, diff --git a/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go b/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go new file mode 100644 index 00000000000..3aec5278964 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/sysmon_windows_test.go 
@@ -0,0 +1,33 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+
+ // Register required processors.
+ _ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+ _ "github.com/elastic/beats/v7/libbeat/processors/timestamp"
+)
+
+// Ignore these fields so that the tests will pass if Sysmon is not installed.
+var ignoreFields = []string{
+ "event.action",
+ "message",
+ "winlog.opcode",
+ "winlog.task",
+
+ // Ignore these fields as under some circumstances they are not populated.
+ // (observed under Windows 7).
+ "winlog.user.type",
+ "winlog.user.name",
+ "winlog.user.domain",
+}
+
+func TestSysmon(t *testing.T) {
+ module.TestPipeline(t, "testdata/*.evtx", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
index 09d44c965d0..fde0b84006f 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
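Review bot: The unconditional `ignoreFields` entries `event.action`, `winlog.opcode` and `winlog.task` mean a regression in rendering those provider-metadata-derived fields would pass the golden comparison silently on every host, not only on hosts without Sysmon installed, and the comment above the list explains only the absent-Sysmon case. I would extend that comment: `// Golden files must still be generated on a host with Sysmon installed so these fields hold rendered values; ignoring them only relaxes the comparison and never validates them.` Gating the ignore on a runtime check for the Sysmon provider would keep the assertion live on hosts where it can run, but I cannot tell from this hunk whether the module package offers such a probe.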
@@ -1,44 +1,10 @@ [ { - "@timestamp": "2019-07-18T03:34:01.239Z", - "dns": { - "answers": [ - { - "data": "go.microsoft.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e11290.dspg.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.223.14.67", - "type": "A" - } - ], - "question": { - "name": "go.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "go", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.223.14.67" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0252239Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -46,25 +12,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 356 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessId": "356", + "QueryName": "go.microsoft.com", + "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.239" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -75,51 +37,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 66, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.261Z", - "dns": { - "answers": [ - { - "data": "www-msn-com.a-0003.a-msedge.net", - "type": "CNAME" - }, - { - "data": "a-0003.a-msedge.net", - "type": "CNAME" - }, - { - "data": "204.79.197.203", - "type": "A" - } - ], - "question": { - "name": "www.msn.com", - "registered_domain": "msn.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.79.197.203" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0252377Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -127,25 +58,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "www.msn.com", + "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.261" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -156,52 +83,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 67, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.449Z", - "dns": { - "answers": [ - { - "data": "a1999.dscg2.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.192", - "type": "A" - }, - { - "data": "23.50.53.195", - "type": "A" - } - ], - "question": { - "name": "static-global-s-msn-com.akamaized.net", - "registered_domain": "akamaized.net", - "subdomain": "static-global-s-msn-com", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.50.53.192", - "23.50.53.195" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0252623Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -209,25 +104,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "static-global-s-msn-com.akamaized.net", + "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.449" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -238,56 +129,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 68, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.457Z", - "dns": { - "answers": [ - { - "data": "a-0001.a-afdentry.net.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "dual-a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "204.79.197.200", - "type": "A" - }, - { - "data": "13.107.21.200", - "type": "A" - } - ], - "question": { - "name": "www.bing.com", - "registered_domain": "bing.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0252736Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -295,25 +150,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 356 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessId": "356", + "QueryName": "www.bing.com", + "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.457" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -324,51 +175,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 69, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.494Z", - "dns": { - "answers": [ - { - "data": "linkmaker.itunes.apple.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e4541.dsce9.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.64.104.249", - "type": "A" - } - ], - "question": { - "name": "linkmaker.itunes.apple.com", - "registered_domain": "apple.com", - "subdomain": "linkmaker.itunes", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.64.104.249" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0252842Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -376,25 +196,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "linkmaker.itunes.apple.com", + "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.494" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -405,57 +221,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 70, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.81Z", - "dns": { - "answers": [ - { - "data": "151.101.1.194", - "type": "A" - }, - { - "data": "151.101.65.194", - "type": "A" - }, - { - "data": "151.101.129.194", - "type": "A" - }, - { - "data": "151.101.193.194", - "type": "A" - } - ], - "question": { - "name": "confiant-integrations.global.ssl.fastly.net", - "registered_domain": "confiant-integrations.global.ssl.fastly.net", - "top_level_domain": "global.ssl.fastly.net" - }, - "resolved_ip": [ - "151.101.1.194", - "151.101.65.194", - "151.101.129.194", - "151.101.193.194" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0253173Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -463,25 +242,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "confiant-integrations.global.ssl.fastly.net", + "QueryResults": "::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.810" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -492,47 +267,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 71, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.894Z", - "dns": { - "answers": [ - { - "data": "c.msn.com.nsatc.net", - "type": "CNAME" - }, - { - "data": "20.36.253.92", - "type": "A" - } - ], - "question": { - "name": "c.msn.com", - "registered_domain": "msn.com", - "subdomain": "c", - "top_level_domain": "com" - }, - "resolved_ip": [ - "20.36.253.92" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0253304Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -540,25 +288,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "c.msn.com", + "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.894" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -569,56 +313,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 72, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:01.948Z", - "dns": { - "answers": [ - { - "data": "c-bing-com.a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "dual-a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "13.107.21.200", - "type": "A" - }, - { - "data": "204.79.197.200", - "type": "A" - } - ], - "question": { - "name": "c.bing.com", - "registered_domain": "bing.com", - "subdomain": "c", - "top_level_domain": "com" - }, - "resolved_ip": [ - "13.107.21.200", - "204.79.197.200" - ] - }, + "@timestamp": "2019-07-18T03:34:02.0253473Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -626,25 +334,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "c.bing.com", + "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:01.948" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -655,43 +359,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 73, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.085Z", - "dns": { - "answers": [ - { - "data": "23.52.167.93", - "type": "A" - } - ], - "question": { - "name": "contextual.media.net", - "registered_domain": "media.net", - "subdomain": "contextual", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.52.167.93" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0281901Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -699,25 +380,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "contextual.media.net", + "QueryResults": "::ffff:23.52.167.93;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.085" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -728,59 +405,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 74, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.174Z", - "dns": { - "answers": [ - { - "data": "glb-ads.atwola.adtechus.com", - "type": "CNAME" - }, - { - "data": "cs670.wac.thetacdn.net", - "type": "CNAME" - }, - { - "data": "cs670.lb.wac.apr-1b09e.edgecastdns.net", - "type": "CNAME" - }, - { - "data": "cs935.wac.thetacdn.net", - "type": "CNAME" - }, - { - "data": "152.195.32.120", - "type": "A" - } - ], - "question": { - "name": "at.atwola.com", - "registered_domain": "atwola.com", - "subdomain": "at", - "top_level_domain": "com" - }, - "resolved_ip": [ - "152.195.32.120" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0282747Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -788,25 +426,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "at.atwola.com", + "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.174" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -817,91 +451,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 75, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.274Z", - "dns": { - "answers": [ - { - "data": "microsoft.geo.appnexusgslb.net", - "type": "CNAME" - }, - { - "data": "m.anycast.adnxs.com", - "type": "CNAME" - }, - { - "data": "204.13.192.56", - "type": "A" - }, - { - "data": "204.13.192.120", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "m.adnxs.com", - "registered_domain": "adnxs.com", - "subdomain": "m", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "204.13.192.56", - "204.13.192.120", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0283589Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -909,25 +472,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "m.adnxs.com", + "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.274" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -938,47 +497,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 76, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.291Z", - "dns": { - "answers": [ - { - "data": "spcms-global.pbp.gysm.yahoodns.net", - "type": "CNAME" - }, - { - "data": "74.6.137.78", - "type": "A" - } - ], - "question": { - "name": "cms.analytics.yahoo.com", - "registered_domain": "yahoo.com", - "subdomain": "cms.analytics", - "top_level_domain": "com" - }, - "resolved_ip": [ - "74.6.137.78" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0284128Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -986,25 +518,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cms.analytics.yahoo.com", + "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.291" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1015,51 +543,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 77, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.413Z", - "dns": { - "answers": [ - { - "data": "cvision.media.net.edgekey.net", - "type": "CNAME" - }, - { - "data": "e607.d.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.167.93", - "type": "A" - } - ], - "question": { - "name": "cvision.media.net", - "registered_domain": "media.net", - "subdomain": "cvision", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.52.167.93" - ] - }, + "@timestamp": "2019-07-18T03:34:03.028501Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -1067,25 +564,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cvision.media.net", + "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.413" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1096,56 +589,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 78, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.424Z", - "dns": { - "answers": [ - { - "data": "g-bing-com.a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "dual-a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "204.79.197.200", - "type": "A" - }, - { - "data": "13.107.21.200", - "type": "A" - } - ], - "question": { - "name": "g.bing.com", - "registered_domain": "bing.com", - "subdomain": "g", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0285856Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1153,25 +610,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "g.bing.com", + "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.424" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -1182,43 +635,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 79, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.427Z", - "dns": { - "answers": [ - { - "data": "23.52.167.93", - "type": "A" - } - ], - "question": { - "name": "lg3.media.net", - "registered_domain": "media.net", - "subdomain": "lg3", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.52.167.93" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0289003Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1226,25 +656,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "lg3.media.net", + "QueryResults": "::ffff:23.52.167.93;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.427" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -1255,57 +681,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 80, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.469Z", - "dns": { - "answers": [ - { - "data": "service.sp.aolp-ds-prd.aws.oath.cloud", - "type": "CNAME" - }, - { - "data": "54.88.96.255", - "type": "A" - }, - { - "data": "34.233.100.168", - "type": "A" - }, - { - "data": "54.209.58.223", - "type": "A" - } - ], - "question": { - "name": "service.sp.advertising.com", - "registered_domain": "advertising.com", - "subdomain": "service.sp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "54.88.96.255", - "34.233.100.168", - "54.209.58.223" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0290311Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1313,25 +702,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "service.sp.advertising.com", + "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.469" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -1342,51 +727,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 81, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.485Z", - "dns": { - "answers": [ - { - "data": "sb.scorecardresearch.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e1879.e7.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "184.25.176.117", - "type": "A" - } - ], - "question": { - "name": "sb.scorecardresearch.com", - "registered_domain": "scorecardresearch.com", - "subdomain": "sb", - "top_level_domain": "com" - }, - "resolved_ip": [ - "184.25.176.117" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0290984Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1394,25 +748,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sb.scorecardresearch.com", + "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.485" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -1423,51 +773,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 82, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.5Z", - "dns": { - "answers": [ - { - "data": "iceotf-prod-fe-tm.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "iceotf-prod-fe-eastus.cloudapp.net", - "type": "CNAME" - }, - { - "data": "40.114.54.223", - "type": "A" - } - ], - "question": { - "name": "otf.msn.com", - "registered_domain": "msn.com", - "subdomain": "otf", - "top_level_domain": "com" - }, - "resolved_ip": [ - "40.114.54.223" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0291129Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1475,25 +794,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "otf.msn.com", + "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.500" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1504,78 +819,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 83, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.58Z", - "dns": { - "answers": [ - { - "data": "35.171.101.225", - "type": "A" - }, - { - "data": "34.196.57.87", - "type": "A" - }, - { - "data": "34.194.164.46", - "type": "A" - }, - { - "data": "34.233.181.142", - "type": "A" - }, - { - "data": "34.194.167.169", - "type": "A" - }, - { - "data": "34.193.242.172", - "type": "A" - }, - { - "data": "34.234.152.11", - "type": "A" - }, - { - "data": "34.206.12.124", - "type": "A" - } - ], - "question": { - "name": "ping.chartbeat.net", - "registered_domain": "chartbeat.net", - "subdomain": "ping", - "top_level_domain": "net" - }, - "resolved_ip": [ - "35.171.101.225", - "34.196.57.87", - "34.194.164.46", - "34.233.181.142", - "34.194.167.169", - "34.193.242.172", - "34.234.152.11", - "34.206.12.124" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0291263Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1583,25 +840,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ping.chartbeat.net", + "QueryResults": "::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.580" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1612,57 +865,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 84, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.628Z", - "dns": { - "answers": [ - { - "data": "151.101.194.79", - "type": "A" - }, - { - "data": "151.101.2.79", - "type": "A" - }, - { - "data": "151.101.66.79", - "type": "A" - }, - { - "data": "151.101.130.79", - "type": "A" - } - ], - "question": { - "name": "clarium.freetls.fastly.net", - "registered_domain": "clarium.freetls.fastly.net", - "top_level_domain": "freetls.fastly.net" - }, - "resolved_ip": [ - "151.101.194.79", - "151.101.2.79", - "151.101.66.79", - "151.101.130.79" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0291485Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1670,25 +886,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "clarium.freetls.fastly.net", + "QueryResults": "::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.628" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1699,103 +911,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 85, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.633Z", - "dns": { - "answers": [ - { - "data": "68.67.178.252", - "type": "A" - }, - { - "data": "68.67.179.11", - "type": "A" - }, - { - "data": "68.67.179.228", - "type": "A" - }, - { - "data": "68.67.178.184", - "type": "A" - }, - { - "data": "204.13.192.141", - "type": "A" - }, - { - "data": "68.67.180.43", - "type": "A" - }, - { - "data": "68.67.179.23", - "type": "A" - }, - { - "data": "68.67.179.197", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - } - ], - "question": { - "name": "nym1-ib.adnxs.com", - "registered_domain": "adnxs.com", - "subdomain": "nym1-ib", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "68.67.178.252", - "68.67.179.11", - "68.67.179.228", - "68.67.178.184", - "204.13.192.141", - "68.67.180.43", - "68.67.179.23", - "68.67.179.197", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0291591Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1803,25 +932,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "nym1-ib.adnxs.com", + "QueryResults": "::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.633" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1832,91 +957,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 86, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.716Z", - "dns": { - "answers": [ - { - "data": "us-east-eb2.3lift.com", - "type": "CNAME" - }, - { - "data": "dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "34.196.86.129", - "type": "A" - }, - { - "data": "34.233.250.110", - "type": "A" - }, - { - "data": "18.209.244.108", - "type": "A" - }, - { - "data": "34.224.204.11", - "type": "A" - }, - { - "data": "34.237.44.255", - "type": "A" - }, - { - "data": "3.210.231.21", - "type": "A" - }, - { - "data": "54.172.198.255", - "type": "A" - }, - { - "data": "34.199.186.227", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - } - ], - "question": { - "name": "eb2.3lift.com", - "registered_domain": "3lift.com", - "subdomain": "eb2", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "34.196.86.129", - "34.233.250.110", - "18.209.244.108", - "34.224.204.11", - "34.237.44.255", - "3.210.231.21", - "54.172.198.255", - "34.199.186.227", - "192.5.6.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0292405Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -1924,25 +978,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "eb2.3lift.com", + "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.716" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -1953,96 +1003,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 87, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.727Z", - "dns": { - "answers": [ - { - "data": "mix.linkedin.com", - "type": "CNAME" - }, - { - "data": "any-na.mix.linkedin.com", - "type": "CNAME" - }, - { - "data": "108.174.10.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "px.ads.linkedin.com", - "registered_domain": "linkedin.com", - "subdomain": "px.ads", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "108.174.10.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0292514Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2050,25 +1024,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "px.ads.linkedin.com", + "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.727" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2079,61 +1049,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 88, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.733Z", - "dns": { - "answers": [ - { - "data": "login.msa.msidentity.com", - "type": "CNAME" - }, - { - "data": "lgin.msa.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "40.90.23.239", - "type": "A" - }, - { - "data": "40.90.23.213", - "type": "A" - }, - { - "data": "40.90.23.154", - "type": "A" - } - ], - "question": { - "name": "login.live.com", - "registered_domain": "live.com", - "subdomain": "login", - "top_level_domain": "com" - }, - "resolved_ip": [ - "40.90.23.239", - "40.90.23.213", - "40.90.23.154" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0292602Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2141,25 +1070,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "login.live.com", + "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.733" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2170,98 +1095,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 89, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.792Z", - "dns": { - "answers": [ - { - "data": "74.119.119.150", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - } - ], - "question": { - "name": "dis.criteo.com", - "registered_domain": "criteo.com", - "subdomain": "dis", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "74.119.119.150", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0293152Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2269,25 +1116,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dis.criteo.com", + "QueryResults": "::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.792" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2298,101 +1141,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 90, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.792Z", - "dns": { - "answers": [ - { - "data": "g.geogslb.com", - "type": "CNAME" - }, - { - "data": "ib.anycast.adnxs.com", - "type": "CNAME" - }, - { - "data": "68.67.180.12", - "type": "A" - }, - { - "data": "68.67.179.228", - "type": "A" - }, - { - "data": "68.67.180.44", - "type": "A" - }, - { - "data": "204.13.192.141", - "type": "A" - }, - { - "data": "68.67.178.230", - "type": "A" - }, - { - "data": "68.67.178.252", - "type": "A" - }, - { - "data": "68.67.179.23", - "type": "A" - }, - { - "data": "68.67.179.232", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "ib.adnxs.com", - "registered_domain": "adnxs.com", - "subdomain": "ib", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "68.67.180.12", - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0293311Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2400,25 +1162,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ib.adnxs.com", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.792" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2429,47 +1187,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 91, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.809Z", - "dns": { - "answers": [ - { - "data": "pagead.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.34", - "type": "A" - } - ], - "question": { - "name": "cm.g.doubleclick.net", - "registered_domain": "doubleclick.net", - "subdomain": "cm.g", - "top_level_domain": "net" - }, - "resolved_ip": [ - "172.217.10.34" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0293399Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -2477,25 +1208,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cm.g.doubleclick.net", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.809" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2506,92 +1233,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 92, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.821Z", - "dns": { - "answers": [ - { - "data": "match-975362022.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "54.208.129.24", - "type": "A" - }, - { - "data": "54.175.5.93", - "type": "A" - }, - { - "data": "52.86.210.96", - "type": "A" - }, - { - "data": "3.93.252.59", - "type": "A" - }, - { - "data": "54.86.97.130", - "type": "A" - }, - { - "data": "34.194.239.194", - "type": "A" - }, - { - "data": "3.94.67.102", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "match.adsrvr.org", - "registered_domain": "adsrvr.org", - "subdomain": "match", - "top_level_domain": "org" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "54.208.129.24", - "54.175.5.93", - "52.86.210.96", - "3.93.252.59", - "54.86.97.130", - "34.194.239.194", - "3.94.67.102", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0293501Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2599,25 +1254,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "match.adsrvr.org", + "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.821" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2628,51 +1279,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 93, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.821Z", - "dns": { - "answers": [ - { - "data": "ssum-sec.casalemedia.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e8037.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.162.21", - "type": "A" - } - ], - "question": { - "name": "ssum-sec.casalemedia.com", - "registered_domain": "casalemedia.com", - "subdomain": "ssum-sec", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.52.162.21" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0293589Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -2680,25 +1300,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ssum-sec.casalemedia.com", + "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.821" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2709,92 +1325,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 94, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:02.828Z", - "dns": { - "answers": [ - { - "data": "adserver-clarium-446793891.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "18.204.130.216", - "type": "A" - }, - { - "data": "18.209.246.43", - "type": "A" - }, - { - "data": "107.23.153.61", - "type": "A" - }, - { - "data": "18.235.141.27", - "type": "A" - }, - { - "data": "3.210.79.248", - "type": "A" - }, - { - "data": "18.209.146.43", - "type": "A" - }, - { - "data": "18.210.64.206", - "type": "A" - }, - { - "data": "18.214.161.226", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - } - ], - "question": { - "name": "protected-by.clarium.io", - "registered_domain": "clarium.io", - "subdomain": "protected-by", - "top_level_domain": "io" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "18.204.130.216", - "18.209.246.43", - "107.23.153.61", - "18.235.141.27", - "3.210.79.248", - "18.209.146.43", - "18.210.64.206", - "18.214.161.226", - "192.5.6.30", - "2001:503:a83e::2:30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.0293695Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -2802,25 +1346,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "protected-by.clarium.io", + "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.828" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2831,47 +1371,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 95, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.838Z", - "dns": { - "answers": [ - { - "data": "pagead46.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.66", - "type": "A" - } - ], - "question": { - "name": "pagead2.googlesyndication.com", - "registered_domain": "googlesyndication.com", - "subdomain": "pagead2", - "top_level_domain": "com" - }, - "resolved_ip": [ - "172.217.10.66" - ] - }, + "@timestamp": "2019-07-18T03:34:03.029379Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -2879,25 +1392,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pagead2.googlesyndication.com", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.838" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2908,47 +1417,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 96, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.839Z", - "dns": { - "answers": [ - { - "data": "pagead46.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.66", - "type": "A" - } - ], - "question": { - "name": "googleads.g.doubleclick.net", - "registered_domain": "doubleclick.net", - "subdomain": "googleads.g", - "top_level_domain": "net" - }, - "resolved_ip": [ - "172.217.10.66" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0293885Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -2956,25 +1438,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "googleads.g.doubleclick.net", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.839" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -2985,86 +1463,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 97, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } }, { - "@timestamp": "2019-07-18T03:34:02.841Z", - "dns": { - "answers": [ - { - "data": "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud", - "type": "CNAME" - }, - { - "data": "prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud", - "type": "CNAME" - }, - { - "data": "52.22.184.73", - "type": "A" - }, - { - "data": "54.152.30.174", - "type": "A" - }, - { - "data": "3.213.70.197", - "type": "A" - }, - { - "data": "54.158.57.141", - "type": "A" - }, - { - "data": "52.6.39.34", - "type": "A" - }, - { - "data": "52.0.113.251", - "type": "A" - }, - { - "data": "3.213.8.28", - "type": "A" - }, - { - "data": "3.215.246.105", - "type": "A" - } - ], - "question": { - "name": "pixel.advertising.com", - "registered_domain": "advertising.com", - "subdomain": "pixel", - "top_level_domain": "com" - }, - "resolved_ip": [ - "52.22.184.73", - "54.152.30.174", - "3.213.70.197", - "54.158.57.141", - "52.6.39.34", - "52.0.113.251", - "3.213.8.28", - "3.215.246.105" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0293988Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3072,25 +1484,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pixel.advertising.com", + "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.841" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3101,75 +1509,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 98, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.844Z", - "dns": { - "answers": [ - { - "data": "uplynk.adaptv.advertising.com", - "type": "CNAME" - }, - { - "data": "uplynk-geo.adap.tv", - "type": "CNAME" - }, - { - "data": "uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "54.210.214.197", - "type": "A" - }, - { - "data": "52.202.202.147", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "onevideosync.uplynk.com", - "registered_domain": "uplynk.com", - "subdomain": "onevideosync", - "top_level_domain": "com" - }, - "resolved_ip": [ - "54.210.214.197", - "52.202.202.147", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0294086Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3177,25 +1530,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "onevideosync.uplynk.com", + "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.844" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -3206,47 +1555,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 99, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:02.956Z", - "dns": { - "answers": [ - { - "data": "ad.turn.com.akadns.net", - "type": "CNAME" - }, - { - "data": "50.116.194.21", - "type": "A" - } - ], - "question": { - "name": "ad.turn.com", - "registered_domain": "turn.com", - "subdomain": "ad", - "top_level_domain": "com" - }, - "resolved_ip": [ - "50.116.194.21" - ] - }, + "@timestamp": "2019-07-18T03:34:03.0294167Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3254,25 +1576,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ad.turn.com", + "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:02.956" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3283,82 +1601,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 100, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.005Z", - "dns": { - "answers": [ - { - "data": "prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud", - "type": "CNAME" - }, - { - "data": "34.225.20.218", - "type": "A" - }, - { - "data": "3.216.14.125", - "type": "A" - }, - { - "data": "52.200.28.150", - "type": "A" - }, - { - "data": "3.216.103.132", - "type": "A" - }, - { - "data": "52.4.86.222", - "type": "A" - }, - { - "data": "52.21.200.160", - "type": "A" - }, - { - "data": "3.216.249.238", - "type": "A" - }, - { - "data": "3.94.175.146", - "type": "A" - } - ], - "question": { - "name": "ups.analytics.yahoo.com", - "registered_domain": "yahoo.com", - "subdomain": "ups.analytics", - "top_level_domain": "com" - }, - "resolved_ip": [ - "34.225.20.218", - "3.216.14.125", - "52.200.28.150", - "3.216.103.132", - "52.4.86.222", - "52.21.200.160", - "3.216.249.238", - "3.94.175.146" - ] - }, + "@timestamp": "2019-07-18T03:34:03.6116197Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3366,25 +1622,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ups.analytics.yahoo.com", + "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.005" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3395,97 +1647,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 101, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.07Z", - "dns": { - "answers": [ - { - "data": "dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "34.237.248.89", - "type": "A" - }, - { - "data": "35.153.21.25", - "type": "A" - }, - { - "data": "52.200.238.112", - "type": "A" - }, - { - "data": "52.206.93.38", - "type": "A" - }, - { - "data": "34.227.35.137", - "type": "A" - }, - { - "data": "35.169.96.208", - "type": "A" - }, - { - "data": "52.22.206.42", - "type": "A" - }, - { - "data": "52.201.81.61", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "pm.w55c.net", - "registered_domain": "w55c.net", - "subdomain": "pm", - "top_level_domain": "net" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "34.237.248.89", - "35.153.21.25", - "52.200.238.112", - "52.206.93.38", - "34.227.35.137", - "35.169.96.208", - "52.22.206.42", - "52.201.81.61", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8023696Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3493,25 +1668,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pm.w55c.net", + "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.070" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3522,98 +1693,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 102, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.093Z", - "dns": { - "answers": [ - { - "data": "35.186.239.238", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - } - ], - "question": { - "name": "cm.eyereturn.com", - "registered_domain": "eyereturn.com", - "subdomain": "cm", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.186.239.238", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8023918Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3621,25 +1714,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cm.eyereturn.com", + "QueryResults": "::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.093" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -3650,47 +1739,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 103, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.099Z", - "dns": { - "answers": [ - { - "data": "pagead46.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.66", - "type": "A" - } - ], - "question": { - "name": "www.googletagservices.com", - "registered_domain": "googletagservices.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "resolved_ip": [ - "172.217.10.66" - ] - }, + "@timestamp": "2019-07-18T03:34:03.802402Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3698,25 +1760,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "www.googletagservices.com", + "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.099" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3727,97 +1785,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 104, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.107Z", - "dns": { - "answers": [ - { - "data": "rtb.adgrx.com", - "type": "CNAME" - }, - { - "data": "173.231.178.117", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "cm.adgrx.com", - "registered_domain": "adgrx.com", - "subdomain": "cm", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "173.231.178.117", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.802413Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3825,25 +1806,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cm.adgrx.com", + "QueryResults": "type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.107" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3854,91 +1831,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 105, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.107Z", - "dns": { - "answers": [ - { - "data": "j2waycm.netmng.com", - "type": "CNAME" - }, - { - "data": "j2waycm-us-wdc.netmng.com", - "type": "CNAME" - }, - { - "data": "104.193.83.156", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "csm2waycm-atl.netmng.com", - "registered_domain": "netmng.com", - "subdomain": "csm2waycm-atl", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "104.193.83.156", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8024239Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -3946,25 +1852,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "csm2waycm-atl.netmng.com", + "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.107" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -3975,47 +1877,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 106, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.112Z", - "dns": { - "answers": [ - { - "data": "ds-pr-bh.ybp.gysm.yahoodns.net", - "type": "CNAME" - }, - { - "data": "72.30.2.182", - "type": "A" - } - ], - "question": { - "name": "pr-bh.ybp.yahoo.com", - "registered_domain": "yahoo.com", - "subdomain": "pr-bh.ybp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.30.2.182" - ] - }, + "@timestamp": "2019-07-18T03:34:03.802433Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -4023,25 +1898,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pr-bh.ybp.yahoo.com", + "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.112" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4052,43 +1923,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 107, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.113Z", - "dns": { - "answers": [ - { - "data": "3.83.220.223", - "type": "A" - } - ], - "question": { - "name": "ps.eyeota.net", - "registered_domain": "eyeota.net", - "subdomain": "ps", - "top_level_domain": "net" - }, - "resolved_ip": [ - "3.83.220.223" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8024412Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -4096,25 +1944,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ps.eyeota.net", + "QueryResults": "::ffff:3.83.220.223;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.113" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4125,60 +1969,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 108, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.146Z", - "dns": { - "answers": [ - { - "data": "idpix.media6degrees.com.cdn.cloudflare.net", - "type": "CNAME" - }, - { - "data": "map.media6degrees.com", - "type": "CNAME" - }, - { - "data": "map.media6degrees.com.cdn.cloudflare.net", - "type": "CNAME" - }, - { - "data": "204.2.197.201", - "type": "A" - }, - { - "data": "204.2.197.211", - "type": "A" - } - ], - "question": { - "name": "idpix.media6degrees.com", - "registered_domain": "media6degrees.com", - "subdomain": "idpix", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.2.197.201", - "204.2.197.211" - ] - }, + "@timestamp": "2019-07-18T03:34:03.802456Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4186,25 +1990,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "idpix.media6degrees.com", + "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.146" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4215,87 +2015,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 109, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.146Z", - "dns": { - "answers": [ - { - "data": "pagead-googlehosted.l.google.com", - "type": "CNAME" - }, - { - "data": "172.217.10.1", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "tpc.googlesyndication.com", - "registered_domain": "googlesyndication.com", - "subdomain": "tpc", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "172.217.10.1", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8024662Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4303,25 +2036,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tpc.googlesyndication.com", + "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.146" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4332,91 +2061,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 110, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.182Z", - "dns": { - "answers": [ - { - "data": "pug44000nfc.pubmatic.com", - "type": "CNAME" - }, - { - "data": "pug44000nf.pubmatic.com", - "type": "CNAME" - }, - { - "data": "162.248.19.147", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "image2.pubmatic.com", - "registered_domain": "pubmatic.com", - "subdomain": "image2", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "162.248.19.147", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8024806Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4424,25 +2082,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "image2.pubmatic.com", + "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.182" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4453,55 +2107,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 111, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.183Z", - "dns": { - "answers": [ - { - "data": "www.msn.com", - "type": "CNAME" - }, - { - "data": "www-msn-com.a-0003.a-msedge.net", - "type": "CNAME" - }, - { - "data": "a-0003.a-msedge.net", - "type": "CNAME" - }, - { - "data": "204.79.197.203", - "type": "A" - } - ], - "question": { - "name": "sam.msn.com", - "registered_domain": "msn.com", - "subdomain": "sam", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.79.197.203" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8024961Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -4509,25 +2128,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sam.msn.com", + "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.183" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4538,98 +2153,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 112, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.222Z", - "dns": { - "answers": [ - { - "data": "52.85.89.250", - "type": "A" - }, - { - "data": "52.85.89.94", - "type": "A" - }, - { - "data": "52.85.89.22", - "type": "A" - }, - { - "data": "52.85.89.139", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "ocsp.sca1b.amazontrust.com", - "registered_domain": "amazontrust.com", - "subdomain": "ocsp.sca1b", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "52.85.89.250", - "52.85.89.94", - "52.85.89.22", - "52.85.89.139", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8025162Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4637,25 +2174,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.sca1b.amazontrust.com", + "QueryResults": "::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.222" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4666,56 +2199,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 113, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.271Z", - "dns": { - "answers": [ - { - "data": "track.adformnet.akadns.net", - "type": "CNAME" - }, - { - "data": "track-us.adformnet.akadns.net", - "type": "CNAME" - }, - { - "data": "185.167.164.43", - "type": "A" - }, - { - "data": "185.167.164.42", - "type": "A" - } - ], - "question": { - "name": "c1.adform.net", - "registered_domain": "adform.net", - "subdomain": "c1", - "top_level_domain": "net" - }, - "resolved_ip": [ - "185.167.164.43", - "185.167.164.42" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8025402Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4723,25 +2220,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "c1.adform.net", + "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.271" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4752,76 +2245,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 114, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.271Z", - "dns": { - "answers": [ - { - "data": "wd-prod-ss.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com", - "type": "CNAME" - }, - { - "data": "40.84.140.84", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - } - ], - "question": { - "name": "urs.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "urs", - "top_level_domain": "com" - }, - "resolved_ip": [ - "40.84.140.84", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8025508Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -4829,25 +2266,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "urs.microsoft.com", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.271" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4858,51 +2291,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 115, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.29Z", - "dns": { - "answers": [ - { - "data": "dsum-sec.casalemedia.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e8037.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.162.21", - "type": "A" - } - ], - "question": { - "name": "dsum-sec.casalemedia.com", - "registered_domain": "casalemedia.com", - "subdomain": "dsum-sec", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.52.162.21" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8025607Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -4910,25 +2312,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dsum-sec.casalemedia.com", + "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.290" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -4939,47 +2337,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 116, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.292Z", - "dns": { - "answers": [ - { - "data": "ocsp.godaddy.com.akadns.net", - "type": "CNAME" - }, - { - "data": "72.167.239.239", - "type": "A" - } - ], - "question": { - "name": "ocsp.godaddy.com", - "registered_domain": "godaddy.com", - "subdomain": "ocsp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.167.239.239" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8025698Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -4987,25 +2358,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.godaddy.com", + "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.292" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5016,34 +2383,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 117, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.315Z", - "dns": { - "question": { - "name": "googleads.g.doubleclick.net", - "registered_domain": "doubleclick.net", - "subdomain": "googleads.g", - "top_level_domain": "net" - } - }, + "@timestamp": "2019-07-18T03:34:03.8025871Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -5051,25 +2404,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "googleads.g.doubleclick.net", + "QueryStatus": "9701", + "UtcTime": "2019-07-18 03:34:03.315" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5080,34 +2428,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 118, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.315Z", - "dns": { - "question": { - "name": "tpc.googlesyndication.com", - "registered_domain": "googlesyndication.com", - "subdomain": "tpc", - "top_level_domain": "com" - } - }, + "@timestamp": "2019-07-18T03:34:03.8026787Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -5115,25 +2449,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tpc.googlesyndication.com", + "QueryStatus": "9701", + "UtcTime": "2019-07-18 03:34:03.315" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5144,92 +2473,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 119, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.333Z", - "dns": { - "answers": [ - { - "data": "t3j2g9x7.stackpathcdn.com", - "type": "CNAME" - }, - { - "data": "151.139.128.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.usertrust.com", - "registered_domain": "usertrust.com", - "subdomain": "ocsp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8027002Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5237,25 +2494,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.usertrust.com", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.333" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5266,56 +2519,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 120, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.343Z", - "dns": { - "answers": [ - { - "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net", - "type": "CNAME" - }, - { - "data": "a279.dscq.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.179", - "type": "A" - }, - { - "data": "23.50.53.176", - "type": "A" - } - ], - "question": { - "name": "isrg.trustid.ocsp.identrust.com", - "registered_domain": "identrust.com", - "subdomain": "isrg.trustid.ocsp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.50.53.179", - "23.50.53.176" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8027154Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5323,25 +2540,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "isrg.trustid.ocsp.identrust.com", + "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.343" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -5352,47 +2565,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 121, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.391Z", - "dns": { - "answers": [ - { - "data": "dart.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.6.198", - "type": "A" - } - ], - "question": { - "name": "ad.doubleclick.net", - "registered_domain": "doubleclick.net", - "subdomain": "ad", - "top_level_domain": "net" - }, - "resolved_ip": [ - "172.217.6.198" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8027291Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5400,25 +2586,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ad.doubleclick.net", + "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.391" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5429,92 +2611,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 122, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.393Z", - "dns": { - "answers": [ - { - "data": "t3j2g9x7.stackpathcdn.com", - "type": "CNAME" - }, - { - "data": "151.139.128.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.sectigo.com", - "registered_domain": "sectigo.com", - "subdomain": "ocsp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.802739Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5522,25 +2632,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.sectigo.com", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.393" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5551,56 +2657,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 123, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.468Z", - "dns": { - "answers": [ - { - "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net", - "type": "CNAME" - }, - { - "data": "a771.dscq.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.179", - "type": "A" - }, - { - "data": "23.50.53.177", - "type": "A" - } - ], - "question": { - "name": "ocsp.int-x3.letsencrypt.org", - "registered_domain": "letsencrypt.org", - "subdomain": "ocsp.int-x3", - "top_level_domain": "org" - }, - "resolved_ip": [ - "23.50.53.179", - "23.50.53.177" - ] - }, + "@timestamp": "2019-07-18T03:34:03.8027538Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5608,25 +2678,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.int-x3.letsencrypt.org", + "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.468" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5637,92 +2703,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 124, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.581Z", - "dns": { - "answers": [ - { - "data": "pki-goog.l.google.com", - "type": "CNAME" - }, - { - "data": "172.217.12.195", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.pki.goog", - "registered_domain": "pki.goog", - "subdomain": "ocsp", - "top_level_domain": "goog" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "172.217.12.195", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.8027683Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5730,25 +2724,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.pki.goog", + "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.581" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -5759,47 +2749,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 125, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.872Z", - "dns": { - "answers": [ - { - "data": "pagead.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.34", - "type": "A" - } - ], - "question": { - "name": "googleads4.g.doubleclick.net", - "registered_domain": "doubleclick.net", - "subdomain": "googleads4.g", - "top_level_domain": "net" - }, - "resolved_ip": [ - "172.217.10.34" - ] - }, + "@timestamp": "2019-07-18T03:34:04.0298288Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5807,25 +2770,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "googleads4.g.doubleclick.net", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.872" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5836,62 +2795,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 126, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.889Z", - "dns": { - "answers": [ - { - "data": "f2.taboola.map.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.2.2", - "type": "A" - }, - { - "data": "151.101.66.2", - "type": "A" - }, - { - "data": "151.101.130.2", - "type": "A" - }, - { - "data": "151.101.194.2", - "type": "A" - } - ], - "question": { - "name": "images.taboola.com", - "registered_domain": "taboola.com", - "subdomain": "images", - "top_level_domain": "com" - }, - "resolved_ip": [ - "151.101.2.2", - "151.101.66.2", - "151.101.130.2", - "151.101.194.2" - ] - }, + "@timestamp": "2019-07-18T03:34:04.0298513Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5899,25 +2816,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "images.taboola.com", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.889" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -5928,62 +2841,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 127, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.89Z", - "dns": { - "answers": [ - { - "data": "f2.taboola.map.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.66.2", - "type": "A" - }, - { - "data": "151.101.130.2", - "type": "A" - }, - { - "data": "151.101.194.2", - "type": "A" - }, - { - "data": "151.101.2.2", - "type": "A" - } - ], - "question": { - "name": "api-s2s.taboola.com", - "registered_domain": "taboola.com", - "subdomain": "api-s2s", - "top_level_domain": "com" - }, - "resolved_ip": [ - "151.101.66.2", - "151.101.130.2", - "151.101.194.2", - "151.101.2.2" - ] - }, + "@timestamp": "2019-07-18T03:34:04.0298619Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -5991,25 +2862,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "api-s2s.taboola.com", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.890" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -6020,48 +2887,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 128, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.892Z", - "dns": { - "answers": [ - { - "data": "35.231.30.22", - "type": "A" - }, - { - "data": "35.196.212.198", - "type": "A" - } - ], - "question": { - "name": "x.bidswitch.net", - "registered_domain": "bidswitch.net", - "subdomain": "x", - "top_level_domain": "net" - }, - "resolved_ip": [ - "35.231.30.22", - "35.196.212.198" - ] - }, + "@timestamp": "2019-07-18T03:34:04.02987Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6069,25 +2908,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "x.bidswitch.net", + "QueryResults": "::ffff:35.231.30.22;::ffff:35.196.212.198;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.892" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6098,92 +2933,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 129, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.894Z", - "dns": { - "answers": [ - { - "data": "anycast.pixel.adsafeprotected.com", - "type": "CNAME" - }, - { - "data": "199.166.0.26", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "pixel.adsafeprotected.com", - "registered_domain": "adsafeprotected.com", - "subdomain": "pixel", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "199.166.0.26", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.0298806Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6191,25 +2954,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pixel.adsafeprotected.com", + "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.894" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6220,97 +2979,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 130, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.894Z", - "dns": { - "answers": [ - { - "data": "35.171.48.231", - "type": "A" - }, - { - "data": "52.206.107.32", - "type": "A" - }, - { - "data": "35.175.80.59", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ml314.com", - "registered_domain": "ml314.com", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.171.48.231", - "52.206.107.32", - "35.175.80.59", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.0298901Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6318,25 +3000,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ml314.com", + "QueryResults": "::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.894" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6347,98 +3025,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 131, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.902Z", - "dns": { - "answers": [ - { - "data": "156.154.200.36", - "type": "A" - }, - { - "data": "63.251.88.56", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "aa.agkn.com", - "registered_domain": "agkn.com", - "subdomain": "aa", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "156.154.200.36", - "63.251.88.56", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.0299Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6446,25 +3046,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "aa.agkn.com", + "QueryResults": "::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.902" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6475,92 +3071,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 132, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:03.911Z", - "dns": { - "answers": [ - { - "data": "s0-2mdn-net.l.google.com", - "type": "CNAME" - }, - { - "data": "172.217.10.134", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "s0.2mdn.net", - "registered_domain": "2mdn.net", - "subdomain": "s0", - "top_level_domain": "net" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "172.217.10.134", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.0299099Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6568,25 +3092,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "s0.2mdn.net", + "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.911" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6597,56 +3117,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 133, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.911Z", - "dns": { - "answers": [ - { - "data": "b.scorecardresearch.com.edgesuite.net", - "type": "CNAME" - }, - { - "data": "a1294.w20.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.195", - "type": "A" - }, - { - "data": "23.50.53.185", - "type": "A" - } - ], - "question": { - "name": "b.scorecardresearch.com", - "registered_domain": "scorecardresearch.com", - "subdomain": "b", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.50.53.195", - "23.50.53.185" - ] - }, + "@timestamp": "2019-07-18T03:34:04.0299204Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6654,25 +3138,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "b.scorecardresearch.com", + "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.911" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6683,62 +3163,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 134, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:03.921Z", - "dns": { - "answers": [ - { - "data": "f2.shared.global.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.130.2", - "type": "A" - }, - { - "data": "151.101.194.2", - "type": "A" - }, - { - "data": "151.101.2.2", - "type": "A" - }, - { - "data": "151.101.66.2", - "type": "A" - } - ], - "question": { - "name": "edw.edmunds.com", - "registered_domain": "edmunds.com", - "subdomain": "edw", - "top_level_domain": "com" - }, - "resolved_ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" - ] - }, + "@timestamp": "2019-07-18T03:34:04.5489581Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6746,25 +3184,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "edw.edmunds.com", + "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:03.921" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -6775,47 +3209,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 135, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.101Z", - "dns": { - "answers": [ - { - "data": "cs9.wac.phicdn.net", - "type": "CNAME" - }, - { - "data": "72.21.91.29", - "type": "A" - } - ], - "question": { - "name": "ocsp.digicert.com", - "registered_domain": "digicert.com", - "subdomain": "ocsp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.21.91.29" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6927125Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6823,25 +3230,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.digicert.com", + "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.101" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6852,92 +3255,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 136, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.137Z", - "dns": { - "answers": [ - { - "data": "usermatch.targeting.unrulymedia.com", - "type": "CNAME" - }, - { - "data": "35.167.55.0", - "type": "A" - }, - { - "data": "52.24.219.168", - "type": "A" - }, - { - "data": "52.43.21.209", - "type": "A" - }, - { - "data": "54.200.225.167", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - } - ], - "question": { - "name": "pre-usermatch.targeting.unrulymedia.com", - "registered_domain": "unrulymedia.com", - "subdomain": "pre-usermatch.targeting", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.167.55.0", - "52.24.219.168", - "52.43.21.209", - "54.200.225.167", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6927502Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -6945,25 +3276,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pre-usermatch.targeting.unrulymedia.com", + "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.137" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -6974,102 +3301,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 137, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.141Z", - "dns": { - "answers": [ - { - "data": "farm-hetzner.plista.com", - "type": "CNAME" - }, - { - "data": "144.76.67.119", - "type": "A" - }, - { - "data": "148.251.77.207", - "type": "A" - }, - { - "data": "148.251.15.115", - "type": "A" - }, - { - "data": "176.9.103.51", - "type": "A" - }, - { - "data": "88.198.208.110", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "farm.plista.com", - "registered_domain": "plista.com", - "subdomain": "farm", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "144.76.67.119", - "148.251.77.207", - "148.251.15.115", - "176.9.103.51", - "88.198.208.110", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6927629Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7077,25 +3322,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "farm.plista.com", + "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.141" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7106,91 +3347,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 138, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.168Z", - "dns": { - "answers": [ - { - "data": "beacon-n-ash.lb.krxd.net", - "type": "CNAME" - }, - { - "data": "beacon-17-537698933.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "50.17.180.35", - "type": "A" - }, - { - "data": "50.19.103.40", - "type": "A" - }, - { - "data": "50.19.210.19", - "type": "A" - }, - { - "data": "50.19.117.149", - "type": "A" - }, - { - "data": "50.19.222.244", - "type": "A" - }, - { - "data": "50.19.222.88", - "type": "A" - }, - { - "data": "50.19.81.100", - "type": "A" - }, - { - "data": "54.204.10.30", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - } - ], - "question": { - "name": "beacon.krxd.net", - "registered_domain": "krxd.net", - "subdomain": "beacon", - "top_level_domain": "net" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "50.17.180.35", - "50.19.103.40", - "50.19.210.19", - "50.19.117.149", - "50.19.222.244", - "50.19.222.88", - "50.19.81.100", - "54.204.10.30", - "192.5.6.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6927805Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7198,25 +3368,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "beacon.krxd.net", + "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.168" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7227,51 +3393,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 139, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.169Z", - "dns": { - "answers": [ - { - "data": "dsum.casalemedia.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e8037.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.162.21", - "type": "A" - } - ], - "question": { - "name": "dsum.casalemedia.com", - "registered_domain": "casalemedia.com", - "subdomain": "dsum", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.52.162.21" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6927914Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -7279,25 +3414,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dsum.casalemedia.com", + "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.169" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7308,97 +3439,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 140, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.169Z", - "dns": { - "answers": [ - { - "data": "pixel-origin.mathtag.com", - "type": "CNAME" - }, - { - "data": "216.200.232.235", - "type": "A" - }, - { - "data": "216.200.232.201", - "type": "A" - }, - { - "data": "74.121.138.26", - "type": "A" - }, - { - "data": "216.200.232.185", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "sync.mathtag.com", - "registered_domain": "mathtag.com", - "subdomain": "sync", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "216.200.232.235", - "216.200.232.201", - "74.121.138.26", - "216.200.232.185", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6928031Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7406,25 +3460,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.mathtag.com", + "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.169" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7435,51 +3485,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 141, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.184Z", - "dns": { - "answers": [ - { - "data": "ocsp.digicert.com", - "type": "CNAME" - }, - { - "data": "cs9.wac.phicdn.net", - "type": "CNAME" - }, - { - "data": "72.21.91.29", - "type": "A" - } - ], - "question": { - "name": "status.rapidssl.com", - "registered_domain": "rapidssl.com", - "subdomain": "status", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.21.91.29" - ] - }, + "@timestamp": "2019-07-18T03:34:04.692814Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -7487,25 +3506,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "status.rapidssl.com", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.184" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7516,97 +3531,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 142, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.184Z", - "dns": { - "answers": [ - { - "data": "cookiesyncing-1395500543.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "34.197.195.131", - "type": "A" - }, - { - "data": "34.192.39.82", - "type": "A" - }, - { - "data": "34.199.231.204", - "type": "A" - }, - { - "data": "34.199.113.81", - "type": "A" - }, - { - "data": "34.197.3.157", - "type": "A" - }, - { - "data": "34.205.112.156", - "type": "A" - }, - { - "data": "34.195.29.8", - "type": "A" - }, - { - "data": "34.201.247.123", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "sync.extend.tv", - "registered_domain": "extend.tv", - "subdomain": "sync", - "top_level_domain": "tv" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "34.197.195.131", - "34.192.39.82", - "34.199.231.204", - "34.199.113.81", - "34.197.3.157", - "34.205.112.156", - "34.195.29.8", - "34.201.247.123", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6928263Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7614,25 +3552,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.extend.tv", + "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.184" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7643,92 +3577,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 143, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.185Z", - "dns": { - "answers": [ - { - "data": "t3j2g9x7.stackpathcdn.com", - "type": "CNAME" - }, - { - "data": "151.139.128.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.comodoca.com", - "registered_domain": "comodoca.com", - "subdomain": "ocsp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6928376Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7736,25 +3598,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.comodoca.com", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.185" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7765,70 +3623,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 144, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.189Z", - "dns": { - "answers": [ - { - "data": "sync.tubemogul.com", - "type": "CNAME" - }, - { - "data": "syncf.tubemogul.com", - "type": "CNAME" - }, - { - "data": "h2.shared.global.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.2.49", - "type": "A" - }, - { - "data": "151.101.66.49", - "type": "A" - }, - { - "data": "151.101.130.49", - "type": "A" - }, - { - "data": "151.101.194.49", - "type": "A" - } - ], - "question": { - "name": "sync-tm.everesttech.net", - "registered_domain": "everesttech.net", - "subdomain": "sync-tm", - "top_level_domain": "net" - }, - "resolved_ip": [ - "151.101.2.49", - "151.101.66.49", - "151.101.130.49", - "151.101.194.49" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6928489Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7836,25 +3644,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync-tm.everesttech.net", + "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.189" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7865,98 +3669,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 145, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.237Z", - "dns": { - "answers": [ - { - "data": "34.95.92.78", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - } - ], - "question": { - "name": "idsync.rlcdn.com", - "registered_domain": "rlcdn.com", - "subdomain": "idsync", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "34.95.92.78", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6928651Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -7964,25 +3690,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "idsync.rlcdn.com", + "QueryResults": "::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.237" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -7993,72 +3715,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 146, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.274Z", - "dns": { - "answers": [ - { - "data": "track-eu.adformnet.akadns.net", - "type": "CNAME" - }, - { - "data": "37.157.2.239", - "type": "A" - }, - { - "data": "37.157.6.253", - "type": "A" - }, - { - "data": "37.157.2.238", - "type": "A" - }, - { - "data": "37.157.4.25", - "type": "A" - }, - { - "data": "37.157.4.24", - "type": "A" - }, - { - "data": "37.157.6.247", - "type": "A" - } - ], - "question": { - "name": "cm.adform.net", - "registered_domain": "adform.net", - "subdomain": "cm", - "top_level_domain": "net" - }, - "resolved_ip": [ - "37.157.2.239", - "37.157.6.253", - "37.157.2.238", - "37.157.4.25", - "37.157.4.24", - "37.157.6.247" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6928827Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8066,25 +3736,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cm.adform.net", + "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.274" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -8095,43 +3761,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 147, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.302Z", - "dns": { - "answers": [ - { - "data": "37.18.16.16", - "type": "A" - } - ], - "question": { - "name": "dm.hybrid.ai", - "registered_domain": "hybrid.ai", - "subdomain": "dm", - "top_level_domain": "ai" - }, - "resolved_ip": [ - "37.18.16.16" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6928919Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8139,25 +3782,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dm.hybrid.ai", + "QueryResults": "::ffff:37.18.16.16;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.302" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8168,92 +3807,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 148, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.304Z", - "dns": { - "answers": [ - { - "data": "anycast.static.adsafeprotected.com", - "type": "CNAME" - }, - { - "data": "199.166.0.32", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "static.adsafeprotected.com", - "registered_domain": "adsafeprotected.com", - "subdomain": "static", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "199.166.0.32", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6929042Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8261,25 +3828,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "static.adsafeprotected.com", + "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.304" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8290,62 +3853,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 149, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.322Z", - "dns": { - "answers": [ - { - "data": "f2.taboola.map.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.130.2", - "type": "A" - }, - { - "data": "151.101.194.2", - "type": "A" - }, - { - "data": "151.101.2.2", - "type": "A" - }, - { - "data": "151.101.66.2", - "type": "A" - } - ], - "question": { - "name": "trc.taboola.com", - "registered_domain": "taboola.com", - "subdomain": "trc", - "top_level_domain": "com" - }, - "resolved_ip": [ - "151.101.130.2", - "151.101.194.2", - "151.101.2.2", - "151.101.66.2" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6929201Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8353,25 +3874,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "trc.taboola.com", + "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.322" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -8382,42 +3899,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 150, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.379Z", - "dns": { - "answers": [ - { - "data": "107.178.254.65", - "type": "A" - } - ], - "question": { - "name": "pippio.com", - "registered_domain": "pippio.com", - "top_level_domain": "com" - }, - "resolved_ip": [ - "107.178.254.65" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6929352Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8425,25 +3920,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pippio.com", + "QueryResults": "::ffff:107.178.254.65;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.379" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8454,92 +3945,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 151, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.482Z", - "dns": { - "answers": [ - { - "data": "pixel-a.sitescout.com", - "type": "CNAME" - }, - { - "data": "209.15.36.34", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "pixel-sync.sitescout.com", - "registered_domain": "sitescout.com", - "subdomain": "pixel-sync", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "209.15.36.34", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6929973Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8547,25 +3966,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pixel-sync.sitescout.com", + "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.482" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8576,93 +3991,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 152, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.502Z", - "dns": { - "answers": [ - { - "data": "35.186.202.217", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "prod.y-medialink.com", - "registered_domain": "y-medialink.com", - "subdomain": "prod", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.186.202.217", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6930107Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8670,25 +4012,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "prod.y-medialink.com", + "QueryResults": "::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.502" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8699,72 +4037,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 153, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.507Z", - "dns": { - "answers": [ - { - "data": "jadserve.postrelease.com.akadns.net", - "type": "CNAME" - }, - { - "data": "54.80.117.178", - "type": "A" - }, - { - "data": "3.217.22.176", - "type": "A" - }, - { - "data": "35.153.215.15", - "type": "A" - }, - { - "data": "52.207.54.164", - "type": "A" - }, - { - "data": "52.204.186.237", - "type": "A" - }, - { - "data": "52.86.46.105", - "type": "A" - } - ], - "question": { - "name": "jadserve.postrelease.com", - "registered_domain": "postrelease.com", - "subdomain": "jadserve", - "top_level_domain": "com" - }, - "resolved_ip": [ - "54.80.117.178", - "3.217.22.176", - "35.153.215.15", - "52.207.54.164", - "52.204.186.237", - "52.86.46.105" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6930216Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8772,25 +4058,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "jadserve.postrelease.com", + "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.507" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8801,92 +4083,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 154, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.508Z", - "dns": { - "answers": [ - { - "data": "partners-1732315393.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "107.21.43.184", - "type": "A" - }, - { - "data": "54.164.220.86", - "type": "A" - }, - { - "data": "52.72.172.174", - "type": "A" - }, - { - "data": "3.209.65.250", - "type": "A" - }, - { - "data": "3.94.51.187", - "type": "A" - }, - { - "data": "34.193.211.130", - "type": "A" - }, - { - "data": "18.214.47.10", - "type": "A" - }, - { - "data": "18.214.151.246", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - } - ], - "question": { - "name": "appnexus-partners.tremorhub.com", - "registered_domain": "tremorhub.com", - "subdomain": "appnexus-partners", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "107.21.43.184", - "54.164.220.86", - "52.72.172.174", - "3.209.65.250", - "3.94.51.187", - "34.193.211.130", - "18.214.47.10", - "18.214.151.246", - "192.5.6.30", - "2001:503:a83e::2:30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6930336Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -8894,25 +4104,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "appnexus-partners.tremorhub.com", + "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.508" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -8923,81 +4129,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 155, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.531Z", - "dns": { - "answers": [ - { - "data": "gtm13.nexac.com", - "type": "CNAME" - }, - { - "data": "ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "107.21.14.70", - "type": "A" - }, - { - "data": "107.23.33.163", - "type": "A" - }, - { - "data": "23.22.192.59", - "type": "A" - }, - { - "data": "100.24.96.238", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "x.dlx.addthis.com", - "registered_domain": "addthis.com", - "subdomain": "x.dlx", - "top_level_domain": "com" - }, - "resolved_ip": [ - "107.21.14.70", - "107.23.33.163", - "23.22.192.59", - "100.24.96.238", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6930449Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9005,25 +4150,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "x.dlx.addthis.com", + "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.531" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9034,81 +4175,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 156, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.532Z", - "dns": { - "answers": [ - { - "data": "haproxy-dmp.sizmdx.com", - "type": "CNAME" - }, - { - "data": "dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "18.205.112.71", - "type": "A" - }, - { - "data": "50.19.40.146", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - } - ], - "question": { - "name": "dh.serving-sys.com", - "registered_domain": "serving-sys.com", - "subdomain": "dh", - "top_level_domain": "com" - }, - "resolved_ip": [ - "18.205.112.71", - "50.19.40.146", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30" - ] - }, + "@timestamp": "2019-07-18T03:34:04.6930572Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9116,25 +4196,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dh.serving-sys.com", + "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.532" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9145,102 +4221,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 157, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.534Z", - "dns": { - "answers": [ - { - "data": "match-us-east-1.sharethrough.com", - "type": "CNAME" - }, - { - "data": "52.55.160.246", - "type": "A" - }, - { - "data": "3.211.67.240", - "type": "A" - }, - { - "data": "35.173.61.59", - "type": "A" - }, - { - "data": "34.233.179.235", - "type": "A" - }, - { - "data": "34.228.105.237", - "type": "A" - }, - { - "data": "52.7.23.213", - "type": "A" - }, - { - "data": "52.201.177.113", - "type": "A" - }, - { - "data": "34.235.70.251", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - } - ], - "question": { - "name": "match.sharethrough.com", - "registered_domain": "sharethrough.com", - "subdomain": "match", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "52.55.160.246", - "3.211.67.240", - "35.173.61.59", - "34.233.179.235", - "34.228.105.237", - "52.7.23.213", - "52.201.177.113", - "34.235.70.251", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.6930703Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9248,25 +4242,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "match.sharethrough.com", + "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.534" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9277,93 +4267,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 158, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.601Z", - "dns": { - "answers": [ - { - "data": "35.241.16.233", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "tags.rd.linksynergy.com", - "registered_domain": "linksynergy.com", - "subdomain": "tags.rd", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.241.16.233", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.8365914Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9371,25 +4288,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tags.rd.linksynergy.com", + "QueryResults": "::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.601" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9400,86 +4313,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 159, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } }, { - "@timestamp": "2019-07-18T03:34:04.604Z", - "dns": { - "answers": [ - { - "data": "2-01-275d-002d.cdx.cedexis.net", - "type": "CNAME" - }, - { - "data": "rtb-csync-tmk.smartadserver.com", - "type": "CNAME" - }, - { - "data": "199.187.193.166", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "rtb-csync.smartadserver.com", - "registered_domain": "smartadserver.com", - "subdomain": "rtb-csync", - "top_level_domain": "com" - }, - "resolved_ip": [ - "199.187.193.166", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "@timestamp": "2019-07-18T03:34:04.8366083Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9487,25 +4334,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "rtb-csync.smartadserver.com", + "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.604" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9516,92 +4359,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 160, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.621Z", - "dns": { - "answers": [ - { - "data": "anycast.sc.iasds01.com", - "type": "CNAME" - }, - { - "data": "199.166.0.200", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "sc.iasds01.com", - "registered_domain": "iasds01.com", - "subdomain": "sc", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "199.166.0.200", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.8366266Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9609,25 +4380,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sc.iasds01.com", + "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.621" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9638,92 +4405,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 161, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.822Z", - "dns": { - "answers": [ - { - "data": "sjedt.adsafeprotected.com", - "type": "CNAME" - }, - { - "data": "104.244.38.20", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "dt.adsafeprotected.com", - "registered_domain": "adsafeprotected.com", - "subdomain": "dt", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "104.244.38.20", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:05.0346464Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9731,25 +4426,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dt.adsafeprotected.com", + "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.822" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9760,51 +4451,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 162, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.822Z", - "dns": { - "answers": [ - { - "data": "ocsp.digicert.com", - "type": "CNAME" - }, - { - "data": "cs9.wac.phicdn.net", - "type": "CNAME" - }, - { - "data": "72.21.91.29", - "type": "A" - } - ], - "question": { - "name": "status.thawte.com", - "registered_domain": "thawte.com", - "subdomain": "status", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.21.91.29" - ] - }, + "@timestamp": "2019-07-18T03:34:05.0346573Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -9812,25 +4472,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "status.thawte.com", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.822" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9841,90 +4497,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 163, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:04.86Z", - "dns": { - "answers": [ - { - "data": "ip1.ads.stickyadstv.com.akadns.net", - "type": "CNAME" - }, - { - "data": "wlb1.ads.stickyadstv.com.akadns.net", - "type": "CNAME" - }, - { - "data": "fp4.ads.stickyadstv.com.akadns.net", - "type": "CNAME" - }, - { - "data": "38.134.110.101", - "type": "A" - }, - { - "data": "38.134.110.143", - "type": "A" - }, - { - "data": "38.134.110.141", - "type": "A" - }, - { - "data": "38.134.110.171", - "type": "A" - }, - { - "data": "38.134.110.177", - "type": "A" - }, - { - "data": "38.134.110.115", - "type": "A" - }, - { - "data": "38.134.110.104", - "type": "A" - }, - { - "data": "38.134.110.114", - "type": "A" - } - ], - "question": { - "name": "ads.stickyadstv.com", - "registered_domain": "stickyadstv.com", - "subdomain": "ads", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "38.134.110.101", - "38.134.110.143", - "38.134.110.141", - "38.134.110.171", - "38.134.110.177", - "38.134.110.115", - "38.134.110.104", - "38.134.110.114" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:05.0347983Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -9932,25 +4518,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ads.stickyadstv.com", + "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.860" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -9961,51 +4543,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 164, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.904Z", - "dns": { - "answers": [ - { - "data": "hbx.media.net.edgekey.net", - "type": "CNAME" - }, - { - "data": "e607.d.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.167.93", - "type": "A" - } - ], - "question": { - "name": "hbx.media.net", - "registered_domain": "media.net", - "subdomain": "hbx", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.52.167.93" - ] - }, + "@timestamp": "2019-07-18T03:34:06.0516927Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -10013,25 +4564,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "hbx.media.net", + "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.904" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10042,62 +4589,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 165, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:04.911Z", - "dns": { - "answers": [ - { - "data": "trc.taboola.map.fastly.net", - "type": "CNAME" - }, - { - "data": "151.101.194.49", - "type": "A" - }, - { - "data": "151.101.2.49", - "type": "A" - }, - { - "data": "151.101.66.49", - "type": "A" - }, - { - "data": "151.101.130.49", - "type": "A" - } - ], - "question": { - "name": "match.taboola.com", - "registered_domain": "taboola.com", - "subdomain": "match", - "top_level_domain": "com" - }, - "resolved_ip": [ - "151.101.194.49", - "151.101.2.49", - "151.101.66.49", - "151.101.130.49" - ] - }, + "@timestamp": "2019-07-18T03:34:06.05171Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10105,25 +4610,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "match.taboola.com", + "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:04.911" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10134,52 +4635,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 166, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.056Z", - "dns": { - "answers": [ - { - "data": "a1834.dspg2.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.185", - "type": "A" - }, - { - "data": "23.50.53.194", - "type": "A" - } - ], - "question": { - "name": "img-s-msn-com.akamaized.net", - "registered_domain": "akamaized.net", - "subdomain": "img-s-msn-com", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.50.53.185", - "23.50.53.194" - ] - }, + "@timestamp": "2019-07-18T03:34:06.0519029Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10187,25 +4656,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "img-s-msn-com.akamaized.net", + "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.056" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10216,52 +4681,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 167, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.064Z", - "dns": { - "answers": [ - { - "data": "a1505.g2.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.194", - "type": "A" - }, - { - "data": "23.50.53.186", - "type": "A" - } - ], - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "registered_domain": "akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" - ] - }, + "@timestamp": "2019-07-18T03:34:07.0493197Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10269,25 +4702,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.064" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10298,51 +4727,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 168, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.178Z", - "dns": { - "answers": [ - { - "data": "radarmaps.weather.microsoft.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e15275.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.217.149.91", - "type": "A" - } - ], - "question": { - "name": "radarmaps.weather.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "radarmaps.weather", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.217.149.91" - ] - }, + "@timestamp": "2019-07-18T03:34:07.0493349Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10350,25 +4748,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "radarmaps.weather.microsoft.com", + "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.178" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10379,52 +4773,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 169, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.455Z", - "dns": { - "answers": [ - { - "data": "a1505.g2.akamai.net", - "type": "CNAME" - }, - { - "data": "23.50.53.194", - "type": "A" - }, - { - "data": "23.50.53.186", - "type": "A" - } - ], - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "registered_domain": "akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.50.53.194", - "23.50.53.186" - ] - }, + "@timestamp": "2019-07-18T03:34:07.049349Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -10432,25 +4794,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 356 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessId": "356", + "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", + "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.455" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10461,47 +4819,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 170, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.494Z", - "dns": { - "answers": [ - { - "data": "cs747173190.wac.omegacdn.net", - "type": "CNAME" - }, - { - "data": "152.195.32.163", - "type": "A" - } - ], - "question": { - "name": "tag.sp.advertising.com", - "registered_domain": "advertising.com", - "subdomain": "tag.sp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "152.195.32.163" - ] - }, + "@timestamp": "2019-07-18T03:34:07.0493642Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -10509,25 +4840,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tag.sp.advertising.com", + "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.494" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10538,56 +4865,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 171, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:06.567Z", - "dns": { - "answers": [ - { - "data": "a-0001.a-afdentry.net.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "dual-a-0001.a-msedge.net", - "type": "CNAME" - }, - { - "data": "204.79.197.200", - "type": "A" - }, - { - "data": "13.107.21.200", - "type": "A" - } - ], - "question": { - "name": "www.bing.com", - "registered_domain": "bing.com", - "subdomain": "www", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.79.197.200", - "13.107.21.200" - ] - }, + "@timestamp": "2019-07-18T03:34:07.0493772Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10595,25 +4886,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "www.bing.com", + "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:06.567" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10624,51 +4911,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 172, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.228Z", - "dns": { - "answers": [ - { - "data": "akacdn.doubleverify.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e17513.d.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.164.109", - "type": "A" - } - ], - "question": { - "name": "cdn.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "cdn", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.52.164.109" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0542702Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10676,25 +4932,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cdn.doubleverify.com", + "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.228" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10705,55 +4957,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 173, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.357Z", - "dns": { - "answers": [ - { - "data": "cdn.doubleverify.com", - "type": "CNAME" - }, - { - "data": "akacdn.doubleverify.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e17513.d.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.164.109", - "type": "A" - } - ], - "question": { - "name": "cdn3.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "cdn3", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.52.164.109" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0543026Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10761,25 +4978,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cdn3.doubleverify.com", + "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.357" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10790,51 +5003,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 174, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.721Z", - "dns": { - "answers": [ - { - "data": "bs-geo.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "rtb0.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "rtb0", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0543273Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10842,25 +5024,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "rtb0.doubleverify.com", + "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.721" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -10871,51 +5049,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 175, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.774Z", - "dns": { - "answers": [ - { - "data": "platform.maps.glbdns2.microsoft.com", - "type": "CNAME" - }, - { - "data": "fe-bmplatform-prod-atm.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "20.36.236.157", - "type": "A" - } - ], - "question": { - "name": "dev.virtualearth.net", - "registered_domain": "virtualearth.net", - "subdomain": "dev", - "top_level_domain": "net" - }, - "resolved_ip": [ - "20.36.236.157" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0543446Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -10923,25 +5070,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dev.virtualearth.net", + "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.774" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -10952,51 +5095,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 176, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.847Z", - "dns": { - "answers": [ - { - "data": "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", - "type": "CNAME" - }, - { - "data": "e7622.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.161.238", - "type": "A" - } - ], - "question": { - "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", - "registered_domain": "virtualearth.net", - "subdomain": "t.ssl.ak.dynamic.tiles", - "top_level_domain": "net" - }, - "resolved_ip": [ - "23.52.161.238" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0543562Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11004,25 +5116,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "t.ssl.ak.dynamic.tiles.virtualearth.net", + "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.847" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -11033,98 +5141,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 177, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:07.943Z", - "dns": { - "answers": [ - { - "data": "74.217.253.61", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - } - ], - "question": { - "name": "rp.gwallet.com", - "registered_domain": "gwallet.com", - "subdomain": "rp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "74.217.253.61", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.0544116Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11132,25 +5162,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "rp.gwallet.com", + "QueryResults": "::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.943" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -11161,62 +5187,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 178, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.945Z", - "dns": { - "answers": [ - { - "data": "fo-fd-world-new.yax.gysm.yahoodns.net", - "type": "CNAME" - }, - { - "data": "98.139.225.43", - "type": "A" - }, - { - "data": "98.138.49.44", - "type": "A" - }, - { - "data": "72.30.3.43", - "type": "A" - }, - { - "data": "216.155.194.56", - "type": "A" - } - ], - "question": { - "name": "ads.yahoo.com", - "registered_domain": "yahoo.com", - "subdomain": "ads", - "top_level_domain": "com" - }, - "resolved_ip": [ - "98.139.225.43", - "98.138.49.44", - "72.30.3.43", - "216.155.194.56" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0544229Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11224,25 +5208,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ads.yahoo.com", + "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.945" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -11253,53 +5233,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 179, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.954Z", - "dns": { - "answers": [ - { - "data": "169.55.104.49", - "type": "A" - }, - { - "data": "169.60.66.35", - "type": "A" - }, - { - "data": "169.61.103.241", - "type": "A" - } - ], - "question": { - "name": "um.simpli.fi", - "registered_domain": "simpli.fi", - "subdomain": "um", - "top_level_domain": "fi" - }, - "resolved_ip": [ - "169.55.104.49", - "169.60.66.35", - "169.61.103.241" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0544328Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11307,25 +5254,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "um.simpli.fi", + "QueryResults": "::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.954" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -11336,93 +5279,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 180, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:07.955Z", - "dns": { - "answers": [ - { - "data": "35.186.236.204", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "mpp.vindicosuite.com", - "registered_domain": "vindicosuite.com", - "subdomain": "mpp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "35.186.236.204", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.0544448Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11430,25 +5300,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "mpp.vindicosuite.com", + "QueryResults": "::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.955" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -11459,43 +5325,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 181, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.955Z", - "dns": { - "answers": [ - { - "data": "8.41.222.152", - "type": "A" - } - ], - "question": { - "name": "sync.1rx.io", - "registered_domain": "1rx.io", - "subdomain": "sync", - "top_level_domain": "io" - }, - "resolved_ip": [ - "8.41.222.152" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0544546Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11503,25 +5346,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.1rx.io", + "QueryResults": "::ffff:8.41.222.152;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.955" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -11532,51 +5371,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 182, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:07.956Z", - "dns": { - "answers": [ - { - "data": "sync.teads.tv.edgekey.net", - "type": "CNAME" - }, - { - "data": "e9957.g.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.52.160.7", - "type": "A" - } - ], - "question": { - "name": "sync.teads.tv", - "registered_domain": "teads.tv", - "subdomain": "sync", - "top_level_domain": "tv" - }, - "resolved_ip": [ - "23.52.160.7" - ] - }, + "@timestamp": "2019-07-18T03:34:08.0544649Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11584,25 +5392,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.teads.tv", + "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:07.956" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -11613,97 +5417,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 183, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.019Z", - "dns": { - "answers": [ - { - "data": "td.thebrighttag.com", - "type": "CNAME" - }, - { - "data": "3.15.109.176", - "type": "A" - }, - { - "data": "52.15.225.252", - "type": "A" - }, - { - "data": "3.18.121.79", - "type": "A" - }, - { - "data": "3.15.101.187", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "s.thebrighttag.com", - "registered_domain": "thebrighttag.com", - "subdomain": "s", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "3.15.109.176", - "52.15.225.252", - "3.18.121.79", - "3.15.101.187", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.0544828Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11711,25 +5438,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "s.thebrighttag.com", + "QueryResults": "type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.019" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -11740,47 +5463,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 184, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.05Z", - "dns": { - "answers": [ - { - "data": "d386jaag4hn9zl.cloudfront.net", - "type": "CNAME" - }, - { - "data": "54.192.55.189", - "type": "A" - } - ], - "question": { - "name": "t.a3cloud.net", - "registered_domain": "a3cloud.net", - "subdomain": "t", - "top_level_domain": "net" - }, - "resolved_ip": [ - "54.192.55.189" - ] - }, + "@timestamp": "2019-07-18T03:34:09.0538834Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11788,25 +5484,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "t.a3cloud.net", + "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.050" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -11817,51 +5509,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 186, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.07Z", - "dns": { - "answers": [ - { - "data": "nycp-hlb.doubleverify.com", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "tps618.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "tps618", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:09.0539007Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11869,25 +5530,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tps618.doubleverify.com", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.070" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -11898,95 +5555,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 187, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.09Z", - "dns": { - "answers": [ - { - "data": "gslb-2.demdex.net", - "type": "CNAME" - }, - { - "data": "edge-va6.demdex.net", - "type": "CNAME" - }, - { - "data": "dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "54.157.69.185", - "type": "A" - }, - { - "data": "18.209.139.81", - "type": "A" - }, - { - "data": "18.233.36.36", - "type": "A" - }, - { - "data": "52.54.198.81", - "type": "A" - }, - { - "data": "52.55.201.28", - "type": "A" - }, - { - "data": "18.210.34.44", - "type": "A" - }, - { - "data": "52.72.163.149", - "type": "A" - }, - { - "data": "18.232.198.130", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - } - ], - "question": { - "name": "dpm.demdex.net", - "registered_domain": "demdex.net", - "subdomain": "dpm", - "top_level_domain": "net" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "54.157.69.185", - "18.209.139.81", - "18.233.36.36", - "52.54.198.81", - "52.55.201.28", - "18.210.34.44", - "52.72.163.149", - "18.232.198.130", - "192.5.6.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0539141Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -11994,25 +5576,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "dpm.demdex.net", + "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.090" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12023,101 +5601,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 188, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.308Z", - "dns": { - "answers": [ - { - "data": "g.geogslb.com", - "type": "CNAME" - }, - { - "data": "ib.anycast.adnxs.com", - "type": "CNAME" - }, - { - "data": "68.67.179.228", - "type": "A" - }, - { - "data": "68.67.180.44", - "type": "A" - }, - { - "data": "204.13.192.141", - "type": "A" - }, - { - "data": "68.67.178.230", - "type": "A" - }, - { - "data": "68.67.178.252", - "type": "A" - }, - { - "data": "68.67.179.23", - "type": "A" - }, - { - "data": "68.67.179.232", - "type": "A" - }, - { - "data": "68.67.180.12", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "secure.adnxs.com", - "registered_domain": "adnxs.com", - "subdomain": "secure", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "68.67.179.228", - "68.67.180.44", - "204.13.192.141", - "68.67.178.230", - "68.67.178.252", - "68.67.179.23", - "68.67.179.232", - "68.67.180.12", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0539388Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -12125,25 +5622,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "secure.adnxs.com", + "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.308" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12154,51 +5647,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 189, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.478Z", - "dns": { - "answers": [ - { - "data": "tps-geo.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "tps.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "tps", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:09.0539493Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -12206,25 +5668,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tps.doubleverify.com", + "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.478" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12235,123 +5693,42 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 190, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.536Z", - "dns": { - "answers": [ - { - "data": "idaas-production.us-east-1.elasticbeanstalk.com", - "type": "CNAME" - }, - { - "data": "52.71.175.22", - "type": "A" - }, - { - "data": "52.71.208.229", - "type": "A" - }, - { - "data": "52.86.201.172", - "type": "A" - }, - { - "data": "52.7.6.198", - "type": "A" - }, - { - "data": "54.152.156.164", - "type": "A" - }, - { - "data": "54.152.56.202", - "type": "A" - }, - { - "data": "54.164.15.83", - "type": "A" - }, - { - "data": "52.86.191.75", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - } - ], - "question": { - "name": "i.liadm.com", - "registered_domain": "liadm.com", - "subdomain": "i", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "52.71.175.22", - "52.71.208.229", - "52.86.201.172", - "52.7.6.198", - "54.152.156.164", - "54.152.56.202", - "54.164.15.83", - "52.86.191.75", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0677523Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" }, "log": { - "level": "information" - }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": 
"SUCCESS" - } + "level": "information" }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "i.liadm.com", + "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.536" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12362,98 +5739,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 191, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.544Z", - "dns": { - "answers": [ - { - "data": "67.231.251.189", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - } - ], - "question": { - "name": "pixel.s3xified.com", - "registered_domain": "s3xified.com", - "subdomain": "pixel", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "67.231.251.189", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.067766Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -12461,25 +5760,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pixel.s3xified.com", + "QueryResults": "::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.544" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12490,93 +5785,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 192, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.55Z", - "dns": { - "answers": [ - { - "data": "104.20.252.85", - "type": "A" - }, - { - "data": "104.20.253.85", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "router.infolinks.com", - "registered_domain": "infolinks.com", - "subdomain": "router", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "104.20.252.85", - "104.20.253.85", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0677766Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -12584,25 +5806,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "router.infolinks.com", + "QueryResults": "::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.550" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12613,88 +5831,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 193, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.552Z", - "dns": { - "answers": [ - { - "data": "94.23.171.206", - "type": "A" - }, - { - "data": "188.165.137.78", - "type": "A" - }, - { - "data": "87.98.128.108", - "type": "A" - }, - { - "data": "94.23.73.243", - "type": "A" - }, - { - "data": "94.23.144.220", - "type": "A" - }, - { - "data": "87.98.228.78", - "type": "A" - }, - { - "data": "188.165.27.173", - "type": "A" - }, - { - "data": "87.98.252.5", - "type": "A" - }, - { - "data": "188.165.4.142", - "type": "A" - }, - { - "data": "87.98.242.60", - "type": "A" - } - ], - "question": { - "name": "grey.erne.co", - "registered_domain": "erne.co", - "subdomain": "grey", - "top_level_domain": "co" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "94.23.171.206", - "188.165.137.78", - "87.98.128.108", - "94.23.73.243", - "94.23.144.220", - "87.98.228.78", - "188.165.27.173", - "87.98.252.5", - "188.165.4.142", - "87.98.242.60" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0677879Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -12702,25 +5852,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "grey.erne.co", + "QueryResults": "::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.552" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12731,98 +5877,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 194, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.552Z", - "dns": { - "answers": [ - { - "data": "54.243.145.203", - "type": "A" - }, - { - "data": "54.221.211.153", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - } - ], - "question": { - "name": "sync.jivox.com", - "registered_domain": "jivox.com", - "subdomain": "sync", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "54.243.145.203", - "54.221.211.153", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0677978Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -12830,25 +5898,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.jivox.com", + "QueryResults": "::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.552" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -12859,328 +5923,42 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 195, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.594Z", - "dns": { - "answers": [ - { - "data": "b1-lsw-use1.zemanta.com", - "type": "CNAME" - }, - { - "data": "207.244.121.25", - "type": "A" - }, - { - "data": "108.59.0.1", - "type": "A" - }, - { - "data": "162.210.196.115", - "type": "A" - }, - { - "data": "207.244.94.20", - "type": "A" - }, - { - "data": "108.59.0.12", - "type": "A" - }, - { - "data": "207.244.121.65", - "type": "A" - }, - { - "data": "162.210.199.69", - "type": "A" - }, - { - "data": "207.244.76.83", - "type": "A" - }, - { - "data": "162.210.197.137", - "type": "A" - }, - { - "data": "207.244.108.217", - "type": "A" - }, - { - "data": "207.244.121.137", - "type": "A" - }, - { - "data": "207.244.67.99", - "type": "A" - }, - { - "data": "198.7.56.229", - "type": "A" - }, - { - "data": "198.7.56.231", - "type": "A" - }, - { - "data": "108.59.4.172", - "type": "A" - }, - { - "data": "108.62.117.43", - "type": "A" - }, - { - "data": "108.59.4.171", - "type": "A" - }, - { - "data": "207.244.121.27", - "type": "A" - }, - { - "data": "207.244.71.67", - "type": "A" - }, - { - "data": "207.244.121.70", - "type": "A" - }, - { - "data": "199.58.84.25", - "type": "A" - }, - { - "data": "207.244.67.98", - "type": "A" - }, - { - "data": "162.210.196.116", - "type": "A" - }, - { - "data": "207.244.73.10", - "type": "A" - }, - { - "data": "207.244.110.3", - "type": "A" - }, - { - "data": "108.59.4.173", - "type": "A" - }, - { - "data": "108.59.0.8", - "type": "A" - }, - { - "data": "207.244.71.88", - "type": "A" - }, - { - "data": "207.244.121.73", - "type": "A" - }, - { - "data": "207.244.69.231", - "type": "A" - }, - { - "data": "108.59.0.2", - "type": "A" - }, - { - "data": "207.244.121.74", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, 
- { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - }, - { - "data": "2001:502:1ca1::30", - "type": "AAAA" - }, - { - "data": "192.35.51.30", - "type": "A" - }, - { - "data": "2001:503:d414::30", - "type": "AAAA" - }, - { - "data": "192.42.93.30", - "type": "A" - }, - { - "data": "2001:503:eea3::30", - "type": "AAAA" - }, - { - "data": "192.54.112.30", - "type": "A" - }, - { - "data": "2001:502:8cc::30", - "type": "AAAA" - }, - { - "data": "192.43.172.30", - "type": "A" - }, - { - "data": "2001:503:39c1::30", - "type": "AAAA" - }, - { - "data": "192.48.79.30", - "type": "A" - }, - { - "data": "2001:502:7094::30", - "type": "AAAA" - } - ], - "question": { - "name": "b1sync.zemanta.com", - "registered_domain": "zemanta.com", - "subdomain": "b1sync", - "top_level_domain": "com" - }, - "resolved_ip": [ - "207.244.121.25", - "108.59.0.1", - "162.210.196.115", - "207.244.94.20", - "108.59.0.12", - "207.244.121.65", - "162.210.199.69", - "207.244.76.83", - "162.210.197.137", - "207.244.108.217", - "207.244.121.137", - "207.244.67.99", - "198.7.56.229", - "198.7.56.231", - "108.59.4.172", - "108.62.117.43", - "108.59.4.171", - "207.244.121.27", - "207.244.71.67", - "207.244.121.70", - "199.58.84.25", - "207.244.67.98", - "162.210.196.116", - "207.244.73.10", - "207.244.110.3", - "108.59.4.173", - "108.59.0.8", - "207.244.71.88", - "207.244.121.73", - "207.244.69.231", - "108.59.0.2", - "207.244.121.74", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30", - "2001:502:1ca1::30", - "192.35.51.30", - "2001:503:d414::30", - "192.42.93.30", 
- "2001:503:eea3::30", - "192.54.112.30", - "2001:502:8cc::30", - "192.43.172.30", - "2001:503:39c1::30", - "192.48.79.30", - "2001:502:7094::30" - ] - }, - "event": { - "category": [ - "network" - ], - "code": "22", - "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] - }, - "host": { - "name": "vagrant-2016" - }, - "log": { - "level": "information" - }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0678196Z", + "event": { + "code": "22", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant-2016" }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } + "log": { + "level": "information" }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "b1sync.zemanta.com", + "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.594" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13191,138 +5969,42 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 196, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:08.619Z", - "dns": { - "answers": [ - { - "data": "tg3.dr.socdm.com", - "type": "CNAME" - }, - { - "data": "124.146.215.43", - "type": "A" - }, - { - "data": "202.241.208.53", - "type": "A" - }, - { - "data": "124.146.215.46", - "type": "A" - }, - { - "data": "202.241.208.52", - "type": "A" - }, - { - "data": "124.146.215.48", - "type": "A" - }, - { - "data": "124.146.215.45", - "type": "A" - }, - { - "data": "202.241.208.54", - "type": "A" - }, - { - "data": "124.146.215.47", - "type": "A" - }, - { - "data": "124.146.215.42", - "type": "A" - }, - { - "data": "124.146.215.44", - "type": "A" - }, - { - "data": "202.241.208.55", - "type": "A" - }, - { - "data": "202.241.208.56", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - } - ], - "question": { - "name": "tg.socdm.com", - "registered_domain": "socdm.com", - "subdomain": "tg", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "124.146.215.43", - "202.241.208.53", - "124.146.215.46", - "202.241.208.52", - "124.146.215.48", - "124.146.215.45", - "202.241.208.54", - "124.146.215.47", - "124.146.215.42", - "124.146.215.44", - "202.241.208.55", - "202.241.208.56", - "192.5.6.30", - "2001:503:a83e::2:30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.0678355Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] - }, - "host": { - "name": "vagrant-2016" - }, - "log": { - "level": "information" - }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 + "provider": "Microsoft-Windows-Sysmon" + }, + "host": { + "name": "vagrant-2016" }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } + "log": { + "level": "information" }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tg.socdm.com", + "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.619" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13333,47 +6015,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 197, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.62Z", - "dns": { - "answers": [ - { - "data": "prebid.appnexusgslb.net", - "type": "CNAME" - }, - { - "data": "68.67.153.75", - "type": "A" - } - ], - "question": { - "name": "prebid.adnxs.com", - "registered_domain": "adnxs.com", - "subdomain": "prebid", - "top_level_domain": "com" - }, - "resolved_ip": [ - "68.67.153.75" - ] - }, + "@timestamp": "2019-07-18T03:34:09.067845Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -13381,25 +6036,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "prebid.adnxs.com", + "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.620" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13410,55 +6061,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 198, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.811Z", - "dns": { - "answers": [ - { - "data": "tps.doubleverify.com", - "type": "CNAME" - }, - { - "data": "tps-geo.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "ul1.dvtps.com", - "registered_domain": "dvtps.com", - "subdomain": "ul1", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:09.0678835Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -13466,25 +6082,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ul1.dvtps.com", + "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:08.811" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -13495,34 +6107,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 199, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:08.912Z", - "dns": { - "question": { - "name": "ul1.dvtps.com", - "registered_domain": "dvtps.com", - "subdomain": "ul1", - "top_level_domain": "com" - } - }, + "@timestamp": "2019-07-18T03:34:09.0679463Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -13530,25 +6128,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ul1.dvtps.com", + "QueryStatus": "9701", + "UtcTime": "2019-07-18 03:34:08.912" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -13559,51 +6152,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 200, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:09.016Z", - "dns": { - "answers": [ - { - "data": "tags.bluekai.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e13541.x.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "23.3.125.199", - "type": "A" - } - ], - "question": { - "name": "tags.bluekai.com", - "registered_domain": "bluekai.com", - "subdomain": "tags", - "top_level_domain": "com" - }, - "resolved_ip": [ - "23.3.125.199" - ] - }, + "@timestamp": "2019-07-18T03:34:09.0680034Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -13611,25 +6173,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tags.bluekai.com", + "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.016" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13640,98 +6198,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 201, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:09.048Z", - "dns": { - "answers": [ - { - "data": "104.19.195.151", - "type": "A" - }, - { - "data": "104.19.199.151", - "type": "A" - }, - { - "data": "104.19.198.151", - "type": "A" - }, - { - "data": "104.19.197.151", - "type": "A" - }, - { - "data": "104.19.196.151", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - } - ], - "question": { - "name": "cdnjs.cloudflare.com", - "registered_domain": "cloudflare.com", - "subdomain": "cdnjs", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "104.19.195.151", - "104.19.199.151", - "104.19.198.151", - "104.19.197.151", - "104.19.196.151", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.0674672Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -13739,25 +6219,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "cdnjs.cloudflare.com", + "QueryResults": "::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.048" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13768,98 +6244,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 202, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:09.051Z", - "dns": { - "answers": [ - { - "data": "85.194.243.23", - "type": "A" - }, - { - "data": "85.194.243.239", - "type": "A" - }, - { - "data": "85.194.240.137", - "type": "A" - }, - { - "data": "85.194.242.103", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "pixel.onaudience.com", - "registered_domain": "onaudience.com", - "subdomain": "pixel", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "85.194.243.23", - "85.194.243.239", - "85.194.240.137", - "85.194.242.103", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.0674881Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -13867,25 +6265,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "pixel.onaudience.com", + "QueryResults": "::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.051" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13896,51 +6290,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 203, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:09.054Z", - "dns": { - "answers": [ - { - "data": "ocsp.digicert.com", - "type": "CNAME" - }, - { - "data": "cs9.wac.phicdn.net", - "type": "CNAME" - }, - { - "data": "72.21.91.29", - "type": "A" - } - ], - "question": { - "name": "status.geotrust.com", - "registered_domain": "geotrust.com", - "subdomain": "status", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.21.91.29" - ] - }, + "@timestamp": "2019-07-18T03:34:10.0675046Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -13948,25 +6311,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "status.geotrust.com", + "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.054" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -13977,92 +6336,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 204, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:09.126Z", - "dns": { - "answers": [ - { - "data": "t3j2g9x7.stackpathcdn.com", - "type": "CNAME" - }, - { - "data": "151.139.128.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.trust-provider.com", - "registered_domain": "trust-provider.com", - "subdomain": "ocsp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.0675293Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14070,25 +6357,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.trust-provider.com", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.126" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14099,92 +6382,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 205, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:09.184Z", - "dns": { - "answers": [ - { - "data": "t3j2g9x7.stackpathcdn.com", - "type": "CNAME" - }, - { - "data": "151.139.128.14", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "ocsp.comodoca4.com", - "registered_domain": "comodoca4.com", - "subdomain": "ocsp", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "151.139.128.14", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.0675508Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14192,25 +6403,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ocsp.comodoca4.com", + "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.184" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14221,91 +6428,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 206, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:09.322Z", - "dns": { - "answers": [ - { - "data": "td.crwdcntrl.net", - "type": "CNAME" - }, - { - "data": "nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com", - "type": "CNAME" - }, - { - "data": "52.4.111.14", - "type": "A" - }, - { - "data": "52.205.68.184", - "type": "A" - }, - { - "data": "52.0.28.154", - "type": "A" - }, - { - "data": "34.225.82.232", - "type": "A" - }, - { - "data": "18.213.13.245", - "type": "A" - }, - { - "data": "52.22.171.66", - "type": "A" - }, - { - "data": "52.207.199.229", - "type": "A" - }, - { - "data": "52.72.57.144", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - } - ], - "question": { - "name": "sync.crwdcntrl.net", - "registered_domain": "crwdcntrl.net", - "subdomain": "sync", - "top_level_domain": "net" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "52.4.111.14", - "52.205.68.184", - "52.0.28.154", - "34.225.82.232", - "18.213.13.245", - "52.22.171.66", - "52.207.199.229", - "52.72.57.144", - "192.5.6.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.0675942Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14313,25 +6449,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "sync.crwdcntrl.net", + "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.322" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14342,80 +6474,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 207, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:09.73Z", - "dns": { - "answers": [ - { - "data": "cpe.us.dotomi.weighted.com.akadns.net", - "type": "CNAME" - }, - { - "data": "cpe.us.iad.dotomi.weighted.com.akadns.net", - "type": "CNAME" - }, - { - "data": "iad04-convex.dotomi.com", - "type": "CNAME" - }, - { - "data": "159.127.42.114", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - } - ], - "question": { - "name": "match.sync.ad.cpe.dotomi.com", - "registered_domain": "dotomi.com", - "subdomain": "match.sync.ad.cpe", - "top_level_domain": "com" - }, - "resolved_ip": [ - "159.127.42.114", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30" - ] - }, + "@timestamp": "2019-07-18T03:34:10.0676348Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14423,25 +6495,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "match.sync.ad.cpe.dotomi.com", + "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:09.730" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14452,51 +6520,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 208, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:10.627Z", - "dns": { - "answers": [ - { - "data": "nycp-hlb.doubleverify.com", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "tps10230.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "tps10230", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:11.066534Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -14504,25 +6541,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tps10230.doubleverify.com", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:10.627" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14533,51 +6566,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 209, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:10.65Z", - "dns": { - "answers": [ - { - "data": "nycp-hlb.doubleverify.com", - "type": "CNAME" - }, - { - "data": "nycp-hlb.dvgtm.akadns.net", - "type": "CNAME" - }, - { - "data": "204.154.111.122", - "type": "A" - } - ], - "question": { - "name": "tps10221.doubleverify.com", - "registered_domain": "doubleverify.com", - "subdomain": "tps10221", - "top_level_domain": "com" - }, - "resolved_ip": [ - "204.154.111.122" - ] - }, + "@timestamp": "2019-07-18T03:34:11.0665587Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -14585,25 +6587,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "tps10221.doubleverify.com", + "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:10.650" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14614,92 +6612,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 210, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:16.329Z", - "dns": { - "answers": [ - { - "data": "star-mini.c10r.facebook.com", - "type": "CNAME" - }, - { - "data": "31.13.71.36", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - }, - { - "data": "192.12.94.30", - "type": "A" - } - ], - "question": { - "name": "www.facebook.com", - "registered_domain": "facebook.com", - "subdomain": "www", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "31.13.71.36", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30", - "192.12.94.30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:17.2720222Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14707,25 +6633,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "www.facebook.com", + "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:16.329" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14736,63 +6658,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 212, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:16.386Z", - "dns": { - "answers": [ - { - "data": "cs472.wac.edgecastcdn.net", - "type": "CNAME" - }, - { - "data": "cs1-apr-8315.wac.edgecastcdn.net", - "type": "CNAME" - }, - { - "data": "wac.apr-8315.edgecastdns.net", - "type": "CNAME" - }, - { - "data": "cs1-lb-us.8315.ecdns.net", - "type": "CNAME" - }, - { - "data": "cs491.wac.edgecastcdn.net", - "type": "CNAME" - }, - { - "data": "192.229.163.25", - "type": "A" - } - ], - "question": { - "name": "platform.twitter.com", - "registered_domain": "twitter.com", - "subdomain": "platform", - "top_level_domain": "com" - }, - "resolved_ip": [ - "192.229.163.25" - ] - }, + "@timestamp": "2019-07-18T03:34:17.2721029Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14800,25 +6679,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "platform.twitter.com", + "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:16.386" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14829,98 +6704,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 213, "user": { - "identifier": "S-1-5-18" - }, - "version": 5 - } - }, - { - "@timestamp": "2019-07-18T03:34:16.482Z", - "dns": { - "answers": [ - { - "data": "104.244.42.8", - "type": "A" - }, - { - "data": "104.244.42.200", - "type": "A" - }, - { - "data": "104.244.42.136", - "type": "A" - }, - { - "data": "104.244.42.72", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - }, - { - "data": "192.31.80.30", - "type": "A" - }, - { - "data": "2001:500:856e::30", - "type": "AAAA" - } - ], - "question": { - "name": "syndication.twitter.com", - "registered_domain": "twitter.com", - "subdomain": "syndication", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, - "resolved_ip": [ - "104.244.42.8", - "104.244.42.200", - "104.244.42.136", - "104.244.42.72", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30", - "192.31.80.30", - "2001:500:856e::30" - ] - }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:17.2721343Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -14928,25 +6725,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "syndication.twitter.com", + "QueryResults": "::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:16.482" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -14957,47 +6750,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 214, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:19.578Z", - "dns": { - "answers": [ - { - "data": "pagead.l.doubleclick.net", - "type": "CNAME" - }, - { - "data": "172.217.10.34", - "type": "A" - } - ], - "question": { - "name": "ade.googlesyndication.com", - "registered_domain": "googlesyndication.com", - "subdomain": "ade", - "top_level_domain": "com" - }, - "resolved_ip": [ - "172.217.10.34" - ] - }, + "@timestamp": "2019-07-18T03:34:21.5524909Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15005,25 +6771,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 2736 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessId": "2736", + "QueryName": "ade.googlesyndication.com", + "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:19.578" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15034,51 +6796,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 215, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:34:31.219Z", - "dns": { - "answers": [ - { - "data": "ie9comview.vo.msecnd.net", - "type": "CNAME" - }, - { - "data": "cs9.wpc.v0cdn.net", - "type": "CNAME" - }, - { - "data": "72.21.81.200", - "type": "A" - } - ], - "question": { - "name": "iecvlist.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "iecvlist", - "top_level_domain": "com" - }, - "resolved_ip": [ - "72.21.81.200" - ] - }, + "@timestamp": "2019-07-18T03:34:33.1481043Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15086,25 +6817,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 356 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessId": "356", + "QueryName": "iecvlist.microsoft.com", + "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:34:31.219" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15115,47 +6842,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 216, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:39:02.752Z", - "dns": { - "answers": [ - { - "data": "tsfe.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "40.77.232.95", - "type": "A" - } - ], - "question": { - "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "tsfe.trafficshaping.dsp.mp", - "top_level_domain": "com" - }, - "resolved_ip": [ - "40.77.232.95" - ] - }, + "@timestamp": "2019-07-18T03:39:03.6856902Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15163,25 +6863,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 844 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "ProcessId": "844", + "QueryName": "tsfe.trafficshaping.dsp.mp.microsoft.com", + "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:39:02.752" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15192,34 +6888,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 220, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:39:20.413Z", - "dns": { - "question": { - "name": "isatap.local.crowbird.com", - "registered_domain": "crowbird.com", - "subdomain": "isatap.local", - "top_level_domain": "com" - } - }, + "@timestamp": "2019-07-18T03:39:22.4321531Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15227,25 +6909,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 844 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "ProcessId": "844", + "QueryName": "isatap.local.crowbird.com", + "QueryStatus": "9003", + "UtcTime": "2019-07-18 03:39:20.413" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15256,31 +6933,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 221, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:39:40.504Z", - "dns": { - "question": { - "name": "puppet" - } - }, + "@timestamp": "2019-07-18T03:39:42.5545393Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15288,25 +6954,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", - "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", - "name": "ruby.exe", - "pid": 676 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", + "ProcessGuid": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "ProcessId": "676", + "QueryName": "puppet", + "QueryStatus": "9003", + "UtcTime": "2019-07-18 03:39:40.504" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15317,31 +6978,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 230, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:40:40.433Z", - "dns": { - "question": { - "name": "wpad" - } - }, + "@timestamp": "2019-07-18T03:40:42.4472937Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" @@ -15349,25 +6999,20 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 636 - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "ProcessId": "636", + "QueryName": "wpad", + "QueryStatus": "9003", + "UtcTime": "2019-07-18 03:40:40.433" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15378,55 +7023,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 231, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:42:54.033Z", - "dns": { - "answers": [ - { - "data": "v10-win.vortex.data.microsoft.com.akadns.net", - "type": "CNAME" - }, - { - "data": "geo.vortex.data.microsoft.com.akadns.net", - "type": "CNAME" - }, - { - "data": "bn2.vortex.data.microsoft.com.akadns.net", - "type": "CNAME" - }, - { - "data": "65.55.44.109", - "type": "A" - } - ], - "question": { - "name": "v10.vortex-win.data.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "v10.vortex-win.data", - "top_level_domain": "com" - }, - "resolved_ip": [ - "65.55.44.109" - ] - }, + "@timestamp": "2019-07-18T03:42:55.556826Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -15434,25 +7044,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 1788 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "ProcessId": "1788", + "QueryName": "v10.vortex-win.data.microsoft.com", + "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:42:54.033" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -15463,47 +7069,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 232, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:43:04.4Z", - "dns": { - "answers": [ - { - "data": "settingsfd-geo.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "20.36.218.63", - "type": "A" - } - ], - "question": { - "name": "settings-win.data.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "settings-win.data", - "top_level_domain": "com" - }, - "resolved_ip": [ - "20.36.218.63" - ] - }, + "@timestamp": "2019-07-18T03:43:06.4599868Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -15511,25 +7090,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 1788 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Windows\\System32\\svchost.exe", + "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "ProcessId": "1788", + "QueryName": "settings-win.data.microsoft.com", + "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:43:04.400" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { 
@@ -15540,81 +7115,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 233, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-07-18T03:49:51.154Z", - "dns": { - "answers": [ - { - "data": "wd-prod-ss.trafficmanager.net", - "type": "CNAME" - }, - { - "data": "wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com", - "type": "CNAME" - }, - { - "data": "40.121.17.79", - "type": "A" - }, - { - "data": "192.5.6.30", - "type": "A" - }, - { - "data": "2001:503:a83e::2:30", - "type": "AAAA" - }, - { - "data": "192.33.14.30", - "type": "A" - }, - { - "data": "2001:503:231d::2:30", - "type": "AAAA" - }, - { - "data": "192.26.92.30", - "type": "A" - }, - { - "data": "2001:503:83eb::30", - "type": "AAAA" - } - ], - "question": { - "name": "c.urs.microsoft.com", - "registered_domain": "microsoft.com", - "subdomain": "c.urs", - "top_level_domain": "com" - }, - "resolved_ip": [ - "40.121.17.79", - "192.5.6.30", - "2001:503:a83e::2:30", - "192.33.14.30", - "2001:503:231d::2:30", - "192.26.92.30", - "2001:503:83eb::30" - ] - }, + "@timestamp": "2019-07-18T03:49:52.1056327Z", "event": { - "category": [ - "network" - ], "code": "22", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "protocol", - "info" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2016" 
@@ -15622,25 +7136,21 @@ "log": { "level": "information" }, - "network": { - "protocol": "dns" - }, - "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "name": "iexplore.exe", - "pid": 356 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", + "event_data": { + "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessId": "356", + "QueryName": "c.urs.microsoft.com", + "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;", + "QueryStatus": "0", + "UtcTime": "2019-07-18 03:49:51.154" + }, "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { @@ -15651,7 +7161,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 234, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index 62b105a21b9..74c449820de 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json 
@@ -1,23 +1,10 @@ [ { - "@timestamp": "2020-05-07T08:14:44.489Z", + "@timestamp": "2020-05-07T08:14:44.4899785Z", "event": { - "category": [ - "file" - ], "code": "23", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "deletion" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", - "extension": "exe", - "name": "test.test.exe", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -25,44 +12,24 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", - "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", - "hash": { - "md5": "199e1cf5b2250bd515ecccf4ca686301" - }, - "name": "go.exe", - "pe": { - "imphash": "d90d8c7812aec8da0fa173afa1293ab2" - }, - "pid": 2184 - }, - "related": { - "hash": [ - "199e1cf5b2250bd515ecccf4ca686301", - "d90d8c7812aec8da0fa173afa1293ab2" - ], - "user": "vagrant" - }, - "rule": { - "name": "-" - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": true - } - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18", - "name": "vagrant" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Archived": "true", + "Hashes": "MD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2", + "Image": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "IsExecutable": "true", + "ProcessGuid": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "ProcessId": "2184", + "RuleName": "-", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe", + "User": "VAGRANT-2012-R2\\vagrant", + "UtcTime": "2020-05-07 08:14:44.489" + }, "event_id": "23", + "opcode": "Info", "process": { "pid": 664, "thread": { 
@@ -73,30 +40,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 612, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2020-05-07T07:27:18.722Z", + "@timestamp": "2020-05-07T07:27:18.7221361Z", "event": { - "category": [ - "file" - ], "code": "23", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "deletion" - ] - }, - "file": { - "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", - "extension": "dat", - "name": "lastalive0.dat", - "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -104,38 +61,24 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "hash": { - "sha1": "115106f5b338c87ae6836d50dd890de3da296367" - }, - "name": "svchost.exe", - "pid": 776 - }, - "related": { - "hash": "115106f5b338c87ae6836d50dd890de3da296367", - "user": "LOCAL SERVICE" - }, - "rule": { - "name": "-" - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "LOCAL SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Archived": "true", + "Hashes": "SHA1=115106F5B338C87AE6836D50DD890DE3DA296367", + "Image": "C:\\Windows\\System32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "ProcessId": "776", + "RuleName": "-", + "TargetFilename": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat", + "User": "NT AUTHORITY\\LOCAL SERVICE", + "UtcTime": "2020-05-07 07:27:18.722" + }, "event_id": "23", + "opcode": "Info", "process": { "pid": 664, "thread": { 
@@ -146,29 +89,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 11, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2020-05-12T06:48:27.084Z", + "@timestamp": "2020-05-12T06:48:27.0840442Z", "event": { - "category": [ - "file" - ], "code": "23", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "deletion" - ] - }, - "file": { - "directory": "C:\\Windows\\System32\\LogFiles\\Scm", - "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", - "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -176,38 +110,24 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", - "executable": "C:\\Windows\\system32\\svchost.exe", - "hash": { - "md5": "5a9bddf83be530b481f0fd24db28a6ff" - }, - "name": "svchost.exe", - "pid": 820 - }, - "related": { - "hash": "5a9bddf83be530b481f0fd24db28a6ff", - "user": "SYSTEM" - }, - "rule": { - "name": "-" - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Archived": "true", + "Hashes": "MD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000", + "Image": "C:\\Windows\\system32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{42f11c3b-4664-5eba-91ae-000000000000}", + "ProcessId": "820", + "RuleName": "-", + "TargetFilename": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2020-05-12 06:48:27.084" + }, "event_id": "23", + "opcode": "Info", "process": { "pid": 1188, "thread": { @@ -218,7 +138,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2243, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json index be766c23f9b..b4db5b63031 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedeletedetected.evtx.golden.json 
@@ -1,23 +1,10 @@ [ { - "@timestamp": "2022-01-24T05:12:34.328Z", + "@timestamp": "2022-01-24T05:12:34.3299803Z", "event": { - "category": [ - "file" - ], "code": "26", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "deletion" - ] - }, - "file": { - "directory": "C:\\Windows\\ServiceState\\EventLog\\Data", - "extension": "dat", - "name": "lastalive1.dat", - "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -25,37 +12,23 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "hash": { - "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" - }, - "name": "svchost.exe", - "pid": 1264 - }, - "related": { - "hash": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79", - "user": "LOCAL SERVICE" - }, - "rule": { - "name": "-" - }, - "sysmon": { - "file": { - "is_executable": false - } - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "LOCAL SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", + "event_data": { + "Hashes": "SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79", + "Image": "C:\\Windows\\System32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-a2b4-61ee-1b00-000000000700}", + "ProcessId": "1264", + "RuleName": "-", + "TargetFilename": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat", + "User": "NT AUTHORITY\\LOCAL SERVICE", + "UtcTime": "2022-01-24 05:12:34.328" + }, "event_id": "26", + "opcode": "Info", "process": { "pid": 2764, "thread": { 
@@ -66,30 +39,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 456, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2022-01-24T05:12:51.031Z", + "@timestamp": "2022-01-24T05:12:51.04227Z", "event": { - "category": [ - "file" - ], "code": "26", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "deletion" - ] - }, - "file": { - "directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache", - "extension": "000", - "name": "OLDCACHE.000", - "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" 
@@ -97,37 +60,23 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{63a74932-3523-61ee-af00-000000000700}", - "executable": "C:\\Windows\\system32\\svchost.exe", - "hash": { - "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" - }, - "name": "svchost.exe", - "pid": 1364 - }, - "related": { - "hash": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b", - "user": "SYSTEM" - }, - "rule": { - "name": "-" - }, - "sysmon": { - "file": { - "is_executable": false - } - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", + "event_data": { + "Hashes": "SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B", + "Image": "C:\\Windows\\system32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-3523-61ee-af00-000000000700}", + "ProcessId": "1364", + "RuleName": "-", + "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2022-01-24 05:12:51.031" + }, "event_id": "26", + "opcode": "Info", "process": { "pid": 2764, "thread": { @@ -138,7 +87,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 457, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json index 70217350c10..0ef9ef3d650 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json 
@@ -1,18 +1,10 @@ [ { - "@timestamp": "2020-05-05T14:57:40.589Z", + "@timestamp": "2020-05-05T14:57:40.5995672Z", "event": { - "category": [ - "configuration", - "registry" - ], "code": "13", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -20,24 +12,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe", - "name": "regedit.exe", - "pid": 6072 - }, - "registry": { - "data": { - "strings": [ - "4" - ], - "type": "SZ_DWORD" - }, - "hive": "HKU", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", - "value": "Key 1" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", @@ -45,9 +19,15 @@ "event_data": { "Details": "DWORD (0x00000004)", "EventType": "SetValue", - "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" + "Image": "C:\\Windows\\regedit.exe", + "ProcessGuid": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "ProcessId": "6072", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "UtcTime": "2020-05-05 14:57:40.589" }, "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { 
@@ -58,25 +38,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2682, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 2 } }, { - "@timestamp": "2020-05-05T14:57:44.714Z", + "@timestamp": "2020-05-05T14:57:44.7232485Z", "event": { - "category": [ - "configuration", - "registry" - ], "code": "13", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -84,18 +59,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE", - "name": "Explorer.EXE", - "pid": 4320 - }, - "registry": { - "hive": "HKU", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -103,9 +66,15 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + "Image": "C:\\Windows\\Explorer.EXE", + "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessId": "4320", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "UtcTime": "2020-05-05 14:57:44.714" }, "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { @@ -116,25 +85,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2686, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 2 } }, { - "@timestamp": "2020-05-05T14:57:44.714Z", + "@timestamp": "2020-05-05T14:57:44.7260099Z", "event": { - "category": [ - "configuration", - "registry" - ], "code": "13", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -142,24 +106,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe", - "name": "regedit.exe", - "pid": 6072 - }, - "registry": { - "data": { - "strings": [ - "5" - ], - "type": "SZ_QWORD" - }, - "hive": "HKU", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", - "value": "Key 2" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -167,9 +113,15 @@ "event_data": { "Details": "QWORD (0x00000000-0x00000005)", "EventType": "SetValue", - "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" + "Image": "C:\\Windows\\regedit.exe", + "ProcessGuid": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "ProcessId": "6072", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "UtcTime": "2020-05-05 14:57:44.714" }, "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { @@ -180,25 +132,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2687, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 2 } }, { - "@timestamp": "2020-05-05T14:57:46.808Z", + "@timestamp": "2020-05-05T14:57:46.8188214Z", "event": { - "category": [ - "configuration", - "registry" - ], "code": "13", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -206,18 +153,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE", - "name": "Explorer.EXE", - "pid": 4320 - }, - "registry": { - "hive": "HKU", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", - "value": "ertrqvg.rkr" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -225,9 +160,15 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" + "Image": "C:\\Windows\\Explorer.EXE", + "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessId": "4320", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "UtcTime": "2020-05-05 14:57:46.808" }, "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { @@ -238,25 +179,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2690, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 2 } }, { - "@timestamp": "2020-05-05T14:57:46.808Z", + "@timestamp": "2020-05-05T14:57:46.8188691Z", "event": { - "category": [ - "configuration", - "registry" - ], "code": "13", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" 
@@ -264,18 +200,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE", - "name": "Explorer.EXE", - "pid": 4320 - }, - "registry": { - "hive": "HKU", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", @@ -283,9 +207,15 @@ "event_data": { "Details": "Binary Data", "EventType": "SetValue", - "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + "Image": "C:\\Windows\\Explorer.EXE", + "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessId": "4320", + "RuleName": "-", + "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "UtcTime": "2020-05-05 14:57:46.808" }, "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { @@ -296,7 +226,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2691, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 2 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json index 99b5b118b75..b4e1f9842a3 100644 
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-loadimage.evtx.golden.json @@ -1,42 +1,10 @@ [ { - "@timestamp": "2020-10-28T02:39:26.374Z", + "@timestamp": "2020-10-28T02:39:26.3883252Z", "event": { - "category": [ - "process" - ], "code": "7", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "code_signature": { - "signed": true, - "status": "Valid", - "subject_name": "Microsoft Windows", - "valid": true - }, - "directory": "C:\\Windows\\System32", - "extension": "dll", - "hash": { - "md5": "c7c45610f644906e6f7d664ef2e45b08", - "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", - "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e" - }, - "name": "IDStore.dll", - "path": "C:\\Windows\\System32\\IDStore.dll", - "pe": { - "company": "Microsoft Corporation", - "description": "Identity Store", - "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "imphash": "194f3797b52231028c718b6d776c6853", - "original_file_name": "IdStore.dll", - "product": "Microsoft® Windows® Operating System" - } + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" @@ -44,20 +12,6 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", - "executable": "C:\\Windows\\System32\\dllhost.exe", - "name": "dllhost.exe", - "pid": 5184 - }, - "related": { - "hash": [ - "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", - "c7c45610f644906e6f7d664ef2e45b08", - "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e", - "194f3797b52231028c718b6d776c6853" - ] - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", 
@@ -66,12 +20,21 @@ "Company": "Microsoft Corporation", "Description": "Identity Store", "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", + "Hashes": "SHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853", + "Image": "C:\\Windows\\System32\\dllhost.exe", + "ImageLoaded": "C:\\Windows\\System32\\IDStore.dll", + "OriginalFileName": "IdStore.dll", + "ProcessGuid": "{9f32b55f-d9de-5f98-f006-000000000600}", + "ProcessId": "5184", "Product": "Microsoft® Windows® Operating System", + "RuleName": "-", "Signature": "Microsoft Windows", "SignatureStatus": "Valid", - "Signed": "true" + "Signed": "true", + "UtcTime": "2020-10-28 02:39:26.374" }, "event_id": "7", + "opcode": "Info", "process": { "pid": 1676, "thread": { @@ -82,7 +45,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10685, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json index 87b0a70efcd..6e0cba4335f 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-12-processcreate.evtx.golden.json @@ -1,18 +1,10 @@ [ { - "@timestamp": "2020-10-27T20:00:14.32Z", + "@timestamp": "2020-10-27T20:00:14.3242341Z", "event": { - "category": [ - "process" - ], "code": "1", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "start", - "process_start" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant" 
@@ -20,61 +12,36 @@ "log": { "level": "information" }, - "process": { - "args": [ - "C:\\Windows\\system32\\notepad.exe" - ], - "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", - "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", - "executable": "C:\\Windows\\System32\\notepad.exe", - "hash": { - "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" - }, - "name": "notepad.exe", - "parent": { - "args": [ - "C:\\Windows\\Explorer.EXE" - ], - "command_line": "C:\\Windows\\Explorer.EXE", - "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", - "executable": "C:\\Windows\\explorer.exe", - "name": "explorer.exe", - "pid": 4212 - }, - "pe": { - "company": "Microsoft Corporation", - "description": "Notepad", - "file_version": "10.0.17763.475 (WinBuild.160101.0800)", - "original_file_name": "NOTEPAD.EXE", - "product": "Microsoft® Windows® Operating System" - }, - "pid": 3616, - "working_directory": "C:\\Users\\vagrant\\" - }, - "related": { - "hash": "b6d237154f2e528f0b503b58b025862d66b02b73", - "user": "vagrant" - }, - "user": { - "domain": "VAGRANT", - "id": "S-1-5-18", - "name": "vagrant" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\notepad.exe\" ", "Company": "Microsoft Corporation", + "CurrentDirectory": "C:\\Users\\vagrant\\", "Description": "Notepad", "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", + "Hashes": "SHA1=B6D237154F2E528F0B503B58B025862D66B02B73", + "Image": "C:\\Windows\\System32\\notepad.exe", "IntegrityLevel": "Medium", "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", "LogonId": "0x2c9e7", + "OriginalFileName": "NOTEPAD.EXE", + "ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "ParentImage": "C:\\Windows\\explorer.exe", + "ParentProcessGuid": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "ParentProcessId": "4212", + "ProcessGuid": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "ProcessId": "3616", 
"Product": "Microsoft® Windows® Operating System", - "TerminalSessionId": "1" + "RuleName": "-", + "TerminalSessionId": "1", + "User": "VAGRANT\\vagrant", + "UtcTime": "2020-10-27 20:00:14.320" }, "event_id": "1", + "opcode": "Info", "process": { "pid": 7144, "thread": { @@ -85,7 +52,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 20, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json index 8078ea80ba1..8285f5d3899 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-clipboardchange.evtx.golden.json @@ -1,14 +1,10 @@ [ { - "@timestamp": "2021-02-25T15:04:48.592Z", + "@timestamp": "2021-02-25T15:04:48.6073435Z", "event": { "code": "24", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "DESKTOP-I9CQVAQ" 
@@ -16,35 +12,23 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", - "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "hash": { - "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - }, - "name": "vmtoolsd.exe", - "pid": 2144 - }, - "related": { - "hash": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - }, - "sysmon": { - "file": { - "archived": true - } - }, - "user": { - "id": "S-1-5-18" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", "event_data": { + "Archived": "true", "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", - "Session": "1" + "Hashes": "SHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000", + "Image": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "ProcessGuid": "{9497d8d9-aa1b-602f-a600-000000001000}", + "ProcessId": "2144", + "RuleName": "-", + "Session": "1", + "UtcTime": "2021-02-25 15:04:48.592" }, "event_id": "24", + "opcode": "Info", "process": { "pid": 3800, "thread": { @@ -55,7 +39,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10757412, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json index 5efdad65937..6c767c9590d 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-13-processtampering.evtx.golden.json 
@@ -1,17 +1,10 @@ [ { - "@timestamp": "2021-02-25T14:43:23.55Z", + "@timestamp": "2021-02-25T14:43:23.5512694Z", "event": { - "category": [ - "process" - ], "code": "25", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "DESKTOP-I9CQVAQ" @@ -19,23 +12,20 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", - "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", - "name": "git.exe", - "pid": 2628 - }, - "user": { - "id": "S-1-5-18" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", "event_data": { - "Type": "Image is replaced" + "Image": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "ProcessGuid": "{9497d8d9-b78b-6037-6f13-000000001000}", + "ProcessId": "2628", + "RuleName": "-", + "Type": "Image is replaced", + "UtcTime": "2021-02-25 14:43:23.550" }, "event_id": "25", + "opcode": "Info", "process": { "pid": 3800, "thread": { @@ -46,7 +36,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10737797, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index adb964bd39d..8e4ad21c812 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json 
@@ -1,17 +1,10 @@ [ { - "@timestamp": "2019-03-18T16:57:37.933Z", + "@timestamp": "2019-03-18T16:57:37.933324Z", "event": { - "category": [ - "configuration" - ], "code": "16", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -24,9 +17,11 @@ "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n", + "UtcTime": "2019-03-18 16:57:37.933" }, "event_id": "16", + "opcode": "Info", "process": { "pid": 4616, "thread": { @@ -43,18 +38,11 @@ } }, { - "@timestamp": "2019-03-18T16:57:38.011Z", + "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { - "category": [ - "process" - ], "code": "4", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -69,9 +57,11 @@ "event_data": { "SchemaVersion": "4.20", "State": "Started", + "UtcTime": "2019-03-18 16:57:38.011", "Version": "9.01" }, "event_id": "4", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -82,25 +72,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:37.949Z", + "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { - "category": [ - "process" - ], "code": "1", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "start", - "process_start" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -108,60 +93,34 @@ "log": { "level": "information" }, - "process": { - "args": [ - "C:\\Windows\\Sysmon.exe" - ], - "command_line": "C:\\Windows\\Sysmon.exe", - "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", - "executable": "C:\\Windows\\Sysmon.exe", - "hash": { - "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - }, - "name": "Sysmon.exe", - "parent": { - "args": [ - "C:\\Windows\\system32\\services.exe" - ], - "command_line": "C:\\Windows\\system32\\services.exe", - "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", - "executable": "C:\\Windows\\System32\\services.exe", - "name": "services.exe", - "pid": 488 - }, - "pe": { - "company": "Sysinternals - www.sysinternals.com", - "description": "System activity monitor", - "file_version": "9.01", - "product": "Sysinternals Sysmon" - }, - "pid": 4860, - "working_directory": "C:\\Windows\\system32\\" - }, - "related": { - "hash": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e", - "user": "SYSTEM" - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { + "CommandLine": "C:\\Windows\\Sysmon.exe", "Company": "Sysinternals - www.sysinternals.com", + "CurrentDirectory": "C:\\Windows\\system32\\", "Description": "System activity monitor", "FileVersion": "9.01", + "Hashes": "SHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E", + "Image": "C:\\Windows\\Sysmon.exe", "IntegrityLevel": "System", "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", "LogonId": "0x3e7", + "ParentCommandLine": "C:\\Windows\\system32\\services.exe", + "ParentImage": "C:\\Windows\\System32\\services.exe", + "ParentProcessGuid": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", + "ParentProcessId": "488", + "ProcessGuid": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "ProcessId": "4860", "Product": "Sysinternals Sysmon", - "TerminalSessionId": "0" + "TerminalSessionId": "0", + "User": "NT 
AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:37.949" }, "event_id": "1", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -172,25 +131,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 3, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:37.964Z", + "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { - "category": [ - "process" - ], "code": "1", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "start", - "process_start" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -198,63 +152,34 @@ "log": { "level": "information" }, - "process": { - "args": [ - "C:\\Windows\\system32\\wbem\\unsecapp.exe", - "-Embedding" - ], - "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", - "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", - "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", - "hash": { - "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" - }, - "name": "unsecapp.exe", - "parent": { - "args": [ - "C:\\Windows\\system32\\svchost.exe", - "-k", - "DcomLaunch" - ], - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", - "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 560 - }, - "pe": { - "company": "Microsoft Corporation", - "description": "Sink to receive asynchronous callbacks for WMI client application", - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", - "product": "Microsoft® Windows® Operating System" - }, - "pid": 5028, - "working_directory": "C:\\Windows\\system32\\" - }, - "related": { - "hash": "6df8163a6320b80b60733f9d62e2f39b4b16b678", - "user": "SYSTEM" - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { + "CommandLine": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", "Company": "Microsoft Corporation", + "CurrentDirectory": "C:\\Windows\\system32\\", "Description": "Sink to receive asynchronous callbacks for WMI client application", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "Hashes": "SHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678", + "Image": "C:\\Windows\\System32\\wbem\\unsecapp.exe", "IntegrityLevel": "System", "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", "LogonId": "0x3e7", + "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + 
"ParentImage": "C:\\Windows\\System32\\svchost.exe", + "ParentProcessGuid": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "ParentProcessId": "560", + "ProcessGuid": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "ProcessId": "5028", "Product": "Microsoft® Windows® Operating System", - "TerminalSessionId": "0" + "TerminalSessionId": "0", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:37.964" }, "event_id": "1", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -265,25 +190,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 4, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:38.981Z", + "@timestamp": "2019-03-18T16:57:38.9811378Z", "event": { - "category": [ - "process" - ], "code": "5", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "end", - "process_end" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -291,17 +211,18 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", - "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", - "name": "Sysmon.exe", - "pid": 4616 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Image": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", + "ProcessGuid": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "ProcessId": "4616", + "UtcTime": "2019-03-18 16:57:38.981" + }, "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -312,25 +233,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 5, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:38.981Z", + "@timestamp": "2019-03-18T16:57:38.9811378Z", "event": { - "category": [ - "process" - ], "code": "5", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "end", - "process_end" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -338,17 +254,18 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", - "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", - "name": "Sysmon.exe", - "pid": 4648 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Image": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", + "ProcessGuid": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "ProcessId": "4648", + "UtcTime": "2019-03-18 16:57:38.981" + }, "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -359,25 +276,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 6, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:39.012Z", + "@timestamp": "2019-03-18T16:57:39.0127447Z", "event": { - "category": [ - "process" - ], "code": "1", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "start", - "process_start" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -385,63 +297,34 @@ "log": { "level": "information" }, - "process": { - "args": [ - "C:\\Windows\\system32\\wbem\\wmiprvse.exe", - "-Embedding" - ], - "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", - "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", - "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "hash": { - "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" - }, - "name": "WmiPrvSE.exe", - "parent": { - "args": [ - "C:\\Windows\\system32\\svchost.exe", - "-k", - "DcomLaunch" - ], - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", - "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 560 - }, - "pe": { - "company": "Microsoft Corporation", - "description": "WMI Provider Host", - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", - "product": "Microsoft® Windows® Operating System" - }, - "pid": 4508, - "working_directory": "C:\\Windows\\system32\\" - }, - "related": { - "hash": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21", - "user": "SYSTEM" - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { + "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", "Company": "Microsoft Corporation", + "CurrentDirectory": "C:\\Windows\\system32\\", "Description": "WMI Provider Host", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "Hashes": "SHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21", + "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "IntegrityLevel": "System", "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", "LogonId": "0x3e7", + "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "ParentImage": "C:\\Windows\\System32\\svchost.exe", + "ParentProcessGuid": 
"{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "ParentProcessId": "560", + "ProcessGuid": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "ProcessId": "4508", "Product": "Microsoft® Windows® Operating System", - "TerminalSessionId": "0" + "TerminalSessionId": "0", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:39.012" }, "event_id": "1", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -452,30 +335,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 7, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:47.847Z", - "destination": { - "ip": "a00:203:3000:3000:3000:3000:3000:3300", - "port": 53 - }, + "@timestamp": "2019-03-18T16:57:49.0897231Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -483,40 +356,28 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:EQDBfI6vAylArTBQHY8kNmaweOA=", - "direction": "egress", - "protocol": "domain", - "transport": "udp", - "type": "ipv6" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "a00:203:3000:3000:3000:3000:3000:3300" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", - "port": 62141 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "a00:203:3000:3000:3000:3000:3000:3300", + "DestinationIsIpv6": "true", + "DestinationPort": "53", + "DestinationPortName": "domain", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", + "SourceIsIpv6": "true", + "SourcePort": "62141", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:47.847" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -527,30 +388,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 8, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.07Z", - "destination": { - "ip": "10.0.2.3", - "port": 53 - }, + "@timestamp": "2019-03-18T16:57:49.0897231Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -558,41 +409,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:TXczQujzvcGYSvZ/CKEBu1p2riE=", - "direction": "ingress", - "protocol": "domain", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "10.0.2.15", - "10.0.2.3" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 62141 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "10.0.2.3", + "DestinationIsIpv6": "false", + "DestinationPort": "53", + "DestinationPortName": "domain", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "false", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "62141", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:48.070" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -603,30 +442,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 9, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.148Z", - "destination": { - "ip": "40.77.226.250", - "port": 443 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -634,41 +463,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:W2ZbP8nXMY+YAGYw2h/3Sa8Gu/w=", - "direction": "egress", - "protocol": "https", - "transport": "tcp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, - "related": { - "ip": [ - "10.0.2.15", - "40.77.226.250" - ], - "user": "vagrant" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 1138 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18", - "name": "vagrant" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "40.77.226.250", + "DestinationIsIpv6": "false", + "DestinationPort": "443", + "DestinationPortName": "https", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "Protocol": "tcp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "1138", + "User": "VAGRANT-2012-R2\\vagrant", + "UtcTime": "2019-03-18 16:57:48.148" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -679,30 +496,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.214Z", - "destination": { - "ip": "40.77.226.250", - "port": 443 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -710,41 +517,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:5MsyqYltV9KkhIFGPWiByzQqHDo=", - "direction": "egress", - "protocol": "https", - "transport": "tcp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, - "related": { - "ip": [ - "10.0.2.15", - "40.77.226.250" - ], - "user": "vagrant" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 1139 - }, - "user": { - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18", - "name": "vagrant" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "40.77.226.250", + "DestinationIsIpv6": "false", + "DestinationPort": "443", + "DestinationPortName": "https", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "Protocol": "tcp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "1139", + "User": "VAGRANT-2012-R2\\vagrant", + "UtcTime": "2019-03-18 16:57:48.214" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -755,30 +550,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 11, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.25Z", - "destination": { - "ip": "10.0.2.255", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -786,44 +571,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.15", - "10.0.2.255" - ], - "user": "SYSTEM" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "10.0.2.255", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.250" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -834,31 +605,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 12, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.25Z", - "destination": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -866,43 +626,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", - "direction": "ingress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.255", - "10.0.2.15" - ], - "user": "SYSTEM" - }, - "source": { - "ip": "10.0.2.255", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationHostname": "vagrant-2012-r2.local.crowbird.com", + "DestinationIp": "10.0.2.15", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "false", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceIp": "10.0.2.255", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.250" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -913,30 +660,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 13, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.25Z", - "destination": { - "ip": "ff02:0:0:0:0:0:1:3", - "port": 5355 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -944,41 +681,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:4DSgubObvMEI9IKNWPDqltrux+k=", - "direction": "egress", - "protocol": "llmnr", - "transport": "udp", - "type": "ipv6" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "fe80:0:0:0:e488:b85c:5262:ff86", - "ff02:0:0:0:0:0:1:3" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "fe80:0:0:0:e488:b85c:5262:ff86", - "port": 55542 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "ff02:0:0:0:0:0:1:3", + "DestinationIsIpv6": "true", + "DestinationPort": "5355", + "DestinationPortName": "llmnr", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "fe80:0:0:0:e488:b85c:5262:ff86", + "SourceIsIpv6": "true", + "SourcePort": "55542", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:48.250" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -989,30 +714,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 14, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.25Z", - "destination": { - "ip": "e000:fc:4300:6800:7200:6f00:6d00:6500", - "port": 5355 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1020,40 +735,28 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:sejGGvgk92xTvKdzlFitndKqdWw=", - "direction": "egress", - "protocol": "llmnr", - "transport": "udp", - "type": "ipv6" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "a00:20f:0:0:18a2:6e00:e0:ffff", - "e000:fc:4300:6800:7200:6f00:6d00:6500" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", - "port": 55542 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "e000:fc:4300:6800:7200:6f00:6d00:6500", + "DestinationIsIpv6": "true", + "DestinationPort": "5355", + "DestinationPortName": "llmnr", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", + "SourceIsIpv6": "true", + "SourcePort": "55542", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:48.250" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1064,30 +767,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 15, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.25Z", - "destination": { - "ip": "169.254.255.255", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -1095,43 +788,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "169.254.180.25", - "169.254.255.255" - ], - "user": "SYSTEM" - }, - "source": { - "ip": "169.254.180.25", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "169.254.255.255", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceIp": "169.254.180.25", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.250" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1142,30 +821,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 16, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.251Z", - "destination": { - "ip": "169.254.180.25", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -1173,43 +842,29 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", - "direction": "ingress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "169.254.255.255", - "169.254.180.25" - ], - "user": "SYSTEM" - }, - "source": { - "ip": "169.254.255.255", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "169.254.180.25", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "false", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceIp": "169.254.255.255", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.251" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1220,30 +875,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 17, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.251Z", - "destination": { - "ip": "ff02:0:0:0:0:0:1:3", - "port": 5355 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1251,40 +896,28 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:Zt/ImHlMNf4MciHXlRDkivgw2jY=", - "direction": "egress", - "protocol": "llmnr", - "transport": "udp", - "type": "ipv6" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "fe80:0:0:0:616f:32fa:b04f:b419", - "ff02:0:0:0:0:0:1:3" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "ip": "fe80:0:0:0:616f:32fa:b04f:b419", - "port": 55717 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "ff02:0:0:0:0:0:1:3", + "DestinationIsIpv6": "true", + "DestinationPort": "5355", + "DestinationPortName": "llmnr", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceIp": "fe80:0:0:0:616f:32fa:b04f:b419", + "SourceIsIpv6": "true", + "SourcePort": "55717", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:48.251" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1295,30 +928,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 18, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.251Z", - "destination": { - "ip": "e000:fc:0:0:0:0:0:0", - "port": 5355 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1326,40 +949,28 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:SHkoHfPFDYWai8qQBwIiRxvCPZw=", - "direction": "egress", - "protocol": "llmnr", - "transport": "udp", - "type": "ipv6" - }, - "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe", - "name": "svchost.exe", - "pid": 924 - }, - "related": { - "ip": [ - "a9fe:b419:0:0:f880:2301:e0:ffff", - "e000:fc:0:0:0:0:0:0" - ], - "user": "NETWORK SERVICE" - }, - "source": { - "ip": "a9fe:b419:0:0:f880:2301:e0:ffff", - "port": 55717 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "NETWORK SERVICE" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "DestinationIp": "e000:fc:0:0:0:0:0:0", + "DestinationIsIpv6": "true", + "DestinationPort": "5355", + "DestinationPortName": "llmnr", + "Image": "C:\\Windows\\System32\\svchost.exe", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessId": "924", + "Protocol": "udp", + "SourceIp": "a9fe:b419:0:0:f880:2301:e0:ffff", + "SourceIsIpv6": "true", + "SourcePort": "55717", + "User": "NT AUTHORITY\\NETWORK SERVICE", + "UtcTime": "2019-03-18 16:57:48.251" + }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1370,30 +981,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 19, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.264Z", - "destination": { - "ip": "40.77.226.250", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1401,44 +1002,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:DI+g4BImhWaUwPmLEjdMMQVYPLs=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.15", - "40.77.226.250" - ], - "user": "SYSTEM" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "40.77.226.250", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.264" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1449,30 +1036,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 20, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:48.276Z", - "destination": { - "ip": "10.0.2.3", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1480,44 +1057,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.15", - "10.0.2.3" - ], - "user": "SYSTEM" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "10.0.2.3", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:48.276" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1528,30 +1091,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 21, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:49.213Z", - "destination": { - "ip": "169.254.255.255", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:50.3572387Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1559,44 +1112,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:ZHyFuF2PjubLSbAh4zRQIZHOZK8=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.15", - "169.254.255.255" - ], - "user": "SYSTEM" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "169.254.255.255", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:49.213" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1607,30 +1146,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 22, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:49.218Z", - "destination": { - "ip": "169.254.180.25", - "port": 137 - }, + "@timestamp": "2019-03-18T16:57:50.3572387Z", "event": { - "category": [ - "network" - ], "code": "3", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "connection", - "start", - "protocol" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1638,44 +1167,30 @@ "log": { "level": "information" }, - "network": { - "community_id": "1:r3C/WjbATNIislTQ0M+ySzwnuiw=", - "direction": "egress", - "protocol": "netbios-ns", - "transport": "udp", - "type": "ipv4" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "executable": "System", - "name": "System", - "pid": 4 - }, - "related": { - "ip": [ - "10.0.2.15", - "169.254.180.25" - ], - "user": "SYSTEM" - }, - "source": { - "domain": "vagrant-2012-r2.local.crowbird.com", - "ip": "10.0.2.15", - "port": 137 - }, - "user": { - "domain": "NT AUTHORITY", - "id": "S-1-5-18", - "name": "SYSTEM" - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { - "SourcePortName": "netbios-ns" + "DestinationIp": "169.254.180.25", + "DestinationIsIpv6": "false", + "DestinationPort": "137", + "DestinationPortName": "netbios-ns", + "Image": "System", + "Initiated": "true", + "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessId": "4", + "Protocol": "udp", + "SourceHostname": "vagrant-2012-r2.local.crowbird.com", + "SourceIp": "10.0.2.15", + "SourceIsIpv6": "false", + "SourcePort": "137", + "SourcePortName": "netbios-ns", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2019-03-18 16:57:49.218" }, "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -1686,25 +1201,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 23, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 5 } }, { - "@timestamp": "2019-03-18T16:57:52.35Z", + "@timestamp": "2019-03-18T16:57:52.3542746Z", "event": { - "category": [ - "process" - ], "code": "5", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "end", - "process_end" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" @@ -1712,17 +1222,18 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 4832 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ProcessGuid": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "ProcessId": "4832", + "UtcTime": "2019-03-18 16:57:52.350" + }, "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -1733,25 +1244,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 24, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:52.364Z", + "@timestamp": "2019-03-18T16:57:52.3640428Z", "event": { - "category": [ - "process" - ], "code": "5", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "end", - "process_end" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1759,17 +1265,18 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 3208 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ProcessGuid": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "ProcessId": "3208", + "UtcTime": "2019-03-18 16:57:52.364" + }, "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -1780,30 +1287,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 25, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:52.387Z", + "@timestamp": "2019-03-18T16:57:52.4021191Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", - "extension": "tmp", - "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1811,21 +1308,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "UtcTime": "2019-03-18 16:57:52.387" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -1836,30 +1333,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 26, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } }, { - "@timestamp": "2019-03-18T16:57:52.417Z", + "@timestamp": "2019-03-18T16:57:52.417733Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", - "extension": "tmp", - "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1867,21 +1354,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -1892,30 +1379,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 27, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } }, { - "@timestamp": "2019-03-18T16:57:52.417Z", + "@timestamp": "2019-03-18T16:57:52.417733Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", - "extension": "tmp", - "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1923,21 +1400,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:52:05.028", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -1948,30 +1425,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 28, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } }, { - "@timestamp": "2019-03-18T16:57:52.417Z", + "@timestamp": "2019-03-18T16:57:52.417733Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", - "extension": "tmp", - "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -1979,21 +1446,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:51:54.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -2004,25 +1471,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 29, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } }, { - "@timestamp": "2019-03-18T16:57:52.433Z", + "@timestamp": "2019-03-18T16:57:52.4333673Z", "event": { - "category": [ - "process" - ], "code": "5", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "end", - "process_end" - ] + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -2030,17 +1492,18 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 2680 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "event_data": { + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "ProcessGuid": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "ProcessId": "2680", + "UtcTime": "2019-03-18 16:57:52.433" + }, "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -2051,30 +1514,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 30, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 3 } }, { - "@timestamp": "2019-03-18T16:57:52.433Z", + "@timestamp": "2019-03-18T16:57:52.4333673Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", - "extension": "tmp", - "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -2082,21 +1535,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:52:08.496", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "UtcTime": "2019-03-18 16:57:52.433" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { 
@@ -2107,30 +1560,20 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 31, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } }, { - "@timestamp": "2019-03-18T16:57:52.433Z", + "@timestamp": "2019-03-18T16:57:52.4333673Z", "event": { - "category": [ - "file" - ], "code": "2", "kind": "event", - "module": "sysmon", - "provider": "Microsoft-Windows-Sysmon", - "type": [ - "change" - ] - }, - "file": { - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", - "extension": "tmp", - "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" + "provider": "Microsoft-Windows-Sysmon" }, "host": { "name": "vagrant-2012-r2" 
@@ -2138,21 +1581,21 @@ "log": { "level": "information" }, - "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "name": "chrome.exe", - "pid": 1600 - }, "winlog": { "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "CreationUtcTime": "2019-03-18 16:52:05.339", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "UtcTime": "2019-03-18 16:57:52.433" }, "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { @@ -2163,7 +1606,10 @@ "provider_name": "Microsoft-Windows-Sysmon", "record_id": 32, "user": { - "identifier": "S-1-5-18" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" }, "version": 4 } diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 2f07ac85e9f..fcf3f77768f 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go 
@@ -21,14 +21,11 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/mapping" - "github.com/elastic/beats/v7/libbeat/processors/script/javascript" "github.com/elastic/beats/v7/winlogbeat/checkpoint" "github.com/elastic/beats/v7/winlogbeat/eventlog" "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/mapstr" - - // Register javascript modules. - _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module" + "github.com/elastic/go-sysinfo/providers/windows" ) var update = flag.Bool("update", false, "update golden files") @@ -41,17 +38,28 @@ type params struct { } // WithFieldFilter filters the specified fields from the event prior to -// creating the golden file. +// comparison of values, but retains them in the written golden files. func WithFieldFilter(filter []string) Option { return func(p *params) { p.ignoreFields = filter } } -// TestPipeline tests the given pipeline by reading events from the .evtx files -// and processing them with the pipeline. Then it compares the results against +// TestPipeline tests the partial pipeline by reading events from the .evtx files +// and processing them with a basic enrichment. Then it compares the results against // a saved golden file. Use -update to regenerate the golden files. -func TestPipeline(t *testing.T, evtx string, pipeline string, opts ...Option) { +func TestPipeline(t *testing.T, evtx string, opts ...Option) { + // FIXME: We cannot generate golden files on Windows 2022. + if *update { + os, err := windows.OperatingSystem() + if err != nil { + t.Fatalf("failed to get operating system info: %v", err) + } + if strings.Contains(os.Name, "2022") { + t.Fatal("cannot generate golden files on Windows 2022: see note in powershell/test/powershell_windows_test.go") + } + } + files, err := filepath.Glob(evtx) if err != nil { t.Fatal(err) 
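Review bot: `os, err := windows.OperatingSystem()` in the new `if *update` block of TestPipeline shadows the `os` package this file imports (writeGolden calls `os.MkdirAll` further down), so any `os.` call later added inside that block would resolve to the struct rather than the package; rename the local, e.g. `osInfo, err := windows.OperatingSystem()` and `strings.Contains(osInfo.Name, "2022")`. The 2022 detection is a substring match on the product name, which is presumably adequate here but deserves a one-line comment saying the match is intentionally loose. The TestPipeline doc comment still reads "Use -update to regenerate the golden files" without mentioning that this now fails on Windows 2022; adding "golden files cannot be regenerated on Windows 2022 (see the FIXME below)" there would spare a reader the surprise. The body of TestPipeline continues past the end of the hunk.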
@@ -67,12 +75,12 @@ func TestPipeline(t *testing.T, evtx string, pipeline string, opts ...Option) { for _, f := range files { t.Run(filepath.Base(f), func(t *testing.T) { - testPipeline(t, f, pipeline, &p) + testPipeline(t, f, &p) }) } } -func testPipeline(t testing.TB, evtx string, pipeline string, p *params) { +func testPipeline(t testing.TB, evtx string, p *params) { t.Helper() path, err := filepath.Abs(evtx) @@ -95,24 +103,17 @@ func testPipeline(t testing.TB, evtx string, pipeline string, p *params) { t.Fatal(err) } - // Load javascript processor. - processor, err := javascript.New(config.MustNewConfigFrom(mapstr.M{ - "file": pipeline, - })) - if err != nil { - t.Fatal(err) - } - // Read and process events. var events []mapstr.M for stop := false; !stop; { records, err := log.Read() - if err == io.EOF { + if err == io.EOF { //nolint:errorlint // io.EOF should never be wrapped. stop = true } else if err != nil { t.Fatal(err) } + //nolint:errcheck // All the errors returned here are from beat.Event queries and may be ignored. for _, r := range records { record := r.ToEvent() @@ -130,19 +131,15 @@ func testPipeline(t testing.TB, evtx string, pipeline string, p *params) { record.Delete("winlog.user.domain") } - evt, err := processor.Run(&record) - if err != nil { - t.Fatalf("%v while processing event:\n%v", err, record.Fields.StringToPrint()) - } - // Copy the timestamp to the beat.Event.Fields because this is what // we write to the golden data for testing purposes. In the normal // Beats output this the handled by the encoder (go-structform). + evt := &record if !evt.Timestamp.IsZero() { evt.Fields["@timestamp"] = evt.Timestamp.UTC() } - events = append(events, filterEvent(evt.Fields, p.ignoreFields)) + events = append(events, evt.Fields) } } 
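Review bot: The `//nolint:errcheck` directive placed on its own line above `for _, r := range records {` applies, as I read golangci-lint's block semantics, to the entire loop body that follows rather than only to the `record.Delete(...)` calls it is meant to cover, so an unchecked error from any other call introduced into that body later is silenced without review. The same commit annotates per call elsewhere (`m.Delete(f) //nolint:errcheck // ...` in filterEvent and the `m.Put` line in lowercaseGUIDs), so moving the directive onto each `record.Delete` line would keep the suppression narrow and the style consistent across the file. The loop body continues outside this hunk.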
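Review bot: `evt := &record` exists only so the pre-existing `evt.Timestamp` and `evt.Fields` lines below it compile unchanged now that the javascript processor call is gone; the alias takes a pointer to a loop-local value that nothing else uses. Dropping it and writing `record.Fields["@timestamp"] = record.Timestamp.UTC()` and `events = append(events, record.Fields)` reads more directly. The `append` line is also where this hunk's behavioral change lives, since events are now stored unfiltered and `p.ignoreFields` is applied only at comparison time, so a short comment there such as `// Keep all fields; ignoreFields is applied at comparison time so golden files stay complete.` would explain why filterEvent no longer appears here.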
@@ -156,7 +153,7 @@ func testPipeline(t testing.TB, evtx string, pipeline string, p *params) { return } for i, e := range events { - assertEqual(t, expected[i], normalize(t, e)) + assertEqual(t, filterEvent(expected[i], p.ignoreFields), normalize(t, filterEvent(e, p.ignoreFields))) } } @@ -189,12 +186,12 @@ func writeGolden(t testing.TB, source string, events []mapstr.M) { t.Fatal(err) } - if err := os.MkdirAll("testdata", 0o755); err != nil { + if err := os.MkdirAll("testdata", 0755); err != nil { t.Fatal(err) } outPath := filepath.Join("testdata", filepath.Base(source)+".golden.json") - if err := ioutil.WriteFile(outPath, data, 0o644); err != nil { + if err := ioutil.WriteFile(outPath, data, 0o644); err != nil { //nolint:gosec // Bad linter! t.Fatal(err) } } @@ -235,7 +232,7 @@ func normalize(t testing.TB, m mapstr.M) mapstr.M { func filterEvent(m mapstr.M, ignores []string) mapstr.M { for _, f := range ignores { - m.Delete(f) + m.Delete(f) //nolint:errcheck // Deleting a thing that doesn't exist is ok. } return m } @@ -252,7 +249,7 @@ func lowercaseGUIDs(m mapstr.M) mapstr.M { continue } if uppercaseGUIDRegex.MatchString(str) { - m.Put(k, strings.ToLower(str)) + m.Put(k, strings.ToLower(str)) //nolint:errcheck // Can't fail because k has been obtained from m. } } return m
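Review bot: The directory mode on the `os.MkdirAll` line changes from `0o755` to `0755` while the `ioutil.WriteFile` line just below keeps `0o644`, so the hunk leaves the two octal literals in different styles for no stated reason; keeping `0o755` (the form the file already used) avoids the inconsistency. The `//nolint:gosec // Bad linter!` justification on the WriteFile line does not say why the finding does not apply here; gosec flags file modes wider than 0600, which is acceptable in this case only because the output is checked-in golden test data, and the comment should state that, e.g. `//nolint:gosec // 0o644 is intended: golden files are committed test fixtures, not secrets.` writeGolden's body begins before this hunk.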