
@P1llus
Created November 29, 2022 13:37
ECS test document
{
"@timestamp": "2021-01-13T10:13:08.000Z",
"agent": {
"build": {
"original": "metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]"
},
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796",
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.0.0"
},
"client": {
"address": "89.160.20.156",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"bytes": 23,
"domain": "d111111abcdef8.cloudfront.net",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "192.168.0.2",
"mac": [
"02:42:ac:1b:00:07"
],
"nat": {
"ip": "10.0.0.2",
"port": 3389
},
"packets": 54,
"port": 54,
"registered_domain": "d111111abcdef8.cloudfront.net",
"subdomain": "d111111abcdef8",
"top_level_domain": "d111111abcdef8",
"user": {
"domain": "TEST",
"email": "test@test.com",
"full_name": "somename",
"hash": "12354dfsngdftbsvesawcd",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm",
"roles": [
"role1",
"role2"
],
"group": {
"name": "test-name",
"domain": "test.domain",
"id": "test-id"
}
}
},
"cloud": {
"account": {
"id": "428152502467",
"name": "elastic-beats"
},
"availability_zone": "us-east-1c",
"instance": {
"id": "i-1234567890abcdef0",
"name": "instance-name"
},
"machine": {
"type": "t2.medium"
},
"origin": {
"account": {
"id": "428152502467",
"name": "elastic-beats"
},
"availability_zone": "us-east-1c",
"instance": {
"id": "i-1234567890abcdef0",
"name": "instance-name"
},
"machine": {
"type": "t2.medium"
},
"project": {
"id": "my-project",
"name": "project-name"
},
"provider": "aws",
"region": "us-east-1",
"service": {
"name": "service-name"
}
},
"project": {
"id": "my-project",
"name": "project-name"
},
"provider": "aws",
"region": "us-east-1",
"service": {
"name": "service-name"
},
"target": {
"account": {
"id": "428152502467",
"name": "elastic-beats"
},
"availability_zone": "us-east-1c",
"instance": {
"id": "i-1234567890abcdef0",
"name": "instance-name"
},
"machine": {
"type": "t2.medium"
},
"project": {
"id": "my-project",
"name": "project-name"
},
"provider": "aws",
"region": "us-east-1",
"service": {
"name": "service-name"
}
}
},
"container": {
"cpu": {
"usage": 0.08265027322397175
},
"disk": {
"read": {
"bytes": 123
},
"write": {
"bytes": 123
}
},
"id": "7f3ca1f1b2b310362e90f700d2b2e52ebd46ef6ddf10c0704f22b25686c466ab",
"image": {
"name": "metricbeat_beat",
"hash": {
"all": "[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]"
},
"tag": [
"tag1",
"tag2"
]
},
"labels": {
"com_docker_compose_config-hash": "e3e0a2c6e5d1afb741bc8b1ecb09cda0395886b7a3e5084a9fd110be46d70f78",
"com_docker_compose_container-number": "1"
},
"memory": {
"usage": 0.08265027322397175
},
"name": "metricbeat_beat_run_8ba23fa682a6",
"network": {
"egress": {
"bytes": 123
},
"ingress": {
"bytes": 123
}
},
"runtime": "docker"
},
"data_stream": {
"dataset": "elasticsearch.stack_monitoring.cluster_stats",
"namespace": "ep",
"type": "metrics"
},
"destination": {
"address": "89.160.20.156",
"bytes": 23,
"domain": "d111111abcdef8.cloudfront.net",
"ip": "192.168.0.2",
"mac": [
"02:42:ac:1b:00:07"
],
"nat": {
"ip": "10.0.0.2",
"port": 3389
},
"packets": 54,
"port": 54,
"registered_domain": "d111111abcdef8.cloudfront.net",
"subdomain": "d111111abcdef8",
"top_level_domain": "d111111abcdef8",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"user": {
"domain": "TEST",
"email": "test@test.com",
"full_name": "somename",
"hash": "12354dfsngdftbsvesawcd",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm",
"roles": [
"role1",
"role2"
],
"group": {
"name": "test-name",
"domain": "test.domain",
"id": "test-id"
}
}
},
"device": {
"id": "deviceid",
"manufacturer": "device manufacturer",
"model": {
"identifier": "device-identifier",
"name": "device-ident-name"
}
},
"dll": {
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"name": "dllname",
"path": "C:\\Windows\\System32\\kernel32.dll",
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft® Windows® Operating System",
"architecture": "x86",
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123
}]
}
},
"dns": {
"answers": [{
"data": "203.0.113.9",
"type": "PTR",
"class": "IN",
"name": "dnsanswername",
"ttl": 123
}],
"header_flags": [
"RD",
"RA"
],
"id": "62111",
"op_code": "QUERY",
"question": {
"class": "IN",
"name": "www.sub.test.com",
"registered_domain": "test.com",
"subdomain": "sub",
"top_level_domain": "com",
"type": "AAAA"
},
"resolved_ip": [
"10.10.10.10",
"192.168.1.1"
],
"response_code": "NOERROR",
"type": "answer"
},
"ecs": {
"version": "8.0.0"
},
"email": {
"attachments": [{
"file": {
"extension": "txt",
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"mime_type": "text/plain",
"name": "attachment.txt",
"size": 123543
}
}],
"bcc": {
"address": [
"test@example.com",
"test@example2.com"
]
},
"cc": {
"address": [
"test@example.com",
"test@example2.com"
]
},
"content_type": "text/plain",
"delivery_timestamp": "2020-11-10T22:12:34.8196921Z",
"direction": "inbound",
"from": {
"address": [
"test@example.com",
"test@example2.com"
]
},
"local_id": "c26dbea0-80d5-463b-b93c-4e8b708219ce",
"message_id": "81ce15$8r2j59@mail01.example.com",
"origination_timestamp": "2020-11-10T22:12:34.8196921Z",
"reply_to": {
"address": [
"test@example.com",
"test@example2.com"
]
},
"sender": {
"address": "senderaddr@example.com"
},
"subject": "emailsubject",
"to": {
"address": [
"test@example.com",
"test@example2.com"
]
},
"x_mailer": "Spambot v2.5"
},
"error": {
"id": "1235",
"message": "errormessage",
"stack_trace": "stacktracetxt",
"type": "java.lang.NullPointerException"
},
"event": {
"action": "pwd-change",
"agent_id_status": "verified",
"category": [
"authentication"
],
"code": "1235",
"created": "2016-05-23T08:05:34.857Z",
"dataset": "apache.access",
"duration": 123,
"end": "2016-05-23T08:05:34.857Z",
"hash": "123456789012345678901234567890ABCD",
"id": "1235",
"ingested": "2016-05-23T08:05:34.857Z",
"kind": "event",
"module": "apache",
"original": "Sep 19 08:26:10 host CEF:0|Security|",
"outcome": "success",
"provider": "kernel",
"reason": "killed process",
"reference": "https://system.example.com/event/#0001234",
"risk_score": 12.12,
"risk_score_norm": 12.12,
"sequence": 12,
"severity": 3,
"start": "2016-05-23T08:05:34.857Z",
"timezone": "Europe/Amsterdam",
"type": [
"info",
"user"
],
"url": "https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe"
},
"faas": {
"coldstart": true,
"execution": "af9d5aa4-a685-4c5f-a22b-444f80b3cc28",
"id": "arn:aws:lambda:us-west-2:123456789012:function:my-function",
"name": "my-function",
"trigger": [{
"request_id": "1231123",
"type": "http"
}],
"version": "123"
},
"file": {
"accessed": "2021-01-13T10:13:08.000Z",
"attributes": [
"readonly",
"system"
],
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"created": "2021-01-13T10:13:08.000Z",
"ctime": "2021-01-13T10:13:08.000Z",
"device": "sda",
"directory": "/home/test",
"drive_letter": "C",
"elf": {
"architecture": "x86-64",
"byte_order": "Little Endian",
"cpu_type": "Intel",
"creation_date": "2021-01-13T10:13:08.000Z",
"exports": {
"field1": "value1",
"field2": "value2"
},
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"header": {
"abi_version": "versionname",
"class": "headerclass",
"data": "elfheaderdata",
"entrypoint": 123,
"object_version": "headerobjversion",
"os_abi": "osabi",
"type": "headertype",
"version": "headerversion",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e"
},
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"chi2": 100,
"entropy": 123,
"flags": "sectionsflag",
"name": "sectioname",
"physical_offset": "physoffset",
"physical_size": 123,
"type": "sectionstype",
"var_entropy": 123,
"virtual_address": 123,
"virtual_size": 123
}],
"segments": [{
"sections": "elfsegments",
"type": "elftype"
}],
"shared_libraries": [
"lib1",
"lib2"
],
"telfhash": "telfhash"
},
"extension": "png",
"fork_name": "Zone.Identifer",
"gid": "1001",
"group": "filegroup",
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"inode": "123123",
"macho": {
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}],
"symhash": "d3ccf195b62a9279c3c19af1080497ec"
},
"mime_type": "text/plain",
"mode": "0444",
"mtime": "2021-01-13T10:13:08.000Z",
"name": "file.png",
"owner": "testuser",
"path": "C:\\Windows\\System32\\kernel32.dll",
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft® Windows® Operating System",
"architecture": "x86",
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}]
},
"size": 123,
"target_path": "/some/path",
"type": "filetype",
"uid": "1001",
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"group": {
"domain": "testdomain",
"id": "1233",
"name": "groupname"
},
"host": {
"architecture": "x86_64",
"boot": {
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db"
},
"cpu": {
"usage": 0.08265027322397175
},
"disk": {
"read": {
"bytes": 123
},
"write": {
"bytes": 123
}
},
"domain": "d111111abcdef8.cloudfront.net",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"hostname": "testhostname",
"id": "deviceid",
"ip": [
"192.168.0.2",
"10.10.10.10"
],
"mac": [
"02:42:ac:1b:00:07"
],
"name": "hostname",
"network": {
"egress": {
"bytes": 123,
"packets": 123
},
"ingress": {
"bytes": 123,
"packets": 123
}
},
"os": {
"family": "debian",
"full": "Mac OS Mojave",
"kernel": "4.4.4-112-generic",
"name": "MAC OS X",
"platform": "darwin",
"type": "macos",
"version": "10.14.1"
},
"pid_ns_ino": "123123",
"risk": {
"calculated_levels": "High",
"calculated_score": 880.73,
"calculated_score_norm": 88.73,
"static_level": "High",
"static_score": 830.0,
"static_score_norm": 83.0
},
"type": "t2.medium",
"uptime": 1234
},
"http": {
"request": {
"body": {
"bytes": 123,
"content": "hello world"
},
"bytes": 123,
"id": "83d8d392-d20c-40ef-a257-bf9cf314d1db",
"method": "POST",
"mime_type": "image/gif",
"referrer": "https://example.com"
},
"response": {
"body": {
"bytes": 123,
"content": "hello world"
},
"bytes": 123,
"mime_type": "image/gif",
"status_code": 404
},
"version": "1.1"
},
"labels": {
"field1": "value",
"field2": "value2"
},
"log": {
"file": {
"path": "/var/log/fun-times.log"
},
"level": "error",
"logger": "org.elasticsearch.bootstrap.Bootstrap",
"origin": {
"file": {
"line": 42,
"name": "filename"
},
"function": "init"
},
"syslog": {
"appname": "sshd",
"facility": {
"code": 123,
"name": "local7"
},
"hostname": "example-host",
"msgid": "ID47",
"priority": 123,
"procid": "534123",
"severity": {
"code": 3,
"name": "Error"
},
"structured_data": {
"testfield1": "asd",
"testfield2": "asd"
},
"version": "1"
}
},
"message": "the connection is not enabled",
"network": {
"application": "aim",
"bytes": 123,
"community_id": "1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=",
"direction": "inbound",
"forwarded_ip": "192.2.2.2",
"iana_number": "6",
"inner": {
"vlan": {
"id": "10",
"name": "vlanname"
}
},
"name": "networkname",
"packets": 123,
"protocol": "http",
"transport": "tcp",
"type": "ipv4",
"vlan": {
"id": "10",
"name": "vlanname"
}
},
"observer": {
"egress": {
"interface": {
"alias": "outside",
"id": "interfaceid",
"name": "interfacename"
},
"vlan": {
"id": "10",
"name": "vlanname"
},
"zone": "EgressZone"
},
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"hostname": "observerhostname",
"ingress": {
"interface": {
"alias": "outside",
"id": "interfaceid",
"name": "interfacename"
},
"vlan": {
"id": "10",
"name": "vlanname"
},
"zone": "EgressZone"
},
"ip": [
"10.0.0.2",
"192.1.1.1"
],
"mac": [
"02:42:ac:1b:00:07"
],
"name": "observername",
"os": {
"family": "debian",
"full": "Mac OS Mojave",
"kernel": "4.4.4-112-generic",
"name": "MAC OS X",
"platform": "darwin",
"type": "macos",
"version": "10.14.1"
},
"product": "s200",
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"type": "firewall",
"vendor": "Checkpoint",
"version": "10.10"
},
"orchestrator": {
"api_version": "beta1",
"cluster": {
"id": "123",
"name": "clustername",
"url": "http://clusterurl.com",
"version": "12.2"
},
"namespace": "kube-system",
"organization": "elastic",
"resource": {
"id": "123",
"ip": [
"10.10.10.10",
"192.1.1.1"
],
"name": "test-pod",
"parent": {
"type": "DaemonSet"
},
"type": "service"
},
"type": "kubernetes"
},
"organization": {
"id": "orgid",
"name": "orgname"
},
"package": {
"architecture": "x86-64",
"build_version": "36f4f7e89dd61b0988b12ee000b98966867710cd",
"checksum": "68b329da9893e34099c7d8ad5cb9c940",
"description": "some package description",
"install_scope": "global",
"installed": "2020-07-16T03:15:39Z",
"license": "Apache License 2.0",
"name": "package name",
"path": "/usr/local/Cellar/go/1.12.9/",
"reference": "https://golang.org",
"size": 123,
"type": "rpm",
"version": "1.12.9"
},
"process": {
"args": [
"/bin/ssh",
"user",
"10.10.10.2"
],
"args_count": 3,
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"command_line": "/usr/bin/ssh -l user 10.0.0.16",
"elf": {
"architecture": "x86-64",
"byte_order": "Little Endian",
"cpu_type": "Intel",
"creation_date": "2021-01-13T10:13:08.000Z",
"exports": {
"field1": "value1",
"field2": "value2"
},
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"header": {
"abi_version": "versionname",
"class": "headerclass",
"data": "elfheaderdata",
"entrypoint": 123,
"object_version": "headerobjversion",
"os_abi": "osabi",
"type": "headertype",
"version": "headerversion"
},
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"chi2": 123,
"entropy": 100,
"flags": "sectionsflag",
"name": "sectionname",
"physical_offset": "physoffset",
"physical_size": 123,
"type": "sectionstype",
"var_entropy": 123,
"virtual_address": 123,
"virtual_size": 123
}],
"segments": [{
"sections": "elfsegments",
"type": "elftype"
}],
"shared_libraries": [
"lib1",
"lib2"
],
"telfhash": "telfhash"
},
"end": "2016-05-23T08:05:34.853Z",
"entity_id": "c2c455d9f99375d",
"entry_leader": {
"args": [
"/bin/ssh",
"user",
"10.10.10.2"
],
"args_count": 3,
"attested_groups": {
"name": "groupname"
},
"attested_user": {
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm"
},
"command_line": "/usr/bin/ssh -l user 10.0.0.16",
"entity_id": "c2c455d9f99375d",
"entry_meta": {
"source": {
"ip": "10.10.10.10",
"type": "sshd"
}
},
"executable": "/usr/bin/ssh",
"group": {
"id": "groupid",
"name": "groupname"
},
"interactive": true,
"name": "entryprocessname",
"parent": {
"entity_id": "c2c455d9f99375d",
"pid": 123,
"session_leader": {
"entity_id": "c2c455d9f99375d",
"pid": 123,
"start": "2016-05-23T08:05:34.857Z"
},
"start": "2016-05-23T08:05:34.857Z"
},
"pid": 123,
"real_group": {
"id": "123",
"name": "groupname"
},
"real_user": {
"id": "userid",
"name": "username"
},
"same_as_process": true,
"saved_group": {
"id": "savedgroupid",
"name": "savedgroupname"
},
"saved_user": {
"id": "saveduserid",
"name": "savedusername"
},
"start": "2016-05-23T08:05:34.857Z",
"supplemental_groups": {
"id": "suppgroupid",
"name": "suppgroupname"
},
"tty": {
"char_device": {
"major": 4,
"minor": 2
}
},
"user": {
"id": "userid",
"name": "username"
},
"working_directory": "/home/test"
},
"env_vars": [
"PATH=/usr/local/bin:/usr/bin",
"USER=ubuntu"
],
"executable": "/usr/bin/ssh",
"exit_code": 123,
"group_leader": {
"args": [
"/bin/ssh",
"10.10.10.2",
"user"
],
"args_count": 3,
"command_line": "/usr/bin/ssh -l user 10.0.0.16",
"entity_id": "c2c455d9f99375d",
"executable": "/usr/bin/ssh",
"group": {
"id": "groupid",
"name": "groupname"
},
"interactive": true,
"name": "ssh",
"pid": 123,
"real_group": {
"id": "123",
"name": "groupname"
},
"real_user": {
"id": "userid",
"name": "username"
},
"same_as_process": true,
"saved_group": {
"id": "savedgroupid",
"name": "savedgroupname"
},
"saved_user": {
"id": "saveduserid",
"name": "savedusername"
},
"start": "2016-05-23T08:05:34.857Z",
"supplemental_groups": {
"id": "suppgroupid",
"name": "suppgroupname"
},
"tty": {
"char_device": {
"major": 4,
"minor": 2
}
},
"user": {
"id": "userid",
"name": "username"
},
"working_directory": "/home/test"
},
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"interactive": true,
"io": {
"bytes_skipped": [{
"length": 123,
"offset": 123
}],
"max_bytes_per_process_exceeded": true,
"text": "some longer test text",
"total_bytes_captured": 123,
"total_bytes_skipped": 123,
"type": "iotype",
"macho": {
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}],
"symhash": "d3ccf195b62a9279c3c19af1080497ec"
},
"name": "processname",
"parent": {
"args": [
"/bin/ssh",
"user",
"10.10.10.2"
],
"args_count": 3,
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"command_line": "/usr/bin/ssh -l user 10.0.0.16",
"elf": {
"architecture": "x86-64",
"byte_order": "Little Endian",
"cpu_type": "Intel",
"creation_date": "2021-01-13T10:13:08.000Z",
"exports": {
"field1": "value1",
"field2": "value2"
},
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"header": {
"abi_version": "versionname",
"class": "headerclass",
"data": "elfheaderdata",
"entrypoint": 123,
"object_version": "headerobjversion",
"os_abi": "osabi",
"type": "headertype",
"version": "headerversion"
},
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"chi2": 123,
"entropy": 100,
"flags": "sectionsflag",
"name": "sectionname",
"physical_offset": "physoffset",
"physical_size": 123,
"type": "sectionstype",
"var_entropy": 123,
"virtual_address": 123,
"virtual_size": 123
}],
"segments": [{
"sections": "elfsegments",
"type": "elftype"
}],
"shared_libraries": [
"lib1",
"lib2"
],
"telfhash": "telfhash"
},
"end": "2016-05-23T08:05:34.853Z",
"entity_id": "c2c455d9f99375d",
"executable": "/usr/bin/ssh",
"exit_code": 123,
"group": {
"name": "test-name",
"id": "test-id"
},
"group_leader": {
"entity_id": "c2c455d9f99375d",
"pid": 123,
"start": "2016-05-23T08:05:34.857Z"
},
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"interactive": true,
"macho": {
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}],
"symhash": "d3ccf195b62a9279c3c19af1080497ec"
},
"name": "processname",
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft® Windows® Operating System",
"architecture": "x86",
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}]
},
"pgid": 123,
"pid": 123,
"real_group": {
"id": "groupid",
"name": "groupname"
},
"real_user": {
"id": "userid",
"name": "username"
},
"saved_group": {
"id": "groupid",
"name": "groupname"
},
"saved_user": {
"id": "userid",
"name": "username"
},
"start": "2016-05-23T08:05:34.857Z",
"supplemental_groups": {
"id": "suppgroupid",
"name": "suppgroupname"
},
"thread": {
"id": 123,
"name": "threadname"
},
"title": "proctitle",
"tty": {
"char_device": {
"major": 4,
"minor": 2
}
},
"uptime": 123,
"user": {
"id": "userid",
"name": "username"
},
"working_directory": "/home/test"
},
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft® Windows® Operating System",
"architecture": "x86",
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}]
},
"pgid": 123,
"pid": 123,
"previous": {
"args": [
"/usr/bin/ssh",
"user",
"10.10.10.1"
],
"args_count": 3,
"executable": "/usr/bin/ssh"
},
"real_group": {
"id": "groupid",
"name": "groupname"
},
"real_user": {
"id": "userid",
"name": "username"
},
"saved_group": {
"id": "groupid",
"name": "groupname"
},
"saved_user": {
"id": "userid",
"name": "username"
},
"session_leader": {
"args": [
"/usr/bin/ssh",
"user",
"10.10.10.1"
],
"args_count": 3,
"command_line": "/usr/bin/ssh -l user 10.0.0.16",
"entity_id": "c2c455d9f99375d",
"executable": "/usr/bin/ssh",
"group": {
"id": "groupid",
"name": "groupname"
},
"interactive": true,
"name": "processname",
"parent": {
"entity_id": "c2c455d9f99375d",
"pid": 123,
"session_leader": {
"entity_id": "c2c455d9f99375d",
"pid": 123,
"start": "2016-05-23T08:05:34.857Z"
},
"start": "2016-05-23T08:05:34.857Z"
},
"pid": 123,
"real_group": {
"id": "groupid",
"name": "groupname"
},
"real_user": {
"id": "userid",
"name": "username"
},
"same_as_process": true,
"saved_group": {
"id": "groupid",
"name": "groupname"
},
"saved_user": {
"id": "userid",
"name": "username"
},
"start": "2016-05-23T08:05:34.857Z",
"supplemental_groups": {
"id": "suppgroupid",
"name": "suppgroupname"
},
"tty": {
"char_device": {
"major": 4,
"minor": 2
}
},
"user": {
"id": "userid",
"name": "username"
},
"working_directory": "/home/test"
},
"start": "2016-05-23T08:05:34.857Z",
"supplemental_groups": {
"id": "123",
"name": "suppgroupname"
},
"thread": {
"id": 123,
"name": "threadname"
},
"title": "proctitle",
"tty": {
"char_device": {
"major": 4,
"minor": 2
},
"columns": 80,
"rows": 23
},
"uptime": 123,
"user": {
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm"
},
"working_directory": "/home/test"
}
},
"registry": {
"data": {
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=",
"strings": [
"C:\\rta\\red_ttp\\bin\\myapp.exe",
"C:\\rta\\red_ttp\\bin\\myapp2.exe"
],
"type": "REG_SZ"
},
"hive": "HKLM",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe",
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"value": "Debugger"
},
"related": {
"hash": [
"asdojigiopsj349850+",
"asdojigiopsj349850gdfh"
],
"hosts": [
"hostname1",
"hostname2"
],
"ip": [
"10.10.10.10",
"192.1.1.1"
],
"user": [
"test",
"test2"
]
},
"rule": {
"author": [
"authorname1",
"authorname2"
],
"category": "Attempted Info Leak",
"description": "ruledescription",
"id": "ruleid",
"license": "rulelicense",
"name": "rulename",
"reference": "rulereference",
"ruleset": "rulesetname",
"uuid": "ruileuuid",
"version": "ruleversion"
},
"server": {
"address": "89.160.20.156",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"bytes": 23,
"domain": "d111111abcdef8.cloudfront.net",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "192.168.0.2",
"mac": [
"02:42:ac:1b:00:07"
],
"nat": {
"ip": "10.0.0.2",
"port": 3389
},
"packets": 54,
"port": 54,
"registered_domain": "d111111abcdef8.cloudfront.net",
"subdomain": "d111111abcdef8",
"top_level_domain": "d111111abcdef8",
"user": {
"domain": "TEST",
"email": "test@test.com",
"full_name": "somename",
"group": {
"name": "test-name",
"domain": "test.domain",
"id": "test-id"
},
"hash": "12354dfsngdftbsvesawcd",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm",
"roles": [
"role1",
"role2"
]
}
},
"service": {
"environment": "serviceenvname",
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796",
"id": "serviceid",
"name": "servicename",
"node": {
"name": "servicenodename",
"role": "servicerole",
"roles": [
"role1",
"role2"
]
},
"origin": {
"address": "89.160.20.156",
"environment": "serviceenvname",
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796",
"id": "serviceid",
"name": "servicename",
"node": {
"name": "servicenodename",
"role": "servicerole",
"roles": [
"role1",
"role2"
]
},
"state": "originstate",
"type": "origintype",
"version": "originversion"
},
"state": "servicestate",
"target": {
"address": "89.160.20.156",
"environment": "serviceenvname",
"ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796",
"id": "serviceid",
"name": "servicename",
"node": {
"name": "servicenodename",
"role": "servicerole",
"roles": [
"role1",
"role2"
]
},
"state": "originstate",
"type": "origintype",
"version": "originversion"
},
"type": "servicetype",
"version": "serviceversion"
},
"source": {
"address": "89.160.20.156",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"bytes": 23,
"domain": "d111111abcdef8.cloudfront.net",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "192.168.0.2",
"mac": [
"02:42:ac:1b:00:07"
],
"nat": {
"ip": "10.0.0.2",
"port": 3389
},
"packets": 54,
"port": 54,
"registered_domain": "d111111abcdef8.cloudfront.net",
"subdomain": "d111111abcdef8",
"top_level_domain": "d111111abcdef8",
"user": {
"domain": "TEST",
"email": "test@test.com",
"full_name": "somename",
"group": {
"name": "test-name",
"domain": "test.domain",
"id": "test-id"
},
"hash": "12354dfsngdftbsvesawcd",
"id": "S-1-5-21-1717121054-434620538-60925301-2794",
"name": "at_adm",
"roles": [
"role1",
"role2"
]
}
},
"span": {
"id": "spanid"
},
"tags": [
"preserve_original_event"
],
"threat": {
"enrichments": [{
"indicator": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"confidence": "Low",
"description": "indicator description",
"email": {
"address": "test@example.com"
},
"file": {
"accessed": "2021-01-13T10:13:08.000Z",
"attributes": [
"readonly",
"system"
],
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"created": "2021-01-13T10:13:08.000Z",
"ctime": "2021-01-13T10:13:08.000Z",
"device": "sda",
"directory": "/home/test",
"drive_letter": "C",
"elf": {
"architecture": "x86-64",
"byte_order": "Little Endian",
"cpu_type": "Intel",
"creation_date": "2021-01-13T10:13:08.000Z",
"exports": {
"field1": "value1",
"field2": "value2"
},
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"header": {
"abi_version": "versionname",
"class": "headerclass",
"data": "elfheaderdata",
"entrypoint": 123,
"object_version": "headerobjversion",
"os_abi": "osabi",
"type": "headertype",
"version": "headerversion",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e"
},
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"chi2": 100,
"entropy": 123,
"flags": "sectionsflag",
"name": "sectioname",
"physical_offset": "physoffset",
"physical_size": 123,
"type": "sectionstype",
"var_entropy": 123,
"virtual_address": 123,
"virtual_size": 123
}],
"segments": [{
"sections": "elfsegments",
"type": "elftype"
}],
"shared_libraries": [
"lib1",
"lib2"
],
"telfhash": "telfhash"
},
"extension": "png",
"fork_name": "Zone.Identifer",
"gid": "1001",
"group": "filegroup",
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"inode": "123123",
"macho": {
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}],
"symhash": "d3ccf195b62a9279c3c19af1080497ec"
},
"mime_type": "text/plain",
"mode": "0444",
"mtime": "2021-01-13T10:13:08.000Z",
"name": "file.png",
"owner": "testuser",
"path": "C:\\Windows\\System32\\kernel32.dll",
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft« Windows« Operating System",
"architecture": "x86",
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}]
},
"size": 123,
"target_path": "/some/path",
"type": "filetype",
"uid": "1001",
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"first_seen": "2021-01-13T10:13:08.000Z",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "10.0.0.2",
"last_seen": "2021-01-13T10:13:08.000Z",
"marking": {
"tlp": {
"version": "2.0"
}
},
"modified_at": "2021-01-13T10:13:08.000Z",
"port": 123,
"provider": "lrz_urlhaus",
"reference": "https://system.example.com/indicator/0001234",
"registry": {
"data": {
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=",
"strings": [
"C:\\rta\\red_ttp\\bin\\myapp.exe",
"C:\\rta\\red_ttp\\bin\\myapp2.exe"
],
"type": "REG_SZ"
},
"hive": "HKLM",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe",
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"value": "Debugger"
},
"scanner_stats": 123,
"sightings": 123,
"type": "artifact",
"url": {
"domain": "elastic.co",
"extension": "png",
"fragment": "top",
"full": "www.elastic.co/test.png",
"original": "www.elastic.co/test.png",
"password": "password123",
"path": "/test.png",
"port": 123,
"query": "?somesearch=123",
"registered_domain": "registered_domain",
"scheme": "https",
"subdomain": "somesubdomain",
"top_level_domain": "d111111abcdef8",
"username": "urluser"
},
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
},
"matched": {
"atomic": "domain.com",
"field": "file.hash.sha1",
"id": "ff93aee5-86a1-4a61-b0e6-0cdc313d01b5",
"index": "filebeat-8.0.0-2021.05.23-000011",
"occured": "2021-10-05T17:00:58.326Z",
"type": "indicator_match_rule"
}
}
}],
"feed": {
"dashboard_id": "5ba16340-72e6-11eb-a3e3-b3cc7c78a70f",
"description": "Description of the threat feed in a UI friendly format.",
"name": "AlienVault OTX",
"reference": "https://otx.alienvault.com"
},
"framework": "MITRE ATT&CK",
"group": {
"alias": [
"Magecart Group 6",
"Magecart Group 5"
],
"id": "FIN6",
"reference": "groupreference"
},
"indicator": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"confidence": "Low",
"description": "indicator description",
"email": {
"address": "test@example.com"
},
"file": {
"accessed": "2021-01-13T10:13:08.000Z",
"attributes": [
"readonly",
"system"
],
"code_signature": {
"digest_algorithm": "sha256",
"exists": true,
"signing_id": "com.apple.xpc.proxy",
"status": "N/A",
"subject_name": "Microsoft",
"team_id": "EQHXZ8M8AV",
"timestamp": "2021-01-01T12:10:30Z",
"trusted": true,
"valid": true
},
"created": "2021-01-13T10:13:08.000Z",
"ctime": "2021-01-13T10:13:08.000Z",
"device": "sda",
"directory": "/home/test",
"drive_letter": "C",
"elf": {
"architecture": "x86-64",
"byte_order": "Little Endian",
"cpu_type": "Intel",
"creation_date": "2021-01-13T10:13:08.000Z",
"exports": {
"field1": "value1",
"field2": "value2"
},
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"header": {
"abi_version": "versionname",
"class": "headerclass",
"data": "elfheaderdata",
"entrypoint": 123,
"object_version": "headerobjversion",
"os_abi": "osabi",
"type": "headertype",
"version": "headerversion",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e"
},
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"chi2": 100,
"entropy": 123,
"flags": "sectionsflag",
"name": "sectioname",
"physical_offset": "physoffset",
"physical_size": 123,
"type": "sectionstype",
"var_entropy": 123,
"virtual_address": 123,
"virtual_size": 123
}],
"segments": [{
"sections": "elfsegments",
"type": "elftype"
}],
"shared_libraries": [
"lib1",
"lib2"
],
"telfhash": "telfhash"
},
"extension": "png",
"fork_name": "Zone.Identifer",
"gid": "1001",
"group": "filegroup",
"hash": {
"md5": "somemd5hash",
"sha1": "somesha1hash",
"sha256": "somesha256hash",
"sha384": "somesha384hash",
"sha512": "somesha512hash",
"ssdeep": "somessdeephash",
"tlsh": "sometlshhash"
},
"inode": "123123",
"macho": {
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}],
"symhash": "d3ccf195b62a9279c3c19af1080497ec"
},
"mime_type": "text/plain",
"mode": "0444",
"mtime": "2021-01-13T10:13:08.000Z",
"name": "file.png",
"owner": "testuser",
"path": "C:\\Windows\\System32\\kernel32.dll",
"pe": {
"company": "Microsoft Corporation",
"description": "Notepad",
"file_version": "10.0.17763.475 (WinBuild.160101.0800)",
"original_file_name": "NOTEPAD.EXE",
"product": "Microsoft« Windows« Operating System",
"architecture": "x86",
"imphash": "0c6803c4e922103c4dca5963aad36ddf",
"import_hash": "d41d8cd98f00b204e9800998ecf8427e",
"imports": {
"field1": "value1",
"field2": "value2"
},
"imports_names_entropy": 123,
"imports_names_var_entropy": 123,
"pehash": "73ff189b63cd6be375a7ff25179a38d347651975",
"go_import_hash": "10bddcb4cee42080f76c88d9ff964491",
"go_imports": {
"field1": "value1",
"field2": "value2"
},
"go_imports_names_entropy": 123,
"go_imports_names_var_entropy": 123,
"go_stripped": true,
"sections": [{
"entropy": 100,
"name": "sectionname",
"physical_size": 123,
"var_entropy": 123,
"virtual_size": 123
}]
},
"size": 123,
"target_path": "/some/path",
"type": "filetype",
"uid": "1001",
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"first_seen": "2021-01-13T10:13:08.000Z",
"geo": {
"city_name": "Linköping",
"continent_code": "NA",
"name": "custom-name",
"postal_code": "12354",
"timezone": "America/Argentina/Buenos_Aires",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "10.0.0.2",
"last_seen": "2021-01-13T10:13:08.000Z",
"marking": {
"tlp": {
"version": "2.0"
}
},
"modified_at": "2021-01-13T10:13:08.000Z",
"port": 123,
"provider": "lrz_urlhaus",
"reference": "https://system.example.com/indicator/0001234",
"registry": {
"data": {
"bytes": "ZQBuAC0AVQBTAAAAZQBuAAAAAAA=",
"strings": [
"C:\\rta\\red_ttp\\bin\\myapp.exe",
"C:\\rta\\red_ttp\\bin\\myapp2.exe"
],
"type": "REG_SZ"
},
"hive": "HKLM",
"key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe",
"path": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"value": "Debugger"
},
"scanner_stats": 123,
"sightings": 123,
"type": "artifact",
"url": {
"domain": "elastic.co",
"extension": "png",
"fragment": "top",
"full": "www.elastic.co/test.png",
"original": "www.elastic.co/test.png",
"password": "password123",
"path": "/test.png",
"port": 123,
"query": "?somesearch=123",
"registered_domain": "registered_domain",
"scheme": "https",
"subdomain": "somesubdomain",
"top_level_domain": "d111111abcdef8",
"username": "urluser"
},
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"software": {
"alias": [
"X-Agent",
"X-Agent2"
],
"id": "S0552",
"name": "AdFind",
"platforms": [
"AWS",
"Azure"
],
"reference": "https://attack.mitre.org/software/S0552/",
"type": "Malware"
},
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": [
"https://attack.mitre.org/tactics/TA0002/",
"https://attack.mitre.org/tactics/TA0003/"
]
},
"technique": {
"id": [
"T1059",
"T1053"
],
"name": [
"Command and Scripting Interpreter",
"Command and Scripting Interpreter2"
],
"reference": [
"https://attack.mitre.org/techniques/T1059/",
"https://attack.mitre.org/techniques/T1051/"
],
"subtechnique": {
"id": [
"T1059.001",
"T1059.002"
],
"name": [
"PowerShell",
"PowerShell2"
],
"reference": [
"https://attack.mitre.org/techniques/T1059/001/",
"https://attack.mitre.org/techniques/T1059/002/"
]
}
}
},
"tls": {
"cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"client": {
"certificate": "MII...",
"certificate_chain": [
"chain1",
"chain2"
],
"hash": {
"md5": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC",
"sha1": "9E393D93138888D288266C2D915214D1D1CCEB2A",
"sha256": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"
},
"issuer": "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",
"ja3": "d4e5b18d6b55c71272893221c96ba240",
"not_after": "2021-01-01T00:00:00.000Z",
"not_before": "1970-01-01T00:00:00.000Z",
"server_name": "www.elastic.co",
"subject": "CN=myclient, OU=Documentation Team, DC=example, DC=com",
"supported_ciphers": [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA38",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
],
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"curve": "secp256r1",
"established": true,
"next_protocol": "http/1.1",
"resumed": true,
"server": {
"certificate": "MII...",
"certificate_chain": [
"chain1",
"chain2"
],
"hash": {
"md5": "0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC",
"sha1": "9E393D93138888D288266C2D915214D1D1CCEB2A",
"sha256": "0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"
},
"issuer": "CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",
"ja3": "d4e5b18d6b55c71272893221c96ba240",
"not_after": "2021-01-01T00:00:00.000Z",
"not_before": "1970-01-01T00:00:00.000Z",
"server_name": "www.elastic.co",
"subject": "CN=myclient, OU=Documentation Team, DC=example, DC=com",
"supported_ciphers": [
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA38",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
],
"x509": {
"alternative_names": [
"testalternativename",
"anothername"
],
"issuer": {
"common_name": "Example SHA2 High Assurance Server CA",
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",
"locality": [
"Mountain View",
"Testlocality"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"www.example.com",
"www.example.co.uk"
],
"state_or_province": [
"California",
"Florida"
]
},
"not_after": "2020-07-16T03:15:39Z",
"not_before": "2020-07-16T03:15:39Z",
"public_key_algorithm": "RSA",
"public_key_curve": "nistp521",
"public_key_exponent": 65537,
"public_key_size": 123,
"serial_number": "55FBB9C7DEBF09809D12CCAA",
"signature_algorithm": "SHA256-RSA",
"subject": {
"common_name": [
"shared.global.example.net",
"test.example.com"
],
"country": [
"US",
"NL"
],
"distinguished_name": "C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",
"locality": [
"Florida",
"Mountain View"
],
"organization": [
"Example Inc",
"Elastic BV"
],
"organizational_unit": [
"testorgunit",
"testanotherorgunit"
],
"state_or_province": [
"California",
"Florida"
]
},
"version_number": "3"
}
},
"version": "1.2",
"version_protocol": "tls"
},
"trace": {
"id": "traceid"
},
"transaction": {
"id": "transactionid"
},
"url": {
"domain": "elastic.co",
"extension": "png",
"fragment": "top",
"full": "www.elastic.co/test.png",
"original": "www.elastic.co/test.png",
"password": "password123",
"path": "/test.png",
"port": 123,
"query": "?somesearch=123",
"registered_domain": "registered_domain",
"scheme": "https",
"subdomain": "somesubdomain",
"top_level_domain": "d111111abcdef8",
"username": "urluser"
},
"user": {
"changes": {
"domain": "www.elastic.co",
"email": "test@test.com",
"full_name": "somename",
"group": {
"domain": "groupdomain",
"id": "groupid",
"name": "groupname"
},
"hash": "123456789012345678901234567890ABCD",
"id": "userid",
"name": "username",
"roles": [
"role1",
"role2"
]
},
"domain": "www.elastic.co",
"effective": {
"domain": "www.elastic.co",
"email": "test@test.com",
"full_name": "somename",
"group": {
"domain": "groupdomain",
"id": "groupid",
"name": "groupname"
},
"hash": "123456789012345678901234567890ABCD",
"id": "userid",
"name": "username",
"roles": [
"role1",
"role2"
]
},
"email": "test@test.com",
"full_name": "somename",
"group": {
"domain": "groupdomain",
"id": "groupid",
"name": "groupname"
},
"hash": "123456789012345678901234567890ABCD",
"id": "userid",
"name": "username",
"risk": {
"calculated_levels": "High",
"calculated_score": 880.73,
"calculated_score_norm": 88.73,
"static_level": "High",
"static_score": 830.0,
"static_score_norm": 83.0
},
"roles": [
"role1",
"role2"
],
"target": {
"domain": "www.elastic.co",
"email": "test@test.com",
"full_name": "somename",
"group": {
"domain": "groupdomain",
"id": "groupid",
"name": "groupname"
},
"hash": "123456789012345678901234567890ABCD",
"id": "userid",
"name": "username",
"roles": [
"role1",
"role2"
]
}
},
"user_agent": {
"name": "Safari",
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
"os": {
"family": "debian",
"full": "Mac OS Mojave",
"kernel": "4.4.4-112-generic",
"name": "MAC OS X",
"platform": "darwin",
"type": "macos",
"version": "10.14.1"
},
"version": "12.0"
},
"vulnerability": {
"category": [
"Firewall",
"Host"
],
"classification": "CVSS",
"description": "Vulnerability description",
"enumeration": "CVE",
"id": "CVE-2020-001",
"reference": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111",
"report_id": "20191018.0001",
"scanner": {
"vendor": "Tenable"
},
"score": {
"base": 5.5,
"environmental": 5.5,
"temporal": 2.2,
"version": "2.0"
},
"severity": "Critical"
}
}