CrowdstrikeFDR: Samples,parser,table-schema

This commit is contained in:
Alex Verbniak 2021-03-09 12:33:14 +02:00
Родитель 845d32dbc5
Коммит 59b35dad7a
3 изменённых файлов: 3691 добавлений и 0 удалений



@ -0,0 +1,663 @@
[{
"ProcessCreateFlags":"525332",
"IntegrityLevel":"4096",
"ParentProcessId":"2065892889926",
"SourceProcessId":"2065892889926",
"aip":"165.165.165.165",
"SHA1HashData":"0000000000000000000000000000000000000000",
"UserSid":"S-1-12-1-3105947409-1312664182-3305734049-3050736265",
"event_platform":"Win",
"TokenType":"2",
"ProcessEndTime":"",
"AuthenticodeHashData":"7e23eb59249cc9d1be47b6e0dd9e89039d5dc6eb70b5105051ed739418a68c5e",
"ParentBaseFileName":"svchost.exe",
"RpcClientProcessId":"2065892889926",
"ImageSubsystem":"2",
"id":"8b1852b8-649f-11eb-811e-06ca739c04b7",
"EffectiveTransmissionClass":"3",
"SessionId":"1",
"Tags":"53, 54, 55, 12094627905582, 12094627906234",
"timestamp":"1612192196113",
"event_simpleName":"ProcessRollup2",
"RawProcessId":"19076",
"ConfigStateHash":"4091923303",
"MD5HashData":"b7fc4a29431d4f795bbab1fb182b759a",
"SHA256HashData":"48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
"ProcessSxsFlags":"1600",
"AuthenticationId":"1259939",
"ConfigBuild":"1007.3.0012806.1",
"WindowFlags":"128",
"CommandLine":"\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
"ParentAuthenticationId":"1259939",
"TargetProcessId":"2119008022556",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe",
"SourceThreadId":"67139455641525",
"Entitlements":"15",
"name":"ProcessRollup2V19",
"ProcessStartTime":"1612192197.855",
"ProcessParameterFlags":"16385",
"aid":"f0b5394377fb4cc1592c660de3ac2ccb",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"ScreenshotsTakenCount":"0",
"ExitCode":"0",
"ParentProcessId":"1421648597103",
"UserSid":"S-1-5-20",
"NetworkListenCount":"0",
"SuspiciousRawDiskReadCount":"0",
"NetworkBindCount":"0",
"NetworkRecvAcceptCount":"0",
"ContextData":"",
"id":"9047859a-649f-11eb-b1b3-068090ee3e49",
"NewExecutableWrittenCount":"0",
"ExeAndServiceCount":"0",
"NetworkCloseCount":"0",
"SuspectStackCount":"0",
"CLICreationCount":"0",
"UnsignedModuleLoadCount":"0",
"UserTime":"156250",
"event_simpleName":"EndOfProcess",
"RawProcessId":"13184",
"ContextTimeStamp":"1612192202.219",
"AllocateVirtualMemoryCount":"0",
"ContextProcessId":"1437581318764",
"ServiceEventCount":"0",
"SnapshotFileOpenCount":"0",
"RemovableDiskFileWrittenCount":"0",
"InjectedDllCount":"0",
"ModuleLoadCount":"39",
"UserMemoryProtectExecutableCount":"0",
"NetworkCapableAsepWriteCount":"0",
"TargetProcessId":"1437581318764",
"DnsRequestCount":"0",
"ArchiveFileWrittenCount":"0",
"Entitlements":"15",
"name":"EndOfProcessV15",
"ProcessStartTime":"1612192112.216",
"SetThreadContextCount":"0",
"SuspiciousCredentialModuleLoadCount":"0",
"aid":"d4a94db4404b42d95ae69960dd2364a5",
"cid":"e941027a2d1141f189b6c6c049c83215",
"FileDeletedCount":"0",
"UserMemoryAllocateExecutableCount":"0",
"DirectoryCreatedCount":"0",
"NetworkConnectCountUdp":"0",
"QueueApcCount":"0",
"ContextThreadId":"75529593909860",
"aip":"165.165.165.165",
"SuspiciousFontLoadCount":"0",
"ConHostId":"1152",
"NetworkConnectCount":"0",
"BinaryExecutableWrittenCount":"0",
"CycleTime":"105226185",
"event_platform":"Win",
"ConHostProcessId":"1421648597103",
"PrivilegedProcessHandleCount":"0",
"MaxThreadCount":"10",
"ImageSubsystem":"2",
"GenericFileWrittenCount":"0",
"EffectiveTransmissionClass":"3",
"ScriptEngineInvocationCount":"0",
"RunDllInvocationCount":"0",
"timestamp":"1612192204811",
"CreateProcessCount":"0",
"KernelTime":"312500",
"DirectoryEnumeratedCount":"0",
"ConfigStateHash":"4091923303",
"AsepWrittenCount":"0",
"SuspiciousDnsRequestCount":"0",
"DocumentFileWrittenCount":"0",
"ProtectVirtualMemoryCount":"0",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"UserMemoryProtectExecutableRemoteCount":"0",
"ConfigBuild":"1007.3.0012806.1",
"UserMemoryAllocateExecutableRemoteCount":"0",
"ExecutableDeletedCount":"0",
"RegKeySecurityDecreasedCount":"0",
"InjectedThreadCount":"0",
"NetworkModuleLoadCount":"0"
},
{
"event_simpleName":"DnsRequest",
"ContextTimeStamp":"1612192188.546",
"ConfigStateHash":"1187562179",
"ContextProcessId":"593354899211",
"DomainName":"domain1",
"ContextThreadId":"26667268649418",
"aip":"82.82.82.82",
"QueryStatus":"9003",
"InterfaceIndex":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"DnsRequestCount":"1",
"DualRequest":"0",
"Entitlements":"15",
"name":"DnsRequestV4",
"id":"881d1128-649f-11eb-9c59-022209fbed9d",
"EffectiveTransmissionClass":"3",
"aid":"eb2763e9afca47c996acf2a8e6651f18",
"timestamp":"1612192191111",
"cid":"e941027a2d1141f189b6c6c049c83215",
"RequestType":"1"
},
{
"ChannelVersion":"2353",
"event_simpleName":"ChannelVersionRequired",
"ConfigStateHash":"3574986334",
"aip":"165.165.165.165",
"ChannelVersionRequired":"0",
"ChannelId":"200",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"ChannelVersionRequiredV1",
"id":"7d66d49d-649f-11eb-8ef0-06f5d9b66909",
"EffectiveTransmissionClass":"0",
"aid":"ec61c9f00a054a7c499eb92b9f67e2ab",
"timestamp":"1612192173140",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkConnectIP4",
"ContextTimeStamp":"1612192203.293",
"ConfigStateHash":"3840237054",
"ConnectionFlags":"0",
"ContextProcessId":"1435198812605",
"RemotePort":"443",
"ContextThreadId":"35388335972466",
"aip":"104.104.104.104",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"54781",
"Entitlements":"15",
"name":"NetworkConnectIP4V5",
"id":"8fbf8c4c-649f-11eb-93e6-06d64cd93503",
"Protocol":"6",
"EffectiveTransmissionClass":"3",
"aid":"124bdfdf1dcf4bdb6cf503d3b93a8e36",
"RemoteAddressIP4":"52.52.52.52",
"ConnectionDirection":"0",
"InContext":"0",
"timestamp":"1612192203920",
"cid":"e941027a2d1141f189bc6c049c83215"
},
{
"ModuleCharacteristics":"8450",
"ContextThreadId":"118013339024792",
"aip":"189.189.189.189",
"OriginalEventTimeStamp":"1612192206.828",
"SHA1HashData":"0000000000000000000000000000000000000000",
"event_platform":"Win",
"MappedFromUserMode":"1",
"AuthenticodeHashData":"c733fb7f27aeb8af40676839d86bf52a58e175436de685abbc25bb881c3da65f",
"id":"92b01584-649f-11eb-b4d4-02d8cc9f6f77",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192208852",
"event_simpleName":"ImageHash",
"ContextTimeStamp":"1612192206.828",
"ConfigStateHash":"4091923303",
"ContextProcessId":"4770863664501",
"MD5HashData":"2d84620a2580073a2940067e9153243b",
"SHA256HashData":"7db6c8d5f59adbcda1fd8e4052cd0f0ad2d409b19e4ead5d9800e63913c478fb",
"ConfigBuild":"1007.3.0012806.1",
"TargetProcessId":"4770863664501",
"TreeId":"249108533330",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\gdi32.dll",
"Entitlements":"15",
"name":"ImageHashV4",
"PrimaryModule":"0",
"aid":"f46cf24c09c545c06826924f56e9b12",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"event_simpleName":"SensorHeartbeat",
"ConfigStateHash":"1187562179",
"NetworkContainmentState":"0",
"aip":"165.165.165.165",
"ConfigIDBase":"65994753",
"SensorStateBitMap":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ConfigurationVersion":"10",
"Entitlements":"15",
"name":"SensorHeartbeatV4",
"ConfigIDPlatform":"3",
"id":"99d1e81e-649f-11eb-b627-06e39ca35a05",
"ConfigIDBuild":"12806",
"EffectiveTransmissionClass":"0",
"aid":"265ebfb466e649e14f739b2ec82ef4c0",
"ProvisionState":"1",
"timestamp":"1612192220818",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"Parameter2":"104741656",
"event_simpleName":"ErrorEvent",
"Parameter1":"3934815034",
"Parameter3":"0",
"ConfigStateHash":"4091923303",
"aip":"104.104.104.104",
"Line":"1066",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ErrorStatus":"3221227780",
"Entitlements":"15",
"name":"ErrorEventV1",
"id":"851075fd-649f-11eb-9d98-0256c1ba3b87",
"Facility":"67109928",
"EffectiveTransmissionClass":"0",
"aid":"7eece200f1444be9650676f1460ec1f4",
"File":"0",
"timestamp":"1612192185995",
"cid":"e941027a2d114189b6c6c049c83215"
},
{
"Options":"35651617",
"ContextThreadId":"34965671247409",
"MinorFunction":"0",
"aip":"47.47.47.47",
"FileIdentifier":"f31039767b57934cab36a2c87ff011b649010000001a00",
"Information":"2",
"event_platform":"Win",
"ShareAccess":"3",
"id":"9c750397-649f-11eb-a468-02143f29d047",
"FileObject":"18446614397218495824",
"EffectiveTransmissionClass":"3",
"FileAttributes":"128",
"timestamp":"1612192225242",
"Status":"0",
"event_simpleName":"DirectoryCreate",
"ContextTimeStamp":"1612192225.647",
"ConfigStateHash":"370429029",
"ContextProcessId":"1015925104824",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1048577",
"Entitlements":"15",
"name":"DirectoryCreateV1",
"OperationFlags":"0",
"aid":"d9a8e94338e34c667ac3c406b33a26",
"cid":"e941027a2d114189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume4\\Users\\T\\AppData\\Local\\Temp\\{A6EDA298-D2B2-43BD-BF53-4AAC80A8F624}"
},
{
"event_simpleName":"SetWinEventHookEtw",
"RawProcessId":"0",
"ContextTimeStamp":"1612192180.085",
"ConfigStateHash":"1002018934",
"EtwRawProcessId":"12680",
"ContextProcessId":"1462865029781",
"EventMax":"2147483410",
"SourceProcessId":"0",
"aip":"147.147.147.147",
"EtwRawThreadId":"13348",
"Flags":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"EventMin":"2147483408",
"SourceThreadId":"0",
"Entitlements":"15",
"name":"SetWinEventHookEtwV1",
"RawThreadId":"0",
"id":"8004b527-649f-11eb-9488-024e6bf3d6b1",
"EffectiveTransmissionClass":"3",
"aid":"e30dfd2dac46425c721ffb42691c1c",
"timestamp":"1612192177530",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkReceiveAcceptIP4",
"ContextTimeStamp":"1612192231.439",
"ConfigStateHash":"976821965",
"ConnectionFlags":"0",
"ContextProcessId":"138285062270780",
"RemotePort":"137",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"137",
"Entitlements":"15",
"name":"NetworkReceiveAcceptIP4V5",
"id":"a02b6add-649f-11eb-a61c-027816f012a3",
"Protocol":"17",
"EffectiveTransmissionClass":"3",
"aid":"acd89ebd166344b17e6d7018dbde25cc",
"RemoteAddressIP4":"23.23.23.23",
"ConnectionDirection":"1",
"InContext":"0",
"timestamp":"1612192231470",
"cid":"e941027a2d1141f186c6c049c83215"
},
{
"event_simpleName":"RegisterRawInputDevicesEtw",
"ContextTimeStamp":"1612192192.661",
"ConfigStateHash":"4091923303",
"EtwRawProcessId":"9528",
"ContextProcessId":"2801870511975",
"aip":"71.71.71.71",
"EtwRawThreadId":"9428",
"ApiReturnValue":"1",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"RegisterRawInputDevicesEtwV1",
"id":"89e6dbf0-649f-11eb-b45d-022d70a19ab5",
"EffectiveTransmissionClass":"3",
"aid":"ede5911c3ded4cac6927ee72eef376ba",
"timestamp":"1612192194111",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"Size":"14712251",
"ContextThreadId":"165986129080464",
"MinorFunction":"0",
"aip":"185.185.185.185",
"IsOnNetwork":"0",
"FileIdentifier":"5399f2747c5de811960c806e6f6e69632cc701000000e31f",
"event_platform":"Win",
"TokenType":"1",
"id":"7d82fc3d-649f-11eb-86d4-06271f28c015",
"FileObject":"2292681824",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192173324",
"event_simpleName":"DmpFileWritten",
"ContextTimeStamp":"1612192172.528",
"ConfigStateHash":"3840237054",
"ContextProcessId":"30359610206388",
"IrpFlags":"1028",
"AuthenticationId":"237790",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"DmpFileWrittenV12",
"OperationFlags":"0",
"aid":"e7149f2a8a69453b74a072f67cfc4d",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume1\\ProgramData\\Zscaler\\ZSATray.exe.11924.dmp"
},
{
"Size":"5120",
"ContextThreadId":"20459934839588",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"405e4cec2cac994b802c88a89583ce852db9000000002e00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_8086&DEV_F1A6&SUBSYS_390B8086&REV_03\\4&280be160&0&00E4",
"id":"954b4f19-649f-11eb-86b9-06f80c26adc1",
"FileObject":"18446698488861015536",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192213225",
"event_simpleName":"PeFileWritten",
"ContextTimeStamp":"1612192154.275",
"ConfigStateHash":"1187562179",
"IsTransactedFile":"0",
"ContextProcessId":"538129154765",
"IrpFlags":"1028",
"SHA256HashData":"28ca0d1c692331a22174be034be2d6a39f4c1868e2a7b23172335554fcd1e681",
"AuthenticationId":"999",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"PeFileWrittenV15",
"OperationFlags":"0",
"aid":"578817b172b44b32fec1ab92ea86b0",
"cid":"e941027a2d1141f1b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\2C957836-F162-4817-87B7-A6668CC4AE78\\en-US\\UnattendProvider.dll.mui"
},
{
"Options":"33554532",
"ContextThreadId":"76915493345508",
"MinorFunction":"0",
"aip":"147.147.147.147",
"Information":"2",
"FileIdentifier":"edc203080b0ab8458680afe68146b1ed6c62010000009700",
"event_platform":"Win",
"ShareAccess":"0",
"id":"80d5ae7b-649f-11eb-9488-024e6bf3d6b1",
"FileObject":"18446634184237273600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192178899",
"Status":"0",
"event_simpleName":"NewExecutableWritten",
"ContextTimeStamp":"1612192178.595",
"ConfigStateHash":"1002018934",
"ContextProcessId":"1462865029781",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewExecutableWrittenV1",
"OperationFlags":"0",
"aid":"e30dfd2dac464a925c721ffb42691c1c",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\S\\AppData\\Local\\assembly\\tmp\\VVCQJISQ\\Newtonsoft.Json.DLL"
},
{
"Options":"88080484",
"ContextThreadId":"121390994923701",
"MinorFunction":"0",
"aip":"165.165.165.165",
"Information":"2",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e893b34000000007e01",
"event_platform":"Win",
"ShareAccess":"1",
"id":"9a1112a6-649f-11eb-a1a0-02d051f2be4b",
"FileObject":"18446705066600845600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192221231",
"Status":"0",
"event_simpleName":"NewScriptWritten",
"ContextTimeStamp":"1612192219.844",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2092451718379",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewScriptWrittenV7",
"OperationFlags":"0",
"aid":"1d26eadfb948448653c36c1b900df377",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\__PSS.ps1"
},
{
"event_simpleName":"ExecutableDeleted",
"ContextTimeStamp":"1612192183.367",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2235221295047",
"IrpFlags":"1028",
"ContextThreadId":"115372276358029",
"MinorFunction":"0",
"aip":"165.165.165.165",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8e86ea010000006c00",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"MajorFunction":"18",
"Entitlements":"15",
"name":"ExecutableDeletedV3",
"OperationFlags":"0",
"id":"840c4b68-649f-11eb-bde3-024e3dec27db",
"FileObject":"18446713894431458368",
"EffectiveTransmissionClass":"3",
"aid":"e17bf6ec831e4f3976553f9969664271",
"timestamp":"1612192184290",
"cid":"e941027a2d1141f186c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\k\\AppData\\Local\\assembly\\tmp\\QN76W635\\WinZipExpressForOffice.DLL"
},
{
"Status":"3221225506",
"KernelTime":"0",
"event_simpleName":"SignInfoError",
"ConfigStateHash":"4091923303",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\iwprn.dll",
"Entitlements":"15",
"name":"SignInfoErrorV3",
"id":"8257ef61-649f-11eb-b376-02f6607228a3",
"EffectiveTransmissionClass":"2",
"aid":"c0da753d75ff4e7971901ab055d804b4",
"timestamp":"1612192181431",
"cid":"e941027a2d1141fb6c6c049c83215"
},
{
"Size":"104753",
"ContextThreadId":"68150305082852",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e89bd9c000000009300",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_15B7&DEV_5002&SUBSYS_500215B7&REV_00\\4&18cf69ef&0&00E4",
"id":"7d068550-649f-11eb-9be1-065505666d6f",
"FileObject":"18446655072069839760",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192172508",
"event_simpleName":"OoxmlFileWritten",
"ContextTimeStamp":"1612192167.261",
"ConfigStateHash":"1187562179",
"ContextProcessId":"1961692248212",
"TemporaryFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix",
"IrpFlags":"1028",
"AuthenticationId":"286344857",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OoxmlFileWrittenV12",
"OperationFlags":"0",
"aid":"cfbece25ef5444715fb3340fad3cab37",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix"
},
{
"event_simpleName":"ProcessRollup2Stats",
"ConfigStateHash":"2191674825",
"Timeout":"600",
"aip":"77.77.77.77",
"SHA256HashData":"7b7d042adc61f6bd613c202e72b88045702d3171ab27e4702411d337dd0ccb4b",
"ProcessCount":"6",
"ConfigBuild":"1007.4.0012204.1",
"UID":"0",
"event_platform":"Mac",
"CommandLine":"/usr/bin/awk {print $1;}",
"Entitlements":"15",
"name":"ProcessRollup2StatsMacV1",
"id":"7ddb47a2-649f-11eb-b100-069ffba97e11",
"aid":"4a685c5af31c441b78b96df71752f303",
"timestamp":"1612192173903",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"event_simpleName":"PeVersionInfo",
"ConfigStateHash":"4091923303",
"aip":"147.147.147.147",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"ConfigBuild":"1007.3.0012806.1",
"VersionInfo":"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",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"Wmiprvse.exe",
"TargetProcessId":"1467339488123",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"FileVersion":"10.0.17763.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"PeVersionInfoV3",
"id":"85d170dd-649f-11eb-b7ab-02c72af1f307",
"EffectiveTransmissionClass":"3",
"aid":"8a7c4aa9c11944aa7afa437b73a4817d",
"LanguageId":"1033",
"timestamp":"1612192187260",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"Size":"5120",
"ContextThreadId":"37505999371785",
"MinorFunction":"0",
"aip":"84.84.84.84",
"IsOnNetwork":"0",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8ed2da010000007f00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_17AA&DEV_0003&SUBSYS_100317AA&REV_00\\4&18cf69ef&0&00E4",
"id":"7fca95a3-649f-11eb-87c5-0608a1cc49e3",
"FileObject":"18446668234812634352",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192177149",
"event_simpleName":"OleFileWritten",
"ContextTimeStamp":"1612192175.957",
"ConfigStateHash":"4091923303",
"ContextProcessId":"1017509766761",
"IrpFlags":"1028",
"AuthenticationId":"757446330",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OleFileWrittenV12",
"OperationFlags":"0",
"aid":"b324ab19ddf34b8f6672c64a05758b",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\D\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\AutomationManager\\Active\\{990EF5F6-645A-11EB-AE23-7C2A31092D5A}.dat"
},
{
"event_simpleName":"DriverLoad",
"ContextTimeStamp":"1612192188.246",
"ConfigStateHash":"1036481984",
"ContextProcessId":"1305670660340",
"DriverLoadFlags":"0",
"ContextThreadId":"47805865802230",
"aip":"104.104.104.104",
"MD5HashData":"3c15a5ac47b1ca4d9a9f8680e224996f",
"SHA256HashData":"f95ec4e4e5fdff1d68179205430aad01a0124dbd682faff6270b99b4aacc793f",
"ConfigBuild":"1007.3.0012806.1",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"WSDScan.sys",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\WSDScan.sys",
"FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"DriverLoadV3",
"id":"948cb457-649f-11eb-a03c-065d96aa71d1",
"EffectiveTransmissionClass":"3",
"aid":"6bbe3993fd594f45d25512aeabbfd4",
"timestamp":"1612192211975",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"event_simpleName":"NeighborListIP4",
"ConfigStateHash":"1187562179",
"NeighborList":"BC-0F-9A-F5-62-FW|192.168.0.1|0|!!!!UNKNOWN!!!!;",
"aip":"103.103.103.103",
"InterfaceIndex":"7",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"NeighborListIP4V2",
"id":"9926a93d-649f-11eb-910e-024bf0016c79",
"EffectiveTransmissionClass":"3",
"aid":"504c07d9cdbb47ac793b11238a2476e1",
"timestamp":"1612192219695",
"cid":"e941027a2d114189b6c6c049c83215"
}
]
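Review bot: The `cid` field is not one consistent value across these records: most carry `"cid":"e941027a2d1141f189b6c6c049c83215"` (32 hex characters), but the NetworkConnectIP4, ImageHash, SensorHeartbeat, ErrorEvent, DirectoryCreate, SignInfoError, NeighborListIP4 and several of the file-written records carry 29–31-character variants of the same value, and the `aid` of ImageHash, DirectoryCreate, SetWinEventHookEtw, DmpFileWritten, PeFileWritten, OleFileWritten and DriverLoad is likewise short — this looks like redaction that dropped characters rather than replacing them, so a parser test or table-schema check that treats these as fixed-width sensor/customer identifiers may behave differently per record. Use the full `cid` in every record, restore the SetWinEventHookEtw `aid` from the NewExecutableWritten record that shares its ContextProcessId (`"aid":"e30dfd2dac464a925c721ffb42691c1c"`), and regenerate the remaining short `aid` values as 32-hex constructed strings. The `aip` values such as `165.165.165.165` and `104.104.104.104` are routable public addresses; published sample data should use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the `NeighborList` MAC `BC-0F-9A-F5-62-FW` should end in a hex octet for the same reason. Finally, `timestamp` is epoch milliseconds while `ContextTimeStamp` and `ProcessStartTime` are fractional epoch seconds, so the parser test that consumes this file should assert both conversions.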