diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CrowdstrikeReplicator b/.script/tests/KqlvalidationsTests/CustomTables/CrowdstrikeReplicator
new file mode 100644
index 0000000000..6d322f7916
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CrowdstrikeReplicator
@@ -0,0 +1,2017 @@ +{ + "Name":"CrowdstrikeReplicator", + "Properties":[ + { + "Name":"EventVendor", + "Type":"String" + }, + { + "Name":"EventProduct", + "Type":"String" + }, + { + "Name":"TimeGenerated", + "Type":"String" + }, + { + "Name":"FileMode", + "Type":"String" + }, + { + "Name":"DeviceSerialNumber", + "Type":"String" + }, + { + "Name":"IcmpCode", + "Type":"String" + }, + { + "Name":"IcmpType", + "Type":"String" + }, + { + "Name":"LastUpdateInstalledTime", + "Type":"String" + }, + { + "Name":"RebootRequired", + "Type":"String" + }, + { + "Name":"PendingUpdateIds", + "Type":"String" + }, + { + "Name":"InstalledUpdateIds", + "Type":"String" + }, + { + "Name":"InstalledUpdateExtendedStatus", + "Type":"String" + }, + { + "Name":"SupersededUpdateIds", + "Type":"String" + }, + { + "Name":"ConfigurationDescriptorValue", + "Type":"String" + }, + { + "Name":"ConfigurationDescriptorAttributes", + "Type":"String" + }, + { + "Name":"DeviceDescriptorUniqueIdentifier", + "Type":"String" + }, + { + "Name":"ConfigurationDescriptorName", + "Type":"String" + }, + { + "Name":"ConfigurationDescriptorNumInterfaces", + "Type":"String" + }, + { + "Name":"ConfigurationDescriptorMaxPowerDraw", + "Type":"String" + }, + { + "Name":"ScreenshotsTakenCount", + "Type":"String" + }, + { + "Name":"ExitCode", + "Type":"String" + }, + { + "Name":"ParentProcessId", + "Type":"String" + }, + { + "Name":"DstUserIdentity", + "Type":"String" + }, + { + "Name":"NetworkListenCount", + "Type":"String" + }, + { + "Name":"SuspiciousRawDiskReadCount", + "Type":"String" + }, + { + "Name":"NetworkBindCount", + "Type":"String" + }, + { + "Name":"NetworkRecvAcceptCount", + "Type":"String" + }, + { + "Name":"ContextData", + "Type":"String" + }, + { + "Name":"id", + "Type":"String" + }, + { + "Name":"NewExecutableWrittenCount", + "Type":"String" + }, + { + "Name":"ExeAndServiceCount", + "Type":"String" + }, + { + "Name":"NetworkCloseCount", + "Type":"String" + }, + { + "Name":"SuspectStackCount", + 
"Type":"String" + }, + { + "Name":"CLICreationCount", + "Type":"String" + }, + { + "Name":"UnsignedModuleLoadCount", + "Type":"String" + }, + { + "Name":"UserTime", + "Type":"String" + }, + { + "Name":"EventMessage", + "Type":"String" + }, + { + "Name":"RawProcessId", + "Type":"String" + }, + { + "Name":"ContextTimeStamp", + "Type":"String" + }, + { + "Name":"AllocateVirtualMemoryCount", + "Type":"String" + }, + { + "Name":"ContextProcessId", + "Type":"String" + }, + { + "Name":"ServiceEventCount", + "Type":"String" + }, + { + "Name":"SnapshotFileOpenCount", + "Type":"String" + }, + { + "Name":"RemovableDiskFileWrittenCount", + "Type":"String" + }, + { + "Name":"InjectedDllCount", + "Type":"String" + }, + { + "Name":"ModuleLoadCount", + "Type":"String" + }, + { + "Name":"UserMemoryProtectExecutableCount", + "Type":"String" + }, + { + "Name":"NetworkCapableAsepWriteCount", + "Type":"String" + }, + { + "Name":"TargetProcessId", + "Type":"String" + }, + { + "Name":"DnsRequestCount", + "Type":"String" + }, + { + "Name":"ArchiveFileWrittenCount", + "Type":"String" + }, + { + "Name":"Entitlements", + "Type":"String" + }, + { + "Name":"name", + "Type":"String" + }, + { + "Name":"ProcessStartTime", + "Type":"String" + }, + { + "Name":"SetThreadContextCount", + "Type":"String" + }, + { + "Name":"SuspiciousCredentialModuleLoadCount", + "Type":"String" + }, + { + "Name":"DvcInterfaceGuid", + "Type":"String" + }, + { + "Name":"cid", + "Type":"String" + }, + { + "Name":"FileDeletedCount", + "Type":"String" + }, + { + "Name":"UserMemoryAllocateExecutableCount", + "Type":"String" + }, + { + "Name":"DirectoryCreatedCount", + "Type":"String" + }, + { + "Name":"NetworkConnectCountUdp", + "Type":"String" + }, + { + "Name":"QueueApcCount", + "Type":"String" + }, + { + "Name":"ContextThreadId", + "Type":"String" + }, + { + "Name":"aip", + "Type":"String" + }, + { + "Name":"SuspiciousFontLoadCount", + "Type":"String" + }, + { + "Name":"ConHostId", + "Type":"String" + }, + { + 
"Name":"NetworkConnectCount", + "Type":"String" + }, + { + "Name":"BinaryExecutableWrittenCount", + "Type":"String" + }, + { + "Name":"CycleTime", + "Type":"String" + }, + { + "Name":"DvcOs", + "Type":"String" + }, + { + "Name":"ConHostProcessId", + "Type":"String" + }, + { + "Name":"PrivilegedProcessHandleCount", + "Type":"String" + }, + { + "Name":"MaxThreadCount", + "Type":"String" + }, + { + "Name":"ImageSubsystem", + "Type":"String" + }, + { + "Name":"GenericFileWrittenCount", + "Type":"String" + }, + { + "Name":"EffectiveTransmissionClass", + "Type":"String" + }, + { + "Name":"ScriptEngineInvocationCount", + "Type":"String" + }, + { + "Name":"RunDllInvocationCount", + "Type":"String" + }, + { + "Name":"timestamp", + "Type":"String" + }, + { + "Name":"CreateProcessCount", + "Type":"String" + }, + { + "Name":"KernelTime", + "Type":"String" + }, + { + "Name":"DirectoryEnumeratedCount", + "Type":"String" + }, + { + "Name":"ConfigStateHash", + "Type":"String" + }, + { + "Name":"AsepWrittenCount", + "Type":"String" + }, + { + "Name":"SuspiciousDnsRequestCount", + "Type":"String" + }, + { + "Name":"DocumentFileWrittenCount", + "Type":"String" + }, + { + "Name":"ProtectVirtualMemoryCount", + "Type":"String" + }, + { + "Name":"ProcessHashSha256", + "Type":"String" + }, + { + "Name":"UserMemoryProtectExecutableRemoteCount", + "Type":"String" + }, + { + "Name":"ConfigBuild", + "Type":"String" + }, + { + "Name":"UserMemoryAllocateExecutableRemoteCount", + "Type":"String" + }, + { + "Name":"ExecutableDeletedCount", + "Type":"String" + }, + { + "Name":"RegKeySecurityDecreasedCount", + "Type":"String" + }, + { + "Name":"InjectedThreadCount", + "Type":"String" + }, + { + "Name":"NetworkModuleLoadCount", + "Type":"String" + }, + { + "Name":"WindowTitle", + "Type":"String" + }, + { + "Name":"ProcessCreateFlags", + "Type":"String" + }, + { + "Name":"IntegrityLevel", + "Type":"String" + }, + { + "Name":"SourceProcessId", + "Type":"String" + }, + { + "Name":"ProcessHashSha1", + 
"Type":"String" + }, + { + "Name":"TokenType", + "Type":"String" + }, + { + "Name":"ProcessEndTime", + "Type":"String" + }, + { + "Name":"AuthenticodeHashData", + "Type":"String" + }, + { + "Name":"ParentBaseFileName", + "Type":"String" + }, + { + "Name":"SessionId", + "Type":"String" + }, + { + "Name":"Tags", + "Type":"String" + }, + { + "Name":"ProcessHashMd5", + "Type":"String" + }, + { + "Name":"ProcessSxsFlags", + "Type":"String" + }, + { + "Name":"AuthenticationId", + "Type":"String" + }, + { + "Name":"WindowFlags", + "Type":"String" + }, + { + "Name":"ProcessCommandLine", + "Type":"String" + }, + { + "Name":"ParentAuthenticationId", + "Type":"String" + }, + { + "Name":"FileName", + "Type":"String" + }, + { + "Name":"SourceThreadId", + "Type":"String" + }, + { + "Name":"ProcessParameterFlags", + "Type":"String" + }, + { + "Name":"SignInfoFlags", + "Type":"String" + }, + { + "Name":"ChannelVersion", + "Type":"String" + }, + { + "Name":"ChannelVersionRequired", + "Type":"String" + }, + { + "Name":"ChannelId", + "Type":"String" + }, + { + "Name":"DnsResponseType", + "Type":"String" + }, + { + "Name":"IP4Records", + "Type":"String" + }, + { + "Name":"CNAMERecords", + "Type":"String" + }, + { + "Name":"QueryStatus", + "Type":"String" + }, + { + "Name":"InterfaceIndex", + "Type":"String" + }, + { + "Name":"DualRequest", + "Type":"String" + }, + { + "Name":"FirstIP4Record", + "Type":"String" + }, + { + "Name":"UrlDomain", + "Type":"String" + }, + { + "Name":"RespondingDnsServer", + "Type":"String" + }, + { + "Name":"RequestType", + "Type":"String" + }, + { + "Name":"FirewallRuleId", + "Type":"String" + }, + { + "Name":"Options", + "Type":"String" + }, + { + "Name":"MinorFunction", + "Type":"String" + }, + { + "Name":"FileIdentifier", + "Type":"String" + }, + { + "Name":"Information", + "Type":"String" + }, + { + "Name":"ShareAccess", + "Type":"String" + }, + { + "Name":"FileObject", + "Type":"String" + }, + { + "Name":"FilePermission", + "Type":"String" + }, + { + 
"Name":"Status", + "Type":"String" + }, + { + "Name":"IrpFlags", + "Type":"String" + }, + { + "Name":"MajorFunction", + "Type":"String" + }, + { + "Name":"DesiredAccess", + "Type":"String" + }, + { + "Name":"OperationFlags", + "Type":"String" + }, + { + "Name":"TargetFileName", + "Type":"String" + }, + { + "Name":"CallStackModuleNamesVersion", + "Type":"String" + }, + { + "Name":"CsaProcessDataCollectionInstanceId", + "Type":"String" + }, + { + "Name":"CallStackModuleNames", + "Type":"String" + }, + { + "Name":"CreateProcessType", + "Type":"String" + }, + { + "Name":"EtwRawProcessId", + "Type":"String" + }, + { + "Name":"EventMax", + "Type":"String" + }, + { + "Name":"EtwRawThreadId", + "Type":"String" + }, + { + "Name":"Flags", + "Type":"String" + }, + { + "Name":"EventMin", + "Type":"String" + }, + { + "Name":"RawThreadId", + "Type":"String" + }, + { + "Name":"SrcIpAddr", + "Type":"String" + }, + { + "Name":"ConnectionFlags", + "Type":"String" + }, + { + "Name":"DstIpPort", + "Type":"String" + }, + { + "Name":"SrcIpPort", + "Type":"String" + }, + { + "Name":"Protocol", + "Type":"String" + }, + { + "Name":"DstIpAddr", + "Type":"String" + }, + { + "Name":"ConnectionDirection", + "Type":"String" + }, + { + "Name":"InContext", + "Type":"String" + }, + { + "Name":"NetworkContainmentState", + "Type":"String" + }, + { + "Name":"ConfigIDBase", + "Type":"String" + }, + { + "Name":"SensorStateBitMap", + "Type":"String" + }, + { + "Name":"ConfigurationVersion", + "Type":"String" + }, + { + "Name":"ConfigIDPlatform", + "Type":"String" + }, + { + "Name":"ConfigIDBuild", + "Type":"String" + }, + { + "Name":"ProvisionState", + "Type":"String" + }, + { + "Name":"Size", + "Type":"String" + }, + { + "Name":"IsOnNetwork", + "Type":"String" + }, + { + "Name":"DiskParentDeviceInstanceId", + "Type":"String" + }, + { + "Name":"TemporaryFileName", + "Type":"String" + }, + { + "Name":"FileEcpBitmask", + "Type":"String" + }, + { + "Name":"IsOnRemovableDisk", + "Type":"String" + }, + { + 
"Name":"ModuleCharacteristics", + "Type":"String" + }, + { + "Name":"OriginalEventTimeStamp", + "Type":"String" + }, + { + "Name":"MappedFromUserMode", + "Type":"String" + }, + { + "Name":"TreeId", + "Type":"String" + }, + { + "Name":"PrimaryModule", + "Type":"String" + }, + { + "Name":"UserIsAdmin", + "Type":"String" + }, + { + "Name":"LogoffTime", + "Type":"String" + }, + { + "Name":"LogonTime", + "Type":"String" + }, + { + "Name":"LogonDomain", + "Type":"String" + }, + { + "Name":"RemoteAccount", + "Type":"String" + }, + { + "Name":"UserFlags", + "Type":"String" + }, + { + "Name":"LogonServer", + "Type":"String" + }, + { + "Name":"DstUserName", + "Type":"String" + }, + { + "Name":"LogonType", + "Type":"String" + }, + { + "Name":"AuthenticationPackage", + "Type":"String" + }, + { + "Name":"UserPrincipal", + "Type":"String" + }, + { + "Name":"PasswordLastSet", + "Type":"String" + }, + { + "Name":"UserLogoffType", + "Type":"String" + }, + { + "Name":"UserLogonFlags", + "Type":"String" + }, + { + "Name":"Parameter2", + "Type":"String" + }, + { + "Name":"Parameter1", + "Type":"String" + }, + { + "Name":"Parameter3", + "Type":"String" + }, + { + "Name":"Line", + "Type":"String" + }, + { + "Name":"ErrorStatus", + "Type":"String" + }, + { + "Name":"Facility", + "Type":"String" + }, + { + "Name":"File", + "Type":"String" + }, + { + "Name":"PublicKeys", + "Type":"String" + }, + { + "Name":"HandleCreated", + "Type":"String" + }, + { + "Name":"ExtendedKeyUsages", + "Type":"String" + }, + { + "Name":"FileSigningTime", + "Type":"String" + }, + { + "Name":"Object1Name", + "Type":"String" + }, + { + "Name":"Object1Type", + "Type":"String" + }, + { + "Name":"Certificate", + "Type":"String" + }, + { + "Name":"RpcClientProcessId", + "Type":"String" + }, + { + "Name":"SyntheticPR2Flags", + "Type":"String" + }, + { + "Name":"MachOSubType", + "Type":"String" + }, + { + "Name":"SessionProcessId", + "Type":"String" + }, + { + "Name":"SVUID", + "Type":"String" + }, + { + 
"Name":"ProcessGroupId", + "Type":"String" + }, + { + "Name":"GID", + "Type":"String" + }, + { + "Name":"SVGID", + "Type":"String" + }, + { + "Name":"UID", + "Type":"String" + }, + { + "Name":"RGID", + "Type":"String" + }, + { + "Name":"RUID", + "Type":"String" + }, + { + "Name":"NeighborList", + "Type":"String" + }, + { + "Name":"DownloadServer", + "Type":"String" + }, + { + "Name":"DownloadPath", + "Type":"String" + }, + { + "Name":"DownloadPort", + "Type":"String" + }, + { + "Name":"CompletionEventId", + "Type":"String" + }, + { + "Name":"IsTransactedFile", + "Type":"String" + }, + { + "Name":"WindowStation", + "Type":"String" + }, + { + "Name":"BoundingLimitCount", + "Type":"String" + }, + { + "Name":"ProcessBehaviorBitfield", + "Type":"String" + }, + { + "Name":"Desktop", + "Type":"String" + }, + { + "Name":"PatternId", + "Type":"String" + }, + { + "Name":"ExclusionType", + "Type":"String" + }, + { + "Name":"ExclusionSource", + "Type":"String" + }, + { + "Name":"DriverLoadFlags", + "Type":"String" + }, + { + "Name":"CompanyName", + "Type":"String" + }, + { + "Name":"OriginalFilename", + "Type":"String" + }, + { + "Name":"FileVersion", + "Type":"String" + }, + { + "Name":"GrandParentBaseFileName", + "Type":"String" + }, + { + "Name":"ShowWindowFlags", + "Type":"String" + }, + { + "Name":"ThreadStartAddress", + "Type":"String" + }, + { + "Name":"InjectedThreadFlag", + "Type":"String" + }, + { + "Name":"UserThread", + "Type":"String" + }, + { + "Name":"TargetThreadModule", + "Type":"String" + }, + { + "Name":"TargetThreadId", + "Type":"String" + }, + { + "Name":"ThreadStartContext", + "Type":"String" + }, + { + "Name":"SourceThreadStartAddress", + "Type":"String" + }, + { + "Name":"InterfaceGuid", + "Type":"String" + }, + { + "Name":"InterfaceVersion", + "Type":"String" + }, + { + "Name":"RpcClientThreadId", + "Type":"String" + }, + { + "Name":"TaskXml", + "Type":"String" + }, + { + "Name":"TaskAuthor", + "Type":"String" + }, + { + "Name":"TaskName", + 
"Type":"String" + }, + { + "Name":"RpcOpNum", + "Type":"String" + }, + { + "Name":"TaskExecArguments", + "Type":"String" + }, + { + "Name":"TaskExecCommand", + "Type":"String" + }, + { + "Name":"RpcNestingLevel", + "Type":"String" + }, + { + "Name":"ErrorLocation", + "Type":"String" + }, + { + "Name":"ErrorReason", + "Type":"String" + }, + { + "Name":"Parameter64_1", + "Type":"String" + }, + { + "Name":"ErrorSource", + "Type":"String" + }, + { + "Name":"ParameterSizedBuffer_1", + "Type":"String" + }, + { + "Name":"ErrorCode", + "Type":"String" + }, + { + "Name":"DeviceProductId", + "Type":"String" + }, + { + "Name":"DeviceVersion", + "Type":"String" + }, + { + "Name":"DeviceTimeStamp", + "Type":"String" + }, + { + "Name":"DeviceInstanceId", + "Type":"String" + }, + { + "Name":"DeviceDescriptorSetHash", + "Type":"String" + }, + { + "Name":"DeviceVendorId", + "Type":"String" + }, + { + "Name":"DeviceManufacturer", + "Type":"String" + }, + { + "Name":"DeviceProduct", + "Type":"String" + }, + { + "Name":"GroupRid", + "Type":"String" + }, + { + "Name":"UserRid", + "Type":"String" + }, + { + "Name":"DomainSid", + "Type":"String" + }, + { + "Name":"LightningLatencyState", + "Type":"String" + }, + { + "Name":"UnixMode", + "Type":"String" + }, + { + "Name":"VnodeType", + "Type":"String" + }, + { + "Name":"TargetDirectoryName", + "Type":"String" + }, + { + "Name":"ApiReturnValue", + "Type":"String" + }, + { + "Name":"ServiceDisplayName", + "Type":"String" + }, + { + "Name":"LinkName", + "Type":"String" + }, + { + "Name":"VersionInfo", + "Type":"String" + }, + { + "Name":"LanguageId", + "Type":"String" + }, + { + "Name":"AsepFlags", + "Type":"String" + }, + { + "Name":"RegObjectName", + "Type":"String" + }, + { + "Name":"Data1", + "Type":"String" + }, + { + "Name":"RegOperationType", + "Type":"String" + }, + { + "Name":"ProcessArgs", + "Type":"String" + }, + { + "Name":"RegStringValue", + "Type":"String" + }, + { + "Name":"RegType", + "Type":"String" + }, + { + 
"Name":"AsepClass", + "Type":"String" + }, + { + "Name":"AsepIndex", + "Type":"String" + }, + { + "Name":"RegValueName", + "Type":"String" + }, + { + "Name":"AsepValueType", + "Type":"String" + }, + { + "Name":"LocalSession", + "Type":"String" + }, + { + "Name":"DstDvcHostname", + "Type":"String" + }, + { + "Name":"PrivilegesBitmask", + "Type":"String" + }, + { + "Name":"EnabledPrivilegesBitmask", + "Type":"String" + }, + { + "Name":"UserGroupsBitmask", + "Type":"String" + }, + { + "Name":"Timeout", + "Type":"String" + }, + { + "Name":"ProcessCount", + "Type":"String" + }, + { + "Name":"SuppressType", + "Type":"String" + }, + { + "Name":"BoundedCount", + "Type":"String" + }, + { + "Name":"IP6Records", + "Type":"String" + }, + { + "Name":"FirstIP6Record", + "Type":"String" + }, + { + "Name":"WmiQuery", + "Type":"String" + }, + { + "Name":"WmiNamespaceName", + "Type":"String" + }, + { + "Name":"RegClassificationIndex", + "Type":"String" + }, + { + "Name":"RegClassificationFlags", + "Type":"String" + }, + { + "Name":"RegClassification", + "Type":"String" + }, + { + "Name":"SystemTableIndex", + "Type":"String" + }, + { + "Name":"ScreenshotType", + "Type":"String" + }, + { + "Name":"SubStatus", + "Type":"String" + }, + { + "Name":"UmppaInjectAbortCount", + "Type":"String" + }, + { + "Name":"UmppaInjectFailedCount", + "Type":"String" + }, + { + "Name":"UmppaInjectionType", + "Type":"String" + }, + { + "Name":"UmppaInjectLoadFailCount", + "Type":"String" + }, + { + "Name":"UmppaInjectCfgCheckCount", + "Type":"String" + }, + { + "Name":"UmppaInjectExtensionErrorCount", + "Type":"String" + }, + { + "Name":"UmppaInjectInvalidThreadCount", + "Type":"String" + }, + { + "Name":"UmppaInjectFileSectionCount", + "Type":"String" + }, + { + "Name":"TotalCount", + "Type":"String" + }, + { + "Name":"UmppaInjectLoadErrorCount", + "Type":"String" + }, + { + "Name":"UmppaInjectBadAlertCount", + "Type":"String" + }, + { + "Name":"UmppaInjectApcInsertionCount", + "Type":"String" + }, + { + 
"Name":"UmppaInjectCopyFailCount", + "Type":"String" + }, + { + "Name":"FirewallRuleId", + "Type":"String" + }, + { + "Name":"FirewallRule", + "Type":"String" + }, + { + "Name":"RegNumericValue", + "Type":"String" + }, + { + "Name":"VolumeDriveLetter", + "Type":"String" + }, + { + "Name":"VolumeSnapshotName", + "Type":"String" + }, + { + "Name":"VolumeName", + "Type":"String" + }, + { + "Name":"UserCanonical", + "Type":"String" + }, + { + "Name":"LogonId", + "Type":"String" + }, + { + "Name":"ConfigStateData", + "Type":"String" + }, + { + "Name":"FirewallProfile", + "Type":"String" + }, + { + "Name":"FirewallOption", + "Type":"String" + }, + { + "Name":"FirewallOptionNumericValue", + "Type":"String" + }, + { + "Name":"SmbShareName", + "Type":"String" + }, + { + "Name":"TargetSHA256HashData", + "Type":"String" + }, + { + "Name":"IsCpuDataCommonOnAllCores", + "Type":"String" + }, + { + "Name":"SpibarDataFrap", + "Type":"String" + }, + { + "Name":"EfiVariableDbxSha256Hash", + "Type":"String" + }, + { + "Name":"PciConfigDataBgsm", + "Type":"String" + }, + { + "Name":"PciConfigDataDpr", + "Type":"String" + }, + { + "Name":"CpuDataCommonSmrrSupported", + "Type":"String" + }, + { + "Name":"SpibarDataHsfc", + "Type":"String" + }, + { + "Name":"EfiVariableSecureBoot", + "Type":"String" + }, + { + "Name":"PciConfigDataMesegMask", + "Type":"String" + }, + { + "Name":"PciConfigDataTolud", + "Type":"String" + }, + { + "Name":"EfiVariableDbxAttributes", + "Type":"String" + }, + { + "Name":"PciConfigDataPavpc", + "Type":"String" + }, + { + "Name":"EfiVariableCustomModeAttributes", + "Type":"String" + }, + { + "Name":"SpibarDataFreg3", + "Type":"String" + }, + { + "Name":"SpibarDataFreg4", + "Type":"String" + }, + { + "Name":"SpibarDataFreg1", + "Type":"String" + }, + { + "Name":"SpibarDataFreg2", + "Type":"String" + }, + { + "Name":"SpibarDataFreg0", + "Type":"String" + }, + { + "Name":"EfiSupported", + "Type":"String" + }, + { + "Name":"EfiVariablePkAttributes", + 
"Type":"String" + }, + { + "Name":"CpuDataCommonPrmrrUncorePhysicalMask", + "Type":"String" + }, + { + "Name":"PciConfigDataGenPmconA", + "Type":"String" + }, + { + "Name":"PciConfigDataTsegmb", + "Type":"String" + }, + { + "Name":"SpibarDataVscc0", + "Type":"String" + }, + { + "Name":"EfiVariablePkSha256Hash", + "Type":"String" + }, + { + "Name":"SpibarDataVscc1", + "Type":"String" + }, + { + "Name":"CpuDataCommonSmrrPhysicalMask", + "Type":"String" + }, + { + "Name":"NorthBridgeDeviceId", + "Type":"String" + }, + { + "Name":"IsNorthBridgeSupported", + "Type":"String" + }, + { + "Name":"PciConfigDataTom", + "Type":"String" + }, + { + "Name":"EfiVariableKekSha256Hash", + "Type":"String" + }, + { + "Name":"SouthBridgeVendorId", + "Type":"String" + }, + { + "Name":"EfiVariableSignatureSupport", + "Type":"String" + }, + { + "Name":"MmioDataTco1Cnt", + "Type":"String" + }, + { + "Name":"EfiVariableKekAttributes", + "Type":"String" + }, + { + "Name":"FirmwareAnalysisCpuSupported", + "Type":"String" + }, + { + "Name":"MmioDataSmiEn", + "Type":"String" + }, + { + "Name":"CpuDataCommonPrmrrUncoreSupported", + "Type":"String" + }, + { + "Name":"NorthBridgeVendorId", + "Type":"String" + }, + { + "Name":"CpuDataCommonMsrApicBase", + "Type":"String" + }, + { + "Name":"EfiVariableDbAttributes", + "Type":"String" + }, + { + "Name":"SpibarDataPr2", + "Type":"String" + }, + { + "Name":"SpibarDataBfpr", + "Type":"String" + }, + { + "Name":"SpibarDataPr1", + "Type":"String" + }, + { + "Name":"EfiVariableSecureBootAttributes", + "Type":"String" + }, + { + "Name":"SpibarDataPr0", + "Type":"String" + }, + { + "Name":"IsSouthBridgeSupported", + "Type":"String" + }, + { + "Name":"PciConfigDataHfsts1", + "Type":"String" + }, + { + "Name":"CpuDataCommonMsrFeatureControl", + "Type":"String" + }, + { + "Name":"PciConfigDataRemaplimit", + "Type":"String" + }, + { + "Name":"CpuDataCommonSiliconDebugFeatureControl", + "Type":"String" + }, + { + "Name":"CpuDataCommonSmrrPhysicalBase", + 
"Type":"String" + }, + { + "Name":"SouthBridgeDeviceId", + "Type":"String" + }, + { + "Name":"CpuDataCommonPrmrrPhysicalMask", + "Type":"String" + }, + { + "Name":"EfiVariableDbSha256Hash", + "Type":"String" + }, + { + "Name":"SpibarDataHsfs", + "Type":"String" + }, + { + "Name":"PciConfigDataRemapbase", + "Type":"String" + }, + { + "Name":"EfiVariableCustomMode", + "Type":"String" + }, + { + "Name":"PciConfigDataGgc", + "Type":"String" + }, + { + "Name":"PciConfigDataTouud", + "Type":"String" + }, + { + "Name":"SpibarDataPr4", + "Type":"String" + }, + { + "Name":"SpibarDataPr3", + "Type":"String" + }, + { + "Name":"CpuDataCommonPrmrrSupported", + "Type":"String" + }, + { + "Name":"PciConfigDataSmramc", + "Type":"String" + }, + { + "Name":"EfiVariableSignatureSupportAttributes", + "Type":"String" + }, + { + "Name":"PciConfigDataBdsm", + "Type":"String" + }, + { + "Name":"EfiVariableSetupModeAttributes", + "Type":"String" + }, + { + "Name":"EfiVariableSetupMode", + "Type":"String" + }, + { + "Name":"PciConfigDataBiosCntl", + "Type":"String" + }, + { + "Name":"PciConfigDataMesegBase", + "Type":"String" + }, + { + "Name":"SourceFileName", + "Type":"String" + }, + { + "Name":"NewFileIdentifier", + "Type":"String" + }, + { + "Name":"FeatureVector", + "Type":"String" + }, + { + "Name":"ModelPrediction", + "Type":"String" + }, + { + "Name":"Malicious", + "Type":"String" + }, + { + "Name":"FeatureExtractionVersion", + "Type":"String" + }, + { + "Name":"FXFileSize", + "Type":"String" + }, + { + "Name":"MLModelVersion", + "Type":"String" + }, + { + "Name":"FontBufferLength", + "Type":"String" + }, + { + "Name":"FontFileCount", + "Type":"String" + }, + { + "Name":"FontLoadOperation", + "Type":"String" + }, + { + "Name":"FontBuffer", + "Type":"String" + }, + { + "Name":"FontFileName", + "Type":"String" + }, + { + "Name":"TemplateInstanceId", + "Type":"String" + }, + { + "Name":"PatternDisposition", + "Type":"String" + }, + { + "Name":"ServicePackMajor", + "Type":"String" + }, 
+ { + "Name":"ProductSku", + "Type":"String" + }, + { + "Name":"PointerSize", + "Type":"String" + }, + { + "Name":"ProductName", + "Type":"String" + }, + { + "Name":"AgentVersion", + "Type":"String" + }, + { + "Name":"ServicePackMinor", + "Type":"String" + }, + { + "Name":"SuiteMask", + "Type":"String" + }, + { + "Name":"SubBuildNumber", + "Type":"String" + }, + { + "Name":"PlatformId", + "Type":"String" + }, + { + "Name":"BuildType", + "Type":"String" + }, + { + "Name":"MajorVersion", + "Type":"String" + }, + { + "Name":"ProductType", + "Type":"String" + }, + { + "Name":"MinorVersion", + "Type":"String" + }, + { + "Name":"CheckedBuild", + "Type":"String" + }, + { + "Name":"BuildNumber", + "Type":"String" + }, + { + "Name":"RFMState", + "Type":"String" + }, + { + "Name":"FirmwareAnalysisEclControlInterfaceVersion", + "Type":"String" + }, + { + "Name":"FirmwareAnalysisEclConsumerInterfaceVersion", + "Type":"String" + }, + { + "Name":"BootTimeFunctionalityLevel", + "Type":"String" + }, + { + "Name":"ReasonOfFunctionalityLevel", + "Type":"String" + }, + { + "Name":"CurrentFunctionalityLevel", + "Type":"String" + }, + { + "Name":"PciAttachmentState", + "Type":"String" + }, + { + "Name":"LocalAddressIP6", + "Type":"String" + }, + { + "Name":"RemoteAddressIP6", + "Type":"String" + }, + { + "Name":"RegBinaryValue", + "Type":"String" + }, + { + "Name":"ServiceDescription", + "Type":"String" + }, + { + "Name":"ServiceSecurity", + "Type":"String" + }, + { + "Name":"ServiceImagePath", + "Type":"String" + }, + { + "Name":"ServiceStart", + "Type":"String" + }, + { + "Name":"ServiceType", + "Type":"String" + }, + { + "Name":"ServiceFailureActions", + "Type":"String" + }, + { + "Name":"ServiceErrorControl", + "Type":"String" + }, + { + "Name":"SymbolicLinkName", + "Type":"String" + }, + { + "Name":"SymbolicLinkTarget", + "Type":"String" + }, + { + "Name":"DevicePropertyClassName", + "Type":"String" + }, + { + "Name":"DeviceActiveConfigurationNumber", + "Type":"String" + }, + { + 
"Name":"DevicePropertyClassGuid", + "Type":"String" + }, + { + "Name":"DeviceUsbSubclass", + "Type":"String" + }, + { + "Name":"DeviceSerialNumber", + "Type":"String" + }, + { + "Name":"ParentHubInstanceId", + "Type":"String" + }, + { + "Name":"DeviceConnectionStatus", + "Type":"String" + }, + { + "Name":"DeviceUsbClass", + "Type":"String" + }, + { + "Name":"ParentHubPort", + "Type":"String" + }, + { + "Name":"DevicePropertyManufacturer", + "Type":"String" + }, + { + "Name":"DevicePropertyLocationInformation", + "Type":"String" + }, + { + "Name":"DeviceProtocol", + "Type":"String" + }, + { + "Name":"DevicePropertyDeviceDescription", + "Type":"String" + }, + { + "Name":"DeviceUsbVersion", + "Type":"String" + }, + { + "Name":"ModuleBaseAddress", + "Type":"String" + }, + { + "Name":"ModuleSize", + "Type":"String" + }, + { + "Name":"IsOnClearCaseMvfs", + "Type":"String" + }, + { + "Name":"DllCharacteristics", + "Type":"String" + }, + { + "Name":"ActiveCpuCount", + "Type":"String" + }, + { + "Name":"MemoryTotal", + "Type":"String" + }, + { + "Name":"BillingType", + "Type":"String" + }, + { + "Name":"ConnectionCipher", + "Type":"String" + }, + { + "Name":"ConnectType", + "Type":"String" + }, + { + "Name":"ConnectionProtocol", + "Type":"String" + }, + { + "Name":"ConnectionHash", + "Type":"String" + }, + { + "Name":"ConnectTime", + "Type":"String" + }, + { + "Name":"ConnectionHashStrength", + "Type":"String" + }, + { + "Name":"FailedConnectCount", + "Type":"String" + }, + { + "Name":"ConnectionCipherStrength", + "Type":"String" + }, + { + "Name":"ConnectionExchangeStrength", + "Type":"String" + }, + { + "Name":"ConnectionExchange", + "Type":"String" + }, + { + "Name":"PreviousConnectTime", + "Type":"String" + }, + { + "Name":"FalconServiceServletErrors", + "Type":"String" + }, + { + "Name":"FalconServiceComponent", + "Type":"String" + }, + { + "Name":"FalconServiceServletStarts", + "Type":"String" + }, + { + "Name":"FalconServiceState", + "Type":"String" + }, + { + 
"Name":"ScriptContent",
+ "Type":"String"
+ },
+ {
+ "Name":"OriginalContentLength",
+ "Type":"String"
+ },
+ {
+ "Name":"ScriptingLanguageId",
+ "Type":"String"
+ },
+ {
+ "Name":"ParentImageFileName",
+ "Type":"String"
+ },
+ {
+ "Name":"GrandparentImageFileName",
+ "Type":"String"
+ },
+ {
+ "Name":"ScriptContentName",
+ "Type":"String"
+ },
+ {
+ "Name":"HostProcessType",
+ "Type":"String"
+ },
+ {
+ "Name":"ProcessParentCommandLine",
+ "Type":"String"
+ },
+ {
+ "Name":"ContentSHA256HashData",
+ "Type":"String"
+ },
+ {
+ "Name":"ProcessGrandparentCommandLine",
+ "Type":"String"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/CrowdstrikeFDR/CrowdstrikeReplicator b/Parsers/CrowdstrikeFDR/CrowdstrikeReplicator
new file mode 100644
index 0000000000..dc6c80d748
--- /dev/null
+++ b/Parsers/CrowdstrikeFDR/CrowdstrikeReplicator
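Review bot: The Properties array declares `DeviceSerialNumber` twice (once in the first group of entries and again in the USB device group near the end) and `FirewallRuleId` twice (once after `RequestType` and again immediately before `FirewallRule`), so this custom-table schema defines duplicate columns; drop the second occurrence of each so the validation table describes one column set. The column is declared here as `id` (lowercase), while the parser added in the second file of this commit projects it as `Id` (`Id=column_ifexists('id_g', '')`); KQL column names are case-sensitive, so queries validated against this schema and queries run against the parser output will not agree on the name — rename one side, and it is worth checking `name`, `cid`, `aip` and `timestamp` the same way since their parser mappings fall outside the visible part of that hunk. `TimeGenerated` is typed `"String"` here; if the validation harness applies that type literally, time-window expressions in the queries under test (`ago()`, `between`) will not type-check against it — presumably it should be `"DateTime"` as on the ingested table, confirm against the other CustomTables definitions.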
@@ -0,0 +1,1011 @@
+// Usage Instruction :
+// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as CrowdstrikeReplicator.
+// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CrowdstrikeReplicator | take 10).
+// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+let CrowdstrikeReplicatorLogs_view = view () {
+ CrowdstrikeReplicatorLogs_CL
+ | extend
+ EventVendor="Crowdstrike",
+ EventProduct="Replicator",
+ FileMode=column_ifexists('FileMode_s', ''),
+ DeviceSerialNumber=column_ifexists('DeviceSerialNumber_s', ''),
+ IcmpCode=column_ifexists('IcmpCode_s', ''),
+ IcmpType=column_ifexists('IcmpType_s', ''),
+ LastUpdateInstalledTime=column_ifexists('LastUpdateInstalledTime_s', ''),
+ RebootRequired=column_ifexists('RebootRequired_s', ''),
+ PendingUpdateIds=column_ifexists('PendingUpdateIds_s', ''),
+ InstalledUpdateIds=column_ifexists('InstalledUpdateIds_s', ''),
+ InstalledUpdateExtendedStatus=column_ifexists('InstalledUpdateExtendedStatus_s', ''),
+ SupersededUpdateIds=column_ifexists('SupersededUpdateIds_s', ''),
+ ConfigurationDescriptorValue=column_ifexists('ConfigurationDescriptorValue_s', ''),
+ ConfigurationDescriptorAttributes=column_ifexists('ConfigurationDescriptorAttributes_s', ''),
+ DeviceDescriptorUniqueIdentifier=column_ifexists('DeviceDescriptorUniqueIdentifier_s', ''),
+ ConfigurationDescriptorName=column_ifexists('ConfigurationDescriptorName_s', ''),
+ ConfigurationDescriptorNumInterfaces=column_ifexists('ConfigurationDescriptorNumInterfaces_s', ''),
+ ConfigurationDescriptorMaxPowerDraw=column_ifexists('ConfigurationDescriptorMaxPowerDraw_s', ''),
+ ScreenshotsTakenCount=column_ifexists('ScreenshotsTakenCount_s', ''),
+ ExitCode=column_ifexists('ExitCode_s', ''),
+ ParentProcessId=column_ifexists('ParentProcessId_s', ''),
+ 
DstUserIdentity=column_ifexists('UserSid_s', ''), + NetworkListenCount=column_ifexists('NetworkListenCount_s', ''), + SuspiciousRawDiskReadCount=column_ifexists('SuspiciousRawDiskReadCount_s', ''), + NetworkBindCount=column_ifexists('NetworkBindCount_s', ''), + NetworkRecvAcceptCount=column_ifexists('NetworkRecvAcceptCount_s', ''), + ContextData=column_ifexists('ContextData_s', ''), + Id=column_ifexists('id_g', ''), + NewExecutableWrittenCount=column_ifexists('NewExecutableWrittenCount_s', ''), + ExeAndServiceCount=column_ifexists('ExeAndServiceCount_s', ''), + NetworkCloseCount=column_ifexists('NetworkCloseCount_s', ''), + SuspectStackCount=column_ifexists('SuspectStackCount_s', ''), + CLICreationCount=column_ifexists('CLICreationCount_s', ''), + UnsignedModuleLoadCount=column_ifexists('UnsignedModuleLoadCount_s', ''), + UserTime=column_ifexists('UserTime_s', ''), + EventMessage=column_ifexists('event_simpleName_s', ''), + RawProcessId=column_ifexists('RawProcessId_s', ''), + ContextTimeStamp=column_ifexists('ContextTimeStamp_s', ''), + AllocateVirtualMemoryCount=column_ifexists('AllocateVirtualMemoryCount_s', ''), + ContextProcessId=column_ifexists('ContextProcessId_s', ''), + ServiceEventCount=column_ifexists('ServiceEventCount_s', ''), + SnapshotFileOpenCount=column_ifexists('SnapshotFileOpenCount_s', ''), + RemovableDiskFileWrittenCount=column_ifexists('RemovableDiskFileWrittenCount_s', ''), + InjectedDllCount=column_ifexists('InjectedDllCount_s', ''), + ModuleLoadCount=column_ifexists('ModuleLoadCount_s', ''), + UserMemoryProtectExecutableCount=column_ifexists('UserMemoryProtectExecutableCount_s', ''), + NetworkCapableAsepWriteCount=column_ifexists('NetworkCapableAsepWriteCount_s', ''), + TargetProcessId=column_ifexists('TargetProcessId_s', ''), + DnsRequestCount=column_ifexists('DnsRequestCount_s', ''), + ArchiveFileWrittenCount=column_ifexists('ArchiveFileWrittenCount_s', ''), + Entitlements=column_ifexists('Entitlements_s', ''), + 
Name=column_ifexists('name_s', ''), + ProcessStartTime=column_ifexists('ProcessStartTime_s', ''), + SetThreadContextCount=column_ifexists('SetThreadContextCount_s', ''), + SuspiciousCredentialModuleLoadCount=column_ifexists('SuspiciousCredentialModuleLoadCount_s', ''), + DvcInterfaceGuid=column_ifexists('aid_g', ''), + Cid=column_ifexists('cid_g', ''), + FileDeletedCount=column_ifexists('FileDeletedCount_s', ''), + UserMemoryAllocateExecutableCount=column_ifexists('UserMemoryAllocateExecutableCount_s', ''), + DirectoryCreatedCount=column_ifexists('DirectoryCreatedCount_s', ''), + NetworkConnectCountUdp=column_ifexists('NetworkConnectCountUdp_s', ''), + QueueApcCount=column_ifexists('QueueApcCount_s', ''), + ContextThreadId=column_ifexists('ContextThreadId_s', ''), + Aip=column_ifexists('aip_s', ''), + SuspiciousFontLoadCount=column_ifexists('SuspiciousFontLoadCount_s', ''), + ConHostId=column_ifexists('ConHostId_s', ''), + NetworkConnectCount=column_ifexists('NetworkConnectCount_s', ''), + BinaryExecutableWrittenCount=column_ifexists('BinaryExecutableWrittenCount_s', ''), + CycleTime=column_ifexists('CycleTime_s', ''), + DvcOs=column_ifexists('event_platform_s', ''), + ConHostProcessId=column_ifexists('ConHostProcessId_s', ''), + PrivilegedProcessHandleCount=column_ifexists('PrivilegedProcessHandleCount_s', ''), + MaxThreadCount=column_ifexists('MaxThreadCount_s', ''), + ImageSubsystem=column_ifexists('ImageSubsystem_s', ''), + GenericFileWrittenCount=column_ifexists('GenericFileWrittenCount_s', ''), + EffectiveTransmissionClass=column_ifexists('EffectiveTransmissionClass_s', ''), + ScriptEngineInvocationCount=column_ifexists('ScriptEngineInvocationCount_s', ''), + RunDllInvocationCount=column_ifexists('RunDllInvocationCount_s', ''), + timestamp=column_ifexists('timestamp_s', ''), + CreateProcessCount=column_ifexists('CreateProcessCount_s', ''), + KernelTime=column_ifexists('KernelTime_s', ''), + 
DirectoryEnumeratedCount=column_ifexists('DirectoryEnumeratedCount_s', ''), + ConfigStateHash=column_ifexists('ConfigStateHash_s', ''), + AsepWrittenCount=column_ifexists('AsepWrittenCount_s', ''), + SuspiciousDnsRequestCount=column_ifexists('SuspiciousDnsRequestCount_s', ''), + DocumentFileWrittenCount=column_ifexists('DocumentFileWrittenCount_s', ''), + ProtectVirtualMemoryCount=column_ifexists('ProtectVirtualMemoryCount_s', ''), + ProcessHashSha256=column_ifexists('SHA256HashData_s', ''), + UserMemoryProtectExecutableRemoteCount=column_ifexists('UserMemoryProtectExecutableRemoteCount_s', ''), + ConfigBuild=column_ifexists('ConfigBuild_s', ''), + UserMemoryAllocateExecutableRemoteCount=column_ifexists('UserMemoryAllocateExecutableRemoteCount_s', ''), + ExecutableDeletedCount=column_ifexists('ExecutableDeletedCount_s', ''), + RegKeySecurityDecreasedCount=column_ifexists('RegKeySecurityDecreasedCount_s', ''), + InjectedThreadCount=column_ifexists('InjectedThreadCount_s', ''), + NetworkModuleLoadCount=column_ifexists('NetworkModuleLoadCount_s', ''), + WindowTitle=column_ifexists('WindowTitle_s', ''), + ProcessCreateFlags=column_ifexists('ProcessCreateFlags_s', ''), + IntegrityLevel=column_ifexists('IntegrityLevel_s', ''), + SourceProcessId=column_ifexists('SourceProcessId_s', ''), + ProcessHashSha1=column_ifexists('SHA1HashData_s', ''), + TokenType=column_ifexists('TokenType_s', ''), + ProcessEndTime=column_ifexists('ProcessEndTime_s', ''), + AuthenticodeHashData=column_ifexists('AuthenticodeHashData_s', ''), + ParentBaseFileName=column_ifexists('ParentBaseFileName_s', ''), + SessionId=column_ifexists('SessionId_s', ''), + Tags=column_ifexists('Tags_s', ''), + ProcessHashMd5=column_ifexists('MD5HashData_g', ''), + ProcessSxsFlags=column_ifexists('ProcessSxsFlags_s', ''), + AuthenticationId=column_ifexists('AuthenticationId_s', ''), + WindowFlags=column_ifexists('WindowFlags_s', ''), + ProcessCommandLine=column_ifexists('CommandLine_s', ''), + 
ParentAuthenticationId=column_ifexists('ParentAuthenticationId_s', ''), + FileName=column_ifexists('ImageFileName_s', ''), + SourceThreadId=column_ifexists('SourceThreadId_s', ''), + ProcessParameterFlags=column_ifexists('ProcessParameterFlags_s', ''), + SignInfoFlags=column_ifexists('SignInfoFlags_s', ''), + ChannelVersion=column_ifexists('ChannelVersion_s', ''), + ChannelVersionRequired=column_ifexists('ChannelVersionRequired_s', ''), + ChannelId=column_ifexists('ChannelId_s', ''), + DnsResponseType=column_ifexists('DnsResponseType_s', ''), + IP4Records=column_ifexists('IP4Records_s', ''), + CNAMERecords=column_ifexists('CNAMERecords_s', ''), + QueryStatus=column_ifexists('QueryStatus_s', ''), + InterfaceIndex=column_ifexists('InterfaceIndex_s', ''), + DualRequest=column_ifexists('DualRequest_s', ''), + FirstIP4Record=column_ifexists('FirstIP4Record_s', ''), + UrlDomain=column_ifexists('DomainName_s', ''), + RespondingDnsServer=column_ifexists('RespondingDnsServer_s', ''), + RequestType=column_ifexists('RequestType_s', ''), + FirewallRuleId=column_ifexists('FirewallRuleId_s', ''), + Options=column_ifexists('Options_s', ''), + MinorFunction=column_ifexists('MinorFunction_s', ''), + FileIdentifier=column_ifexists('FileIdentifier_s', ''), + Information=column_ifexists('Information_s', ''), + ShareAccess=column_ifexists('ShareAccess_s', ''), + FileObject=column_ifexists('FileObject_s', ''), + FilePermission=column_ifexists('FileAttributes_s', ''), + Status=column_ifexists('Status_s', ''), + IrpFlags=column_ifexists('IrpFlags_s', ''), + MajorFunction=column_ifexists('MajorFunction_s', ''), + DesiredAccess=column_ifexists('DesiredAccess_s', ''), + OperationFlags=column_ifexists('OperationFlags_s', ''), + TargetFileName=column_ifexists('TargetFileName_s', ''), + CallStackModuleNamesVersion=column_ifexists('CallStackModuleNamesVersion_s', ''), + CsaProcessDataCollectionInstanceId=column_ifexists('CsaProcessDataCollectionInstanceId_s', ''), + 
CallStackModuleNames=column_ifexists('CallStackModuleNames_s', ''), + CreateProcessType=column_ifexists('CreateProcessType_s', ''), + EtwRawProcessId=column_ifexists('EtwRawProcessId_s', ''), + EventMax=column_ifexists('EventMax_s', ''), + EtwRawThreadId=column_ifexists('EtwRawThreadId_s', ''), + Flags=column_ifexists('Flags_s', ''), + EventMin=column_ifexists('EventMin_s', ''), + RawThreadId=column_ifexists('RawThreadId_s', ''), + SrcIpAddr=column_ifexists('LocalAddressIP4_s', ''), + ConnectionFlags=column_ifexists('ConnectionFlags_s', ''), + DstIpPort=column_ifexists('RemotePort_s', ''), + SrcIpPort=column_ifexists('LocalPort_s', ''), + Protocol=column_ifexists('Protocol_s', ''), + DstIpAddr=column_ifexists('RemoteAddressIP4_s', ''), + ConnectionDirection=column_ifexists('ConnectionDirection_s', ''), + InContext=column_ifexists('InContext_s', ''), + NetworkContainmentState=column_ifexists('NetworkContainmentState_s', ''), + ConfigIDBase=column_ifexists('ConfigIDBase_s', ''), + SensorStateBitMap=column_ifexists('SensorStateBitMap_s', ''), + ConfigurationVersion=column_ifexists('ConfigurationVersion_s', ''), + ConfigIDPlatform=column_ifexists('ConfigIDPlatform_s', ''), + ConfigIDBuild=column_ifexists('ConfigIDBuild_s', ''), + ProvisionState=column_ifexists('ProvisionState_s', ''), + Size=column_ifexists('Size_s', ''), + IsOnNetwork=column_ifexists('IsOnNetwork_s', ''), + DiskParentDeviceInstanceId=column_ifexists('DiskParentDeviceInstanceId_s', ''), + TemporaryFileName=column_ifexists('TemporaryFileName_s', ''), + FileEcpBitmask=column_ifexists('FileEcpBitmask_s', ''), + IsOnRemovableDisk=column_ifexists('IsOnRemovableDisk_s', ''), + ModuleCharacteristics=column_ifexists('ModuleCharacteristics_s', ''), + OriginalEventTimeStamp=column_ifexists('OriginalEventTimeStamp_s', ''), + MappedFromUserMode=column_ifexists('MappedFromUserMode_s', ''), + TreeId=column_ifexists('TreeId_s', ''), + PrimaryModule=column_ifexists('PrimaryModule_s', ''), + 
UserIsAdmin=column_ifexists('UserIsAdmin_s', ''), + LogoffTime=column_ifexists('LogoffTime_s', ''), + LogonTime=column_ifexists('LogonTime_s', ''), + LogonDomain=column_ifexists('LogonDomain_s', ''), + RemoteAccount=column_ifexists('RemoteAccount_s', ''), + UserFlags=column_ifexists('UserFlags_s', ''), + LogonServer=column_ifexists('LogonServer_s', ''), + DstUserName=column_ifexists('UserName_s', ''), + LogonType=column_ifexists('LogonType_s', ''), + AuthenticationPackage=column_ifexists('AuthenticationPackage_s', ''), + UserPrincipal=column_ifexists('UserPrincipal_s', ''), + PasswordLastSet=column_ifexists('PasswordLastSet_s', ''), + UserLogoffType=column_ifexists('UserLogoffType_s', ''), + UserLogonFlags=column_ifexists('UserLogonFlags_s', ''), + Parameter2=column_ifexists('Parameter2_s', ''), + Parameter1=column_ifexists('Parameter1_s', ''), + Parameter3=column_ifexists('Parameter3_s', ''), + Line=column_ifexists('Line_s', ''), + ErrorStatus=column_ifexists('ErrorStatus_s', ''), + Facility=column_ifexists('Facility_s', ''), + File=column_ifexists('File_s', ''), + PublicKeys=column_ifexists('PublicKeys_s', ''), + HandleCreated=column_ifexists('HandleCreated_s', ''), + ExtendedKeyUsages=column_ifexists('ExtendedKeyUsages_s', ''), + FileSigningTime=column_ifexists('FileSigningTime_s', ''), + Object1Name=column_ifexists('Object1Name_s', ''), + Object1Type=column_ifexists('Object1Type_s', ''), + Certificate=column_ifexists('Certificate_s', ''), + RpcClientProcessId=column_ifexists('RpcClientProcessId_s', ''), + SyntheticPR2Flags=column_ifexists('SyntheticPR2Flags_s', ''), + MachOSubType=column_ifexists('MachOSubType_s', ''), + SessionProcessId=column_ifexists('SessionProcessId_s', ''), + SVUID=column_ifexists('SVUID_s', ''), + ProcessGroupId=column_ifexists('ProcessGroupId_s', ''), + GID=column_ifexists('GID_s', ''), + SVGID=column_ifexists('SVGID_s', ''), + UID=column_ifexists('UID_s', ''), + RGID=column_ifexists('RGID_s', ''), + RUID=column_ifexists('RUID_s', ''), 
+ NeighborList=column_ifexists('NeighborList_s', ''), + DownloadServer=column_ifexists('DownloadServer_s', ''), + DownloadPath=column_ifexists('DownloadPath_s', ''), + DownloadPort=column_ifexists('DownloadPort_s', ''), + CompletionEventId=column_ifexists('CompletionEventId_s', ''), + IsTransactedFile=column_ifexists('IsTransactedFile_s', ''), + WindowStation=column_ifexists('WindowStation_s', ''), + BoundingLimitCount=column_ifexists('BoundingLimitCount_s', ''), + ProcessBehaviorBitfield=column_ifexists('ProcessBehaviorBitfield_s', ''), + Desktop=column_ifexists('Desktop_s', ''), + PatternId=column_ifexists('PatternId_s', ''), + ExclusionType=column_ifexists('ExclusionType_s', ''), + ExclusionSource=column_ifexists('ExclusionSource_s', ''), + DriverLoadFlags=column_ifexists('DriverLoadFlags_s', ''), + CompanyName=column_ifexists('CompanyName_s', ''), + OriginalFilename=column_ifexists('OriginalFilename_s', ''), + FileVersion=column_ifexists('FileVersion_s', ''), + GrandParentBaseFileName=column_ifexists('GrandParentBaseFileName_s', ''), + ShowWindowFlags=column_ifexists('ShowWindowFlags_s', ''), + ThreadStartAddress=column_ifexists('ThreadStartAddress_s', ''), + InjectedThreadFlag=column_ifexists('InjectedThreadFlag_s', ''), + UserThread=column_ifexists('UserThread_s', ''), + TargetThreadModule=column_ifexists('TargetThreadModule_s', ''), + TargetThreadId=column_ifexists('TargetThreadId_s', ''), + ThreadStartContext=column_ifexists('ThreadStartContext_s', ''), + SourceThreadStartAddress=column_ifexists('SourceThreadStartAddress_s', ''), + InterfaceGuid=column_ifexists('InterfaceGuid_g', ''), + InterfaceVersion=column_ifexists('InterfaceVersion_s', ''), + RpcClientThreadId=column_ifexists('RpcClientThreadId_s', ''), + TaskXml=column_ifexists('TaskXml_s', ''), + TaskAuthor=column_ifexists('TaskAuthor_s', ''), + TaskName=column_ifexists('TaskName_s', ''), + RpcOpNum=column_ifexists('RpcOpNum_s', ''), + TaskExecArguments=column_ifexists('TaskExecArguments_s', ''), + 
TaskExecCommand=column_ifexists('TaskExecCommand_s', ''), + RpcNestingLevel=column_ifexists('RpcNestingLevel_s', ''), + ErrorLocation=column_ifexists('ErrorLocation_s', ''), + ErrorReason=column_ifexists('ErrorReason_s', ''), + Parameter64_1=column_ifexists('Parameter64_1_s', ''), + ErrorSource=column_ifexists('ErrorSource_s', ''), + ParameterSizedBuffer_1=column_ifexists('ParameterSizedBuffer_1_g', ''), + ErrorCode=column_ifexists('ErrorCode_s', ''), + DeviceProductId=column_ifexists('DeviceProductId_s', ''), + DeviceVersion=column_ifexists('DeviceVersion_s', ''), + DeviceTimeStamp=column_ifexists('DeviceTimeStamp_s', ''), + DeviceInstanceId=column_ifexists('DeviceInstanceId_s', ''), + DeviceDescriptorSetHash=column_ifexists('DeviceDescriptorSetHash_s', ''), + DeviceVendorId=column_ifexists('DeviceVendorId_s', ''), + DeviceManufacturer=column_ifexists('DeviceManufacturer_s', ''), + DeviceProduct=column_ifexists('DeviceProduct_s', ''), + GroupRid=column_ifexists('GroupRid_s', ''), + UserRid=column_ifexists('UserRid_s', ''), + DomainSid=column_ifexists('DomainSid_s', ''), + LightningLatencyState=column_ifexists('LightningLatencyState_s', ''), + UnixMode=column_ifexists('UnixMode_s', ''), + VnodeType=column_ifexists('VnodeType_s', ''), + TargetDirectoryName=column_ifexists('TargetDirectoryName_s', ''), + ApiReturnValue=column_ifexists('ApiReturnValue_s', ''), + ServiceDisplayName=column_ifexists('ServiceDisplayName_s', ''), + LinkName=column_ifexists('LinkName_s', ''), + VersionInfo=column_ifexists('VersionInfo_s', ''), + LanguageId=column_ifexists('LanguageId_s', ''), + AsepFlags=column_ifexists('AsepFlags_s', ''), + RegObjectName=column_ifexists('RegObjectName_s', ''), + Data1=column_ifexists('Data1_s', ''), + RegOperationType=column_ifexists('RegOperationType_s', ''), + ProcessArgs=column_ifexists('TargetCommandLineParameters_s', ''), + RegStringValue=column_ifexists('RegStringValue_s', ''), + RegType=column_ifexists('RegType_s', ''), + 
AsepClass=column_ifexists('AsepClass_s', ''), + AsepIndex=column_ifexists('AsepIndex_s', ''), + RegValueName=column_ifexists('RegValueName_s', ''), + AsepValueType=column_ifexists('AsepValueType_s', ''), + LocalSession=column_ifexists('LocalSession_s', ''), + DstDvcHostname=column_ifexists('ClientComputerName_s', ''), + PrivilegesBitmask=column_ifexists('PrivilegesBitmask_s', ''), + EnabledPrivilegesBitmask=column_ifexists('EnabledPrivilegesBitmask_s', ''), + UserGroupsBitmask=column_ifexists('UserGroupsBitmask_s', ''), + Timeout=column_ifexists('Timeout_s', ''), + ProcessCount=column_ifexists('ProcessCount_s', ''), + SuppressType=column_ifexists('SuppressType_s', ''), + BoundedCount=column_ifexists('BoundedCount_s', ''), + IP6Records=column_ifexists('IP6Records_s', ''), + FirstIP6Record=column_ifexists('FirstIP6Record_s', ''), + WmiQuery=column_ifexists('WmiQuery_s', ''), + WmiNamespaceName=column_ifexists('WmiNamespaceName_s', ''), + RegClassificationIndex=column_ifexists('RegClassificationIndex_s', ''), + RegClassificationFlags=column_ifexists('RegClassificationFlags_s', ''), + RegClassification=column_ifexists('RegClassification_s', ''), + SystemTableIndex=column_ifexists('SystemTableIndex_s', ''), + ScreenshotType=column_ifexists('ScreenshotType_s', ''), + SubStatus=column_ifexists('SubStatus_s', ''), + UmppaInjectAbortCount=column_ifexists('UmppaInjectAbortCount_s', ''), + UmppaInjectFailedCount=column_ifexists('UmppaInjectFailedCount_s', ''), + UmppaInjectionType=column_ifexists('UmppaInjectionType_s', ''), + UmppaInjectLoadFailCount=column_ifexists('UmppaInjectLoadFailCount_s', ''), + UmppaInjectCfgCheckCount=column_ifexists('UmppaInjectCfgCheckCount_s', ''), + UmppaInjectExtensionErrorCount=column_ifexists('UmppaInjectExtensionErrorCount_s', ''), + UmppaInjectInvalidThreadCount=column_ifexists('UmppaInjectInvalidThreadCount_s', ''), + UmppaInjectFileSectionCount=column_ifexists('UmppaInjectFileSectionCount_s', ''), + 
TotalCount=column_ifexists('TotalCount_s', ''), + UmppaInjectLoadErrorCount=column_ifexists('UmppaInjectLoadErrorCount_s', ''), + UmppaInjectBadAlertCount=column_ifexists('UmppaInjectBadAlertCount_s', ''), + UmppaInjectApcInsertionCount=column_ifexists('UmppaInjectApcInsertionCount_s', ''), + UmppaInjectCopyFailCount=column_ifexists('UmppaInjectCopyFailCount_s', ''), + FirewallRule=column_ifexists('FirewallRule_s', ''), + RegNumericValue=column_ifexists('RegNumericValue_s', ''), + VolumeDriveLetter=column_ifexists('VolumeDriveLetter_s', ''), + VolumeSnapshotName=column_ifexists('VolumeSnapshotName_s', ''), + VolumeName=column_ifexists('VolumeName_s', ''), + UserCanonical=column_ifexists('UserCanonical_s', ''), + LogonId=column_ifexists('LogonId_s', ''), + ConfigStateData=column_ifexists('ConfigStateData_s', ''), + FirewallProfile=column_ifexists('FirewallProfile_s', ''), + FirewallOption=column_ifexists('FirewallOption_s', ''), + FirewallOptionNumericValue=column_ifexists('FirewallOptionNumericValue_s', ''), + SmbShareName=column_ifexists('SmbShareName_s', ''), + TargetSHA256HashData=column_ifexists('TargetSHA256HashData_s', ''), + IsCpuDataCommonOnAllCores=column_ifexists('IsCpuDataCommonOnAllCores_s', ''), + SpibarDataFrap=column_ifexists('SpibarDataFrap_s', ''), + EfiVariableDbxSha256Hash=column_ifexists('EfiVariableDbxSha256Hash_s', ''), + PciConfigDataBgsm=column_ifexists('PciConfigDataBgsm_s', ''), + PciConfigDataDpr=column_ifexists('PciConfigDataDpr_s', ''), + CpuDataCommonSmrrSupported=column_ifexists('CpuDataCommonSmrrSupported_s', ''), + SpibarDataHsfc=column_ifexists('SpibarDataHsfc_s', ''), + EfiVariableSecureBoot=column_ifexists('EfiVariableSecureBoot_s', ''), + PciConfigDataMesegMask=column_ifexists('PciConfigDataMesegMask_s', ''), + PciConfigDataTolud=column_ifexists('PciConfigDataTolud_s', ''), + EfiVariableDbxAttributes=column_ifexists('EfiVariableDbxAttributes_s', ''), + PciConfigDataPavpc=column_ifexists('PciConfigDataPavpc_s', ''), + 
EfiVariableCustomModeAttributes=column_ifexists('EfiVariableCustomModeAttributes_s', ''), + SpibarDataFreg3=column_ifexists('SpibarDataFreg3_s', ''), + SpibarDataFreg4=column_ifexists('SpibarDataFreg4_s', ''), + SpibarDataFreg1=column_ifexists('SpibarDataFreg1_s', ''), + SpibarDataFreg2=column_ifexists('SpibarDataFreg2_s', ''), + SpibarDataFreg0=column_ifexists('SpibarDataFreg0_s', ''), + EfiSupported=column_ifexists('EfiSupported_s', ''), + EfiVariablePkAttributes=column_ifexists('EfiVariablePkAttributes_s', ''), + CpuDataCommonPrmrrUncorePhysicalMask=column_ifexists('CpuDataCommonPrmrrUncorePhysicalMask_s', ''), + PciConfigDataGenPmconA=column_ifexists('PciConfigDataGenPmconA_s', ''), + PciConfigDataTsegmb=column_ifexists('PciConfigDataTsegmb_s', ''), + SpibarDataVscc0=column_ifexists('SpibarDataVscc0_s', ''), + EfiVariablePkSha256Hash=column_ifexists('EfiVariablePkSha256Hash_s', ''), + SpibarDataVscc1=column_ifexists('SpibarDataVscc1_s', ''), + CpuDataCommonSmrrPhysicalMask=column_ifexists('CpuDataCommonSmrrPhysicalMask_s', ''), + NorthBridgeDeviceId=column_ifexists('NorthBridgeDeviceId_s', ''), + IsNorthBridgeSupported=column_ifexists('IsNorthBridgeSupported_s', ''), + PciConfigDataTom=column_ifexists('PciConfigDataTom_s', ''), + EfiVariableKekSha256Hash=column_ifexists('EfiVariableKekSha256Hash_s', ''), + SouthBridgeVendorId=column_ifexists('SouthBridgeVendorId_s', ''), + EfiVariableSignatureSupport=column_ifexists('EfiVariableSignatureSupport_s', ''), + MmioDataTco1Cnt=column_ifexists('MmioDataTco1Cnt_s', ''), + EfiVariableKekAttributes=column_ifexists('EfiVariableKekAttributes_s', ''), + FirmwareAnalysisCpuSupported=column_ifexists('FirmwareAnalysisCpuSupported_s', ''), + MmioDataSmiEn=column_ifexists('MmioDataSmiEn_s', ''), + CpuDataCommonPrmrrUncoreSupported=column_ifexists('CpuDataCommonPrmrrUncoreSupported_s', ''), + NorthBridgeVendorId=column_ifexists('NorthBridgeVendorId_s', ''), + CpuDataCommonMsrApicBase=column_ifexists('CpuDataCommonMsrApicBase_s', 
''), + EfiVariableDbAttributes=column_ifexists('EfiVariableDbAttributes_s', ''), + SpibarDataPr2=column_ifexists('SpibarDataPr2_s', ''), + SpibarDataBfpr=column_ifexists('SpibarDataBfpr_s', ''), + SpibarDataPr1=column_ifexists('SpibarDataPr1_s', ''), + EfiVariableSecureBootAttributes=column_ifexists('EfiVariableSecureBootAttributes_s', ''), + SpibarDataPr0=column_ifexists('SpibarDataPr0_s', ''), + IsSouthBridgeSupported=column_ifexists('IsSouthBridgeSupported_s', ''), + PciConfigDataHfsts1=column_ifexists('PciConfigDataHfsts1_s', ''), + CpuDataCommonMsrFeatureControl=column_ifexists('CpuDataCommonMsrFeatureControl_s', ''), + PciConfigDataRemaplimit=column_ifexists('PciConfigDataRemaplimit_s', ''), + CpuDataCommonSiliconDebugFeatureControl=column_ifexists('CpuDataCommonSiliconDebugFeatureControl_s', ''), + CpuDataCommonSmrrPhysicalBase=column_ifexists('CpuDataCommonSmrrPhysicalBase_s', ''), + SouthBridgeDeviceId=column_ifexists('SouthBridgeDeviceId_s', ''), + CpuDataCommonPrmrrPhysicalMask=column_ifexists('CpuDataCommonPrmrrPhysicalMask_s', ''), + EfiVariableDbSha256Hash=column_ifexists('EfiVariableDbSha256Hash_s', ''), + SpibarDataHsfs=column_ifexists('SpibarDataHsfs_s', ''), + PciConfigDataRemapbase=column_ifexists('PciConfigDataRemapbase_s', ''), + EfiVariableCustomMode=column_ifexists('EfiVariableCustomMode_s', ''), + PciConfigDataGgc=column_ifexists('PciConfigDataGgc_s', ''), + PciConfigDataTouud=column_ifexists('PciConfigDataTouud_s', ''), + SpibarDataPr4=column_ifexists('SpibarDataPr4_s', ''), + SpibarDataPr3=column_ifexists('SpibarDataPr3_s', ''), + CpuDataCommonPrmrrSupported=column_ifexists('CpuDataCommonPrmrrSupported_s', ''), + PciConfigDataSmramc=column_ifexists('PciConfigDataSmramc_s', ''), + EfiVariableSignatureSupportAttributes=column_ifexists('EfiVariableSignatureSupportAttributes_s', ''), + PciConfigDataBdsm=column_ifexists('PciConfigDataBdsm_s', ''), + EfiVariableSetupModeAttributes=column_ifexists('EfiVariableSetupModeAttributes_s', ''), + 
EfiVariableSetupMode=column_ifexists('EfiVariableSetupMode_s', ''), + PciConfigDataBiosCntl=column_ifexists('PciConfigDataBiosCntl_s', ''), + PciConfigDataMesegBase=column_ifexists('PciConfigDataMesegBase_s', ''), + SourceFileName=column_ifexists('SourceFileName_s', ''), + NewFileIdentifier=column_ifexists('NewFileIdentifier_s', ''), + FeatureVector=column_ifexists('FeatureVector_s', ''), + ModelPrediction=column_ifexists('ModelPrediction_s', ''), + Malicious=column_ifexists('Malicious_s', ''), + FeatureExtractionVersion=column_ifexists('FeatureExtractionVersion_s', ''), + FXFileSize=column_ifexists('FXFileSize_s', ''), + MLModelVersion=column_ifexists('MLModelVersion_s', ''), + FontBufferLength=column_ifexists('FontBufferLength_s', ''), + FontFileCount=column_ifexists('FontFileCount_s', ''), + FontLoadOperation=column_ifexists('FontLoadOperation_s', ''), + FontBuffer=column_ifexists('FontBuffer_s', ''), + FontFileName=column_ifexists('FontFileName_s', ''), + TemplateInstanceId=column_ifexists('TemplateInstanceId_s', ''), + PatternDisposition=column_ifexists('PatternDisposition_s', ''), + ServicePackMajor=column_ifexists('ServicePackMajor_s', ''), + ProductSku=column_ifexists('ProductSku_s', ''), + PointerSize=column_ifexists('PointerSize_s', ''), + ProductName=column_ifexists('ProductName_s', ''), + AgentVersion=column_ifexists('AgentVersion_s', ''), + ServicePackMinor=column_ifexists('ServicePackMinor_s', ''), + SuiteMask=column_ifexists('SuiteMask_s', ''), + SubBuildNumber=column_ifexists('SubBuildNumber_s', ''), + PlatformId=column_ifexists('PlatformId_s', ''), + BuildType=column_ifexists('BuildType_s', ''), + MajorVersion=column_ifexists('MajorVersion_s', ''), + ProductType=column_ifexists('ProductType_s', ''), + MinorVersion=column_ifexists('MinorVersion_s', ''), + CheckedBuild=column_ifexists('CheckedBuild_s', ''), + BuildNumber=column_ifexists('BuildNumber_s', ''), + RFMState=column_ifexists('RFMState_s', ''), + 
FirmwareAnalysisEclControlInterfaceVersion=column_ifexists('FirmwareAnalysisEclControlInterfaceVersion_s', ''), + FirmwareAnalysisEclConsumerInterfaceVersion=column_ifexists('FirmwareAnalysisEclConsumerInterfaceVersion_s', ''), + BootTimeFunctionalityLevel=column_ifexists('BootTimeFunctionalityLevel_s', ''), + ReasonOfFunctionalityLevel=column_ifexists('ReasonOfFunctionalityLevel_s', ''), + CurrentFunctionalityLevel=column_ifexists('CurrentFunctionalityLevel_s', ''), + PciAttachmentState=column_ifexists('PciAttachmentState_s', ''), + LocalAddressIP6=column_ifexists('LocalAddressIP6_s', ''), + RemoteAddressIP6=column_ifexists('RemoteAddressIP6_s', ''), + RegBinaryValue=column_ifexists('RegBinaryValue_s', ''), + ServiceDescription=column_ifexists('ServiceDescription_s', ''), + ServiceSecurity=column_ifexists('ServiceSecurity_s', ''), + ServiceImagePath=column_ifexists('ServiceImagePath_s', ''), + ServiceStart=column_ifexists('ServiceStart_s', ''), + ServiceType=column_ifexists('ServiceType_s', ''), + ServiceFailureActions=column_ifexists('ServiceFailureActions_s', ''), + ServiceErrorControl=column_ifexists('ServiceErrorControl_s', ''), + SymbolicLinkName=column_ifexists('SymbolicLinkName_s', ''), + SymbolicLinkTarget=column_ifexists('SymbolicLinkTarget_s', ''), + DevicePropertyClassName=column_ifexists('DevicePropertyClassName_s', ''), + DeviceActiveConfigurationNumber=column_ifexists('DeviceActiveConfigurationNumber_s', ''), + DevicePropertyClassGuid=column_ifexists('DevicePropertyClassGuid_g', ''), + DeviceUsbSubclass=column_ifexists('DeviceUsbSubclass_s', ''), + ParentHubInstanceId=column_ifexists('ParentHubInstanceId_s', ''), + DeviceConnectionStatus=column_ifexists('DeviceConnectionStatus_s', ''), + DeviceUsbClass=column_ifexists('DeviceUsbClass_s', ''), + ParentHubPort=column_ifexists('ParentHubPort_s', ''), + DevicePropertyManufacturer=column_ifexists('DevicePropertyManufacturer_s', ''), + 
DevicePropertyLocationInformation=column_ifexists('DevicePropertyLocationInformation_s', ''), + DeviceProtocol=column_ifexists('DeviceProtocol_s', ''), + DevicePropertyDeviceDescription=column_ifexists('DevicePropertyDeviceDescription_s', ''), + DeviceUsbVersion=column_ifexists('DeviceUsbVersion_s', ''), + ModuleBaseAddress=column_ifexists('ModuleBaseAddress_s', ''), + ModuleSize=column_ifexists('ModuleSize_s', ''), + IsOnClearCaseMvfs=column_ifexists('IsOnClearCaseMvfs_s', ''), + DllCharacteristics=column_ifexists('DllCharacteristics_s', ''), + ActiveCpuCount=column_ifexists('ActiveCpuCount_s', ''), + MemoryTotal=column_ifexists('MemoryTotal_s', ''), + BillingType=column_ifexists('BillingType_s', ''), + ConnectionCipher=column_ifexists('ConnectionCipher_s', ''), + ConnectType=column_ifexists('ConnectType_s', ''), + ConnectionProtocol=column_ifexists('ConnectionProtocol_s', ''), + ConnectionHash=column_ifexists('ConnectionHash_s', ''), + ConnectTime=column_ifexists('ConnectTime_s', ''), + ConnectionHashStrength=column_ifexists('ConnectionHashStrength_s', ''), + FailedConnectCount=column_ifexists('FailedConnectCount_s', ''), + ConnectionCipherStrength=column_ifexists('ConnectionCipherStrength_s', ''), + ConnectionExchangeStrength=column_ifexists('ConnectionExchangeStrength_s', ''), + ConnectionExchange=column_ifexists('ConnectionExchange_s', ''), + PreviousConnectTime=column_ifexists('PreviousConnectTime_s', ''), + FalconServiceServletErrors=column_ifexists('FalconServiceServletErrors_s', ''), + FalconServiceComponent=column_ifexists('FalconServiceComponent_s', ''), + FalconServiceServletStarts=column_ifexists('FalconServiceServletStarts_s', ''), + FalconServiceState=column_ifexists('FalconServiceState_s', ''), + ScriptContent=column_ifexists('ScriptContent_s', ''), + OriginalContentLength=column_ifexists('OriginalContentLength_s', ''), + ScriptingLanguageId=column_ifexists('ScriptingLanguageId_s', ''), + ParentImageFileName=column_ifexists('ParentImageFileName_s', 
''),
+ GrandparentImageFileName=column_ifexists('GrandparentImageFileName_s', ''),
+ ScriptContentName=column_ifexists('ScriptContentName_s', ''),
+ HostProcessType=column_ifexists('HostProcessType_s', ''),
+ ProcessParentCommandLine=column_ifexists('ParentCommandLine_s', ''),
+ ContentSHA256HashData=column_ifexists('ContentSHA256HashData_s', ''),
+ ProcessGrandparentCommandLine=column_ifexists('GrandparentCommandLine_s', '')
+ | project
+ TimeGenerated,
+ EventVendor,
+ EventProduct,
+ FileMode,
+ DeviceSerialNumber,
+ IcmpCode,
+ IcmpType,
+ LastUpdateInstalledTime,
+ RebootRequired,
+ PendingUpdateIds,
+ InstalledUpdateIds,
+ InstalledUpdateExtendedStatus,
+ SupersededUpdateIds,
+ ConfigurationDescriptorValue,
+ ConfigurationDescriptorAttributes,
+ DeviceDescriptorUniqueIdentifier,
+ ConfigurationDescriptorName,
+ ConfigurationDescriptorNumInterfaces,
+ ConfigurationDescriptorMaxPowerDraw,
+ ScreenshotsTakenCount,
+ ExitCode,
+ ParentProcessId,
+ DstUserIdentity,
+ NetworkListenCount,
+ SuspiciousRawDiskReadCount,
+ NetworkBindCount,
+ NetworkRecvAcceptCount,
+ ContextData,
+ Id,
+ NewExecutableWrittenCount,
+ ExeAndServiceCount,
+ NetworkCloseCount,
+ SuspectStackCount,
+ CLICreationCount,
+ UnsignedModuleLoadCount,
+ UserTime,
+ EventMessage,
+ RawProcessId,
+ ContextTimeStamp,
+ AllocateVirtualMemoryCount,
+ ContextProcessId,
+ ServiceEventCount,
+ SnapshotFileOpenCount,
+ RemovableDiskFileWrittenCount,
+ InjectedDllCount,
+ ModuleLoadCount,
+ UserMemoryProtectExecutableCount,
+ NetworkCapableAsepWriteCount,
+ TargetProcessId,
+ DnsRequestCount,
+ ArchiveFileWrittenCount,
+ Entitlements,
+ Name,
+ ProcessStartTime,
+ SetThreadContextCount,
+ SuspiciousCredentialModuleLoadCount,
+ DvcInterfaceGuid,
+ Cid,
+ FileDeletedCount,
+ UserMemoryAllocateExecutableCount,
+ DirectoryCreatedCount,
+ NetworkConnectCountUdp,
+ QueueApcCount,
+ ContextThreadId,
+ Aip,
+ SuspiciousFontLoadCount,
+ ConHostId,
+ NetworkConnectCount,
+ BinaryExecutableWrittenCount,
+ CycleTime,
+ DvcOs,
+ ConHostProcessId,
+ PrivilegedProcessHandleCount,
+ MaxThreadCount,
+ ImageSubsystem,
+ GenericFileWrittenCount,
+ EffectiveTransmissionClass,
+ ScriptEngineInvocationCount,
+ RunDllInvocationCount,
+ timestamp,
+ CreateProcessCount,
+ KernelTime,
+ DirectoryEnumeratedCount,
+ ConfigStateHash,
+ AsepWrittenCount,
+ SuspiciousDnsRequestCount,
+ DocumentFileWrittenCount,
+ ProtectVirtualMemoryCount,
+ ProcessHashSha256,
+ UserMemoryProtectExecutableRemoteCount,
+ ConfigBuild,
+ UserMemoryAllocateExecutableRemoteCount,
+ ExecutableDeletedCount,
+ RegKeySecurityDecreasedCount,
+ InjectedThreadCount,
+ NetworkModuleLoadCount,
+ WindowTitle,
+ ProcessCreateFlags,
+ IntegrityLevel,
+ SourceProcessId,
+ ProcessHashSha1,
+ TokenType,
+ ProcessEndTime,
+ AuthenticodeHashData,
+ ParentBaseFileName,
+ SessionId,
+ Tags,
+ ProcessHashMd5,
+ ProcessSxsFlags,
+ AuthenticationId,
+ WindowFlags,
+ ProcessCommandLine,
+ ParentAuthenticationId,
+ FileName,
+ SourceThreadId,
+ ProcessParameterFlags,
+ SignInfoFlags,
+ ChannelVersion,
+ ChannelVersionRequired,
+ ChannelId,
+ DnsResponseType,
+ IP4Records,
+ CNAMERecords,
+ QueryStatus,
+ InterfaceIndex,
+ DualRequest,
+ FirstIP4Record,
+ UrlDomain,
+ RespondingDnsServer,
+ RequestType,
+ FirewallRuleId,
+ Options,
+ MinorFunction,
+ FileIdentifier,
+ Information,
+ ShareAccess,
+ FileObject,
+ FilePermission,
+ Status,
+ IrpFlags,
+ MajorFunction,
+ DesiredAccess,
+ OperationFlags,
+ TargetFileName,
+ CallStackModuleNamesVersion,
+ CsaProcessDataCollectionInstanceId,
+ CallStackModuleNames,
+ CreateProcessType,
+ EtwRawProcessId,
+ EventMax,
+ EtwRawThreadId,
+ Flags,
+ EventMin,
+ RawThreadId,
+ SrcIpAddr,
+ ConnectionFlags,
+ DstIpPort,
+ SrcIpPort,
+ Protocol,
+ DstIpAddr,
+ ConnectionDirection,
+ InContext,
+ NetworkContainmentState,
+ ConfigIDBase,
+ SensorStateBitMap,
+ ConfigurationVersion,
+ ConfigIDPlatform,
+ ConfigIDBuild,
+ ProvisionState,
+ Size,
+ IsOnNetwork,
+ DiskParentDeviceInstanceId,
+ TemporaryFileName,
+ FileEcpBitmask,
+ IsOnRemovableDisk,
+ ModuleCharacteristics,
+ OriginalEventTimeStamp,
+ MappedFromUserMode,
+ TreeId,
+ PrimaryModule,
+ UserIsAdmin,
+ LogoffTime,
+ LogonTime,
+ LogonDomain,
+ RemoteAccount,
+ UserFlags,
+ LogonServer,
+ DstUserName,
+ LogonType,
+ AuthenticationPackage,
+ UserPrincipal,
+ PasswordLastSet,
+ UserLogoffType,
+ UserLogonFlags,
+ Parameter2,
+ Parameter1,
+ Parameter3,
+ Line,
+ ErrorStatus,
+ Facility,
+ File,
+ PublicKeys,
+ HandleCreated,
+ ExtendedKeyUsages,
+ FileSigningTime,
+ Object1Name,
+ Object1Type,
+ Certificate,
+ RpcClientProcessId,
+ SyntheticPR2Flags,
+ MachOSubType,
+ SessionProcessId,
+ SVUID,
+ ProcessGroupId,
+ GID,
+ SVGID,
+ UID,
+ RGID,
+ RUID,
+ NeighborList,
+ DownloadServer,
+ DownloadPath,
+ DownloadPort,
+ CompletionEventId,
+ IsTransactedFile,
+ WindowStation,
+ BoundingLimitCount,
+ ProcessBehaviorBitfield,
+ Desktop,
+ PatternId,
+ ExclusionType,
+ ExclusionSource,
+ DriverLoadFlags,
+ CompanyName,
+ OriginalFilename,
+ FileVersion,
+ GrandParentBaseFileName,
+ ShowWindowFlags,
+ ThreadStartAddress,
+ InjectedThreadFlag,
+ UserThread,
+ TargetThreadModule,
+ TargetThreadId,
+ ThreadStartContext,
+ SourceThreadStartAddress,
+ InterfaceGuid,
+ InterfaceVersion,
+ RpcClientThreadId,
+ TaskXml,
+ TaskAuthor,
+ TaskName,
+ RpcOpNum,
+ TaskExecArguments,
+ TaskExecCommand,
+ RpcNestingLevel,
+ ErrorLocation,
+ ErrorReason,
+ Parameter64_1,
+ ErrorSource,
+ ParameterSizedBuffer_1,
+ ErrorCode,
+ DeviceProductId,
+ DeviceVersion,
+ DeviceTimeStamp,
+ DeviceInstanceId,
+ DeviceDescriptorSetHash,
+ DeviceVendorId,
+ DeviceManufacturer,
+ DeviceProduct,
+ GroupRid,
+ UserRid,
+ DomainSid,
+ LightningLatencyState,
+ UnixMode,
+ VnodeType,
+ TargetDirectoryName,
+ ApiReturnValue,
+ ServiceDisplayName,
+ LinkName,
+ VersionInfo,
+ LanguageId,
+ AsepFlags,
+ RegObjectName,
+ Data1,
+ RegOperationType,
+ ProcessArgs,
+ RegStringValue,
+ RegType,
+ AsepClass,
+ AsepIndex,
+ RegValueName,
+ AsepValueType,
+
LocalSession,
+ DstDvcHostname,
+ PrivilegesBitmask,
+ EnabledPrivilegesBitmask,
+ UserGroupsBitmask,
+ Timeout,
+ ProcessCount,
+ SuppressType,
+ BoundedCount,
+ IP6Records,
+ FirstIP6Record,
+ WmiQuery,
+ WmiNamespaceName,
+ RegClassificationIndex,
+ RegClassificationFlags,
+ RegClassification,
+ SystemTableIndex,
+ ScreenshotType,
+ SubStatus,
+ UmppaInjectAbortCount,
+ UmppaInjectFailedCount,
+ UmppaInjectionType,
+ UmppaInjectLoadFailCount,
+ UmppaInjectCfgCheckCount,
+ UmppaInjectExtensionErrorCount,
+ UmppaInjectInvalidThreadCount,
+ UmppaInjectFileSectionCount,
+ TotalCount,
+ UmppaInjectLoadErrorCount,
+ UmppaInjectBadAlertCount,
+ UmppaInjectApcInsertionCount,
+ UmppaInjectCopyFailCount,
+ FirewallRule,
+ RegNumericValue,
+ VolumeDriveLetter,
+ VolumeSnapshotName,
+ VolumeName,
+ UserCanonical,
+ LogonId,
+ ConfigStateData,
+ FirewallProfile,
+ FirewallOption,
+ FirewallOptionNumericValue,
+ SmbShareName,
+ TargetSHA256HashData,
+ IsCpuDataCommonOnAllCores,
+ SpibarDataFrap,
+ EfiVariableDbxSha256Hash,
+ PciConfigDataBgsm,
+ PciConfigDataDpr,
+ CpuDataCommonSmrrSupported,
+ SpibarDataHsfc,
+ EfiVariableSecureBoot,
+ PciConfigDataMesegMask,
+ PciConfigDataTolud,
+ EfiVariableDbxAttributes,
+ PciConfigDataPavpc,
+ EfiVariableCustomModeAttributes,
+ SpibarDataFreg3,
+ SpibarDataFreg4,
+ SpibarDataFreg1,
+ SpibarDataFreg2,
+ SpibarDataFreg0,
+ EfiSupported,
+ EfiVariablePkAttributes,
+ CpuDataCommonPrmrrUncorePhysicalMask,
+ PciConfigDataGenPmconA,
+ PciConfigDataTsegmb,
+ SpibarDataVscc0,
+ EfiVariablePkSha256Hash,
+ SpibarDataVscc1,
+ CpuDataCommonSmrrPhysicalMask,
+ NorthBridgeDeviceId,
+ IsNorthBridgeSupported,
+ PciConfigDataTom,
+ EfiVariableKekSha256Hash,
+ SouthBridgeVendorId,
+ EfiVariableSignatureSupport,
+ MmioDataTco1Cnt,
+ EfiVariableKekAttributes,
+ FirmwareAnalysisCpuSupported,
+ MmioDataSmiEn,
+ CpuDataCommonPrmrrUncoreSupported,
+ NorthBridgeVendorId,
+ CpuDataCommonMsrApicBase,
+ EfiVariableDbAttributes,
+ SpibarDataPr2,
+ SpibarDataBfpr,
+
SpibarDataPr1,
+ EfiVariableSecureBootAttributes,
+ SpibarDataPr0,
+ IsSouthBridgeSupported,
+ PciConfigDataHfsts1,
+ CpuDataCommonMsrFeatureControl,
+ PciConfigDataRemaplimit,
+ CpuDataCommonSiliconDebugFeatureControl,
+ CpuDataCommonSmrrPhysicalBase,
+ SouthBridgeDeviceId,
+ CpuDataCommonPrmrrPhysicalMask,
+ EfiVariableDbSha256Hash,
+ SpibarDataHsfs,
+ PciConfigDataRemapbase,
+ EfiVariableCustomMode,
+ PciConfigDataGgc,
+ PciConfigDataTouud,
+ SpibarDataPr4,
+ SpibarDataPr3,
+ CpuDataCommonPrmrrSupported,
+ PciConfigDataSmramc,
+ EfiVariableSignatureSupportAttributes,
+ PciConfigDataBdsm,
+ EfiVariableSetupModeAttributes,
+ EfiVariableSetupMode,
+ PciConfigDataBiosCntl,
+ PciConfigDataMesegBase,
+ SourceFileName,
+ NewFileIdentifier,
+ FeatureVector,
+ ModelPrediction,
+ Malicious,
+ FeatureExtractionVersion,
+ FXFileSize,
+ MLModelVersion,
+ FontBufferLength,
+ FontFileCount,
+ FontLoadOperation,
+ FontBuffer,
+ FontFileName,
+ TemplateInstanceId,
+ PatternDisposition,
+ ServicePackMajor,
+ ProductSku,
+ PointerSize,
+ ProductName,
+ AgentVersion,
+ ServicePackMinor,
+ SuiteMask,
+ SubBuildNumber,
+ PlatformId,
+ BuildType,
+ MajorVersion,
+ ProductType,
+ MinorVersion,
+ CheckedBuild,
+ BuildNumber,
+ RFMState,
+ FirmwareAnalysisEclControlInterfaceVersion,
+ FirmwareAnalysisEclConsumerInterfaceVersion,
+ BootTimeFunctionalityLevel,
+ ReasonOfFunctionalityLevel,
+ CurrentFunctionalityLevel,
+ PciAttachmentState,
+ LocalAddressIP6,
+ RemoteAddressIP6,
+ RegBinaryValue,
+ ServiceDescription,
+ ServiceSecurity,
+ ServiceImagePath,
+ ServiceStart,
+ ServiceType,
+ ServiceFailureActions,
+ ServiceErrorControl,
+ SymbolicLinkName,
+ SymbolicLinkTarget,
+ DevicePropertyClassName,
+ DeviceActiveConfigurationNumber,
+ DevicePropertyClassGuid,
+ DeviceUsbSubclass,
+ ParentHubInstanceId,
+ DeviceConnectionStatus,
+ DeviceUsbClass,
+ ParentHubPort,
+ DevicePropertyManufacturer,
+ DevicePropertyLocationInformation,
+ DeviceProtocol,
+ DevicePropertyDeviceDescription,
+
DeviceUsbVersion,
+ ModuleBaseAddress,
+ ModuleSize,
+ IsOnClearCaseMvfs,
+ DllCharacteristics,
+ ActiveCpuCount,
+ MemoryTotal,
+ BillingType,
+ ConnectionCipher,
+ ConnectType,
+ ConnectionProtocol,
+ ConnectionHash,
+ ConnectTime,
+ ConnectionHashStrength,
+ FailedConnectCount,
+ ConnectionCipherStrength,
+ ConnectionExchangeStrength,
+ ConnectionExchange,
+ PreviousConnectTime,
+ FalconServiceServletErrors,
+ FalconServiceComponent,
+ FalconServiceServletStarts,
+ FalconServiceState,
+ ScriptContent,
+ OriginalContentLength,
+ ScriptingLanguageId,
+ ParentImageFileName,
+ GrandparentImageFileName,
+ ScriptContentName,
+ HostProcessType,
+ ProcessParentCommandLine,
+ ContentSHA256HashData,
+ ProcessGrandparentCommandLine
+};
+CrowdstrikeReplicatorLogs_view
\ No newline at end of file
diff --git a/Sample Data/Custom/CrowdstrikeReplicatorLogs_CL.json b/Sample Data/Custom/CrowdstrikeReplicatorLogs_CL.json
new file mode 100644
index 0000000000..0be0ade6b9
--- /dev/null
+++ b/Sample Data/Custom/CrowdstrikeReplicatorLogs_CL.json
@@ -0,0 +1,663 @@
+[{
+ "ProcessCreateFlags":"525332",
+ "IntegrityLevel":"4096",
+ "ParentProcessId":"2065892889926",
+ "SourceProcessId":"2065892889926",
+ "aip":"165.165.165.165",
+ "SHA1HashData":"0000000000000000000000000000000000000000",
+ "UserSid":"S-1-12-1-3105947409-1312664182-3305734049-3050736265",
+ "event_platform":"Win",
+ "TokenType":"2",
+ "ProcessEndTime":"",
+ "AuthenticodeHashData":"7e23eb59249cc9d1be47b6e0dd9e89039d5dc6eb70b5105051ed739418a68c5e",
+ "ParentBaseFileName":"svchost.exe",
+ "RpcClientProcessId":"2065892889926",
+ "ImageSubsystem":"2",
+ "id":"8b1852b8-649f-11eb-811e-06ca739c04b7",
+ "EffectiveTransmissionClass":"3",
+ "SessionId":"1",
+ "Tags":"53, 54, 55, 12094627905582, 12094627906234",
+ "timestamp":"1612192196113",
+ "event_simpleName":"ProcessRollup2",
+ "RawProcessId":"19076",
+ "ConfigStateHash":"4091923303",
+ "MD5HashData":"b7fc4a29431d4f795bbab1fb182b759a",
+ "SHA256HashData":"48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
+ "ProcessSxsFlags":"1600",
+ "AuthenticationId":"1259939",
+ "ConfigBuild":"1007.3.0012806.1",
+ "WindowFlags":"128",
+ "CommandLine":"\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
+ "ParentAuthenticationId":"1259939",
+ "TargetProcessId":"2119008022556",
+ "ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe",
+ "SourceThreadId":"67139455641525",
+ "Entitlements":"15",
+ "name":"ProcessRollup2V19",
+ "ProcessStartTime":"1612192197.855",
+ "ProcessParameterFlags":"16385",
+ "aid":"f0b5394377fb4cc1592c660de3ac2ccb",
+ "SignInfoFlags":"9175042",
+ "cid":"e941027a2d1141f189b6c6c049c83215"
+ },
+ {
+ "ScreenshotsTakenCount":"0",
+ "ExitCode":"0",
+ "ParentProcessId":"1421648597103",
+ "UserSid":"S-1-5-20",
+ "NetworkListenCount":"0",
+ "SuspiciousRawDiskReadCount":"0",
+ "NetworkBindCount":"0",
+ "NetworkRecvAcceptCount":"0",
+ "ContextData":"",
+ "id":"9047859a-649f-11eb-b1b3-068090ee3e49",
+
"NewExecutableWrittenCount":"0",
+ "ExeAndServiceCount":"0",
+ "NetworkCloseCount":"0",
+ "SuspectStackCount":"0",
+ "CLICreationCount":"0",
+ "UnsignedModuleLoadCount":"0",
+ "UserTime":"156250",
+ "event_simpleName":"EndOfProcess",
+ "RawProcessId":"13184",
+ "ContextTimeStamp":"1612192202.219",
+ "AllocateVirtualMemoryCount":"0",
+ "ContextProcessId":"1437581318764",
+ "ServiceEventCount":"0",
+ "SnapshotFileOpenCount":"0",
+ "RemovableDiskFileWrittenCount":"0",
+ "InjectedDllCount":"0",
+ "ModuleLoadCount":"39",
+ "UserMemoryProtectExecutableCount":"0",
+ "NetworkCapableAsepWriteCount":"0",
+ "TargetProcessId":"1437581318764",
+ "DnsRequestCount":"0",
+ "ArchiveFileWrittenCount":"0",
+ "Entitlements":"15",
+ "name":"EndOfProcessV15",
+ "ProcessStartTime":"1612192112.216",
+ "SetThreadContextCount":"0",
+ "SuspiciousCredentialModuleLoadCount":"0",
+ "aid":"d4a94db4404b42d95ae69960dd2364a5",
+ "cid":"e941027a2d1141f189b6c6c049c83215",
+ "FileDeletedCount":"0",
+ "UserMemoryAllocateExecutableCount":"0",
+ "DirectoryCreatedCount":"0",
+ "NetworkConnectCountUdp":"0",
+ "QueueApcCount":"0",
+ "ContextThreadId":"75529593909860",
+ "aip":"165.165.165.165",
+ "SuspiciousFontLoadCount":"0",
+ "ConHostId":"1152",
+ "NetworkConnectCount":"0",
+ "BinaryExecutableWrittenCount":"0",
+ "CycleTime":"105226185",
+ "event_platform":"Win",
+ "ConHostProcessId":"1421648597103",
+ "PrivilegedProcessHandleCount":"0",
+ "MaxThreadCount":"10",
+ "ImageSubsystem":"2",
+ "GenericFileWrittenCount":"0",
+ "EffectiveTransmissionClass":"3",
+ "ScriptEngineInvocationCount":"0",
+ "RunDllInvocationCount":"0",
+ "timestamp":"1612192204811",
+ "CreateProcessCount":"0",
+ "KernelTime":"312500",
+ "DirectoryEnumeratedCount":"0",
+ "ConfigStateHash":"4091923303",
+ "AsepWrittenCount":"0",
+ "SuspiciousDnsRequestCount":"0",
+ "DocumentFileWrittenCount":"0",
+ "ProtectVirtualMemoryCount":"0",
+ "SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
+
"UserMemoryProtectExecutableRemoteCount":"0",
+ "ConfigBuild":"1007.3.0012806.1",
+ "UserMemoryAllocateExecutableRemoteCount":"0",
+ "ExecutableDeletedCount":"0",
+ "RegKeySecurityDecreasedCount":"0",
+ "InjectedThreadCount":"0",
+ "NetworkModuleLoadCount":"0"
+ },
+ {
+ "event_simpleName":"DnsRequest",
+ "ContextTimeStamp":"1612192188.546",
+ "ConfigStateHash":"1187562179",
+ "ContextProcessId":"593354899211",
+ "DomainName":"domain1",
+ "ContextThreadId":"26667268649418",
+ "aip":"82.82.82.82",
+ "QueryStatus":"9003",
+ "InterfaceIndex":"0",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "DnsRequestCount":"1",
+ "DualRequest":"0",
+ "Entitlements":"15",
+ "name":"DnsRequestV4",
+ "id":"881d1128-649f-11eb-9c59-022209fbed9d",
+ "EffectiveTransmissionClass":"3",
+ "aid":"eb2763e9afca47c996acf2a8e6651f18",
+ "timestamp":"1612192191111",
+ "cid":"e941027a2d1141f189b6c6c049c83215",
+ "RequestType":"1"
+ },
+ {
+ "ChannelVersion":"2353",
+ "event_simpleName":"ChannelVersionRequired",
+ "ConfigStateHash":"3574986334",
+ "aip":"165.165.165.165",
+ "ChannelVersionRequired":"0",
+ "ChannelId":"200",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "Entitlements":"15",
+ "name":"ChannelVersionRequiredV1",
+ "id":"7d66d49d-649f-11eb-8ef0-06f5d9b66909",
+ "EffectiveTransmissionClass":"0",
+ "aid":"ec61c9f00a054a7c499eb92b9f67e2ab",
+ "timestamp":"1612192173140",
+ "cid":"e941027a2d1141f189b6c6c049c83215"
+ },
+ {
+ "LocalAddressIP4":"10.10.10.10",
+ "event_simpleName":"NetworkConnectIP4",
+ "ContextTimeStamp":"1612192203.293",
+ "ConfigStateHash":"3840237054",
+ "ConnectionFlags":"0",
+ "ContextProcessId":"1435198812605",
+ "RemotePort":"443",
+ "ContextThreadId":"35388335972466",
+ "aip":"104.104.104.104",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "LocalPort":"54781",
+ "Entitlements":"15",
+ "name":"NetworkConnectIP4V5",
+ "id":"8fbf8c4c-649f-11eb-93e6-06d64cd93503",
+ "Protocol":"6",
+ "EffectiveTransmissionClass":"3",
+
"aid":"124bdfdf1dcf4bdb6cf503d3b93a8e36",
+ "RemoteAddressIP4":"52.52.52.52",
+ "ConnectionDirection":"0",
+ "InContext":"0",
+ "timestamp":"1612192203920",
+ "cid":"e941027a2d1141f189bc6c049c83215"
+ },
+ {
+ "ModuleCharacteristics":"8450",
+ "ContextThreadId":"118013339024792",
+ "aip":"189.189.189.189",
+ "OriginalEventTimeStamp":"1612192206.828",
+ "SHA1HashData":"0000000000000000000000000000000000000000",
+ "event_platform":"Win",
+ "MappedFromUserMode":"1",
+ "AuthenticodeHashData":"c733fb7f27aeb8af40676839d86bf52a58e175436de685abbc25bb881c3da65f",
+ "id":"92b01584-649f-11eb-b4d4-02d8cc9f6f77",
+ "EffectiveTransmissionClass":"3",
+ "timestamp":"1612192208852",
+ "event_simpleName":"ImageHash",
+ "ContextTimeStamp":"1612192206.828",
+ "ConfigStateHash":"4091923303",
+ "ContextProcessId":"4770863664501",
+ "MD5HashData":"2d84620a2580073a2940067e9153243b",
+ "SHA256HashData":"7db6c8d5f59adbcda1fd8e4052cd0f0ad2d409b19e4ead5d9800e63913c478fb",
+ "ConfigBuild":"1007.3.0012806.1",
+ "TargetProcessId":"4770863664501",
+ "TreeId":"249108533330",
+ "ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\gdi32.dll",
+ "Entitlements":"15",
+ "name":"ImageHashV4",
+ "PrimaryModule":"0",
+ "aid":"f46cf24c09c545c06826924f56e9b12",
+ "SignInfoFlags":"9175042",
+ "cid":"e941027a2d1141f89b6c6c049c83215"
+ },
+ {
+ "event_simpleName":"SensorHeartbeat",
+ "ConfigStateHash":"1187562179",
+ "NetworkContainmentState":"0",
+ "aip":"165.165.165.165",
+ "ConfigIDBase":"65994753",
+ "SensorStateBitMap":"0",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "ConfigurationVersion":"10",
+ "Entitlements":"15",
+ "name":"SensorHeartbeatV4",
+ "ConfigIDPlatform":"3",
+ "id":"99d1e81e-649f-11eb-b627-06e39ca35a05",
+ "ConfigIDBuild":"12806",
+ "EffectiveTransmissionClass":"0",
+ "aid":"265ebfb466e649e14f739b2ec82ef4c0",
+ "ProvisionState":"1",
+ "timestamp":"1612192220818",
+ "cid":"e941027a2d1141f89b6c6c049c83215"
+ },
+ {
+ "Parameter2":"104741656",
+
"event_simpleName":"ErrorEvent",
+ "Parameter1":"3934815034",
+ "Parameter3":"0",
+ "ConfigStateHash":"4091923303",
+ "aip":"104.104.104.104",
+ "Line":"1066",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "ErrorStatus":"3221227780",
+ "Entitlements":"15",
+ "name":"ErrorEventV1",
+ "id":"851075fd-649f-11eb-9d98-0256c1ba3b87",
+ "Facility":"67109928",
+ "EffectiveTransmissionClass":"0",
+ "aid":"7eece200f1444be9650676f1460ec1f4",
+ "File":"0",
+ "timestamp":"1612192185995",
+ "cid":"e941027a2d114189b6c6c049c83215"
+ },
+ {
+ "Options":"35651617",
+ "ContextThreadId":"34965671247409",
+ "MinorFunction":"0",
+ "aip":"47.47.47.47",
+ "FileIdentifier":"f31039767b57934cab36a2c87ff011b649010000001a00",
+ "Information":"2",
+ "event_platform":"Win",
+ "ShareAccess":"3",
+ "id":"9c750397-649f-11eb-a468-02143f29d047",
+ "FileObject":"18446614397218495824",
+ "EffectiveTransmissionClass":"3",
+ "FileAttributes":"128",
+ "timestamp":"1612192225242",
+ "Status":"0",
+ "event_simpleName":"DirectoryCreate",
+ "ContextTimeStamp":"1612192225.647",
+ "ConfigStateHash":"370429029",
+ "ContextProcessId":"1015925104824",
+ "IrpFlags":"2180",
+ "ConfigBuild":"1007.3.0012806.1",
+ "MajorFunction":"0",
+ "DesiredAccess":"1048577",
+ "Entitlements":"15",
+ "name":"DirectoryCreateV1",
+ "OperationFlags":"0",
+ "aid":"d9a8e94338e34c667ac3c406b33a26",
+ "cid":"e941027a2d114189b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume4\\Users\\T\\AppData\\Local\\Temp\\{A6EDA298-D2B2-43BD-BF53-4AAC80A8F624}"
+ },
+ {
+ "event_simpleName":"SetWinEventHookEtw",
+ "RawProcessId":"0",
+ "ContextTimeStamp":"1612192180.085",
+ "ConfigStateHash":"1002018934",
+ "EtwRawProcessId":"12680",
+ "ContextProcessId":"1462865029781",
+ "EventMax":"2147483410",
+ "SourceProcessId":"0",
+ "aip":"147.147.147.147",
+ "EtwRawThreadId":"13348",
+ "Flags":"0",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "EventMin":"2147483408",
+ "SourceThreadId":"0",
+ "Entitlements":"15",
+
"name":"SetWinEventHookEtwV1",
+ "RawThreadId":"0",
+ "id":"8004b527-649f-11eb-9488-024e6bf3d6b1",
+ "EffectiveTransmissionClass":"3",
+ "aid":"e30dfd2dac46425c721ffb42691c1c",
+ "timestamp":"1612192177530",
+ "cid":"e941027a2d1141f9b6c6c049c83215"
+ },
+ {
+ "LocalAddressIP4":"10.10.10.10",
+ "event_simpleName":"NetworkReceiveAcceptIP4",
+ "ContextTimeStamp":"1612192231.439",
+ "ConfigStateHash":"976821965",
+ "ConnectionFlags":"0",
+ "ContextProcessId":"138285062270780",
+ "RemotePort":"137",
+ "aip":"165.165.165.165",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "LocalPort":"137",
+ "Entitlements":"15",
+ "name":"NetworkReceiveAcceptIP4V5",
+ "id":"a02b6add-649f-11eb-a61c-027816f012a3",
+ "Protocol":"17",
+ "EffectiveTransmissionClass":"3",
+ "aid":"acd89ebd166344b17e6d7018dbde25cc",
+ "RemoteAddressIP4":"23.23.23.23",
+ "ConnectionDirection":"1",
+ "InContext":"0",
+ "timestamp":"1612192231470",
+ "cid":"e941027a2d1141f186c6c049c83215"
+ },
+ {
+ "event_simpleName":"RegisterRawInputDevicesEtw",
+ "ContextTimeStamp":"1612192192.661",
+ "ConfigStateHash":"4091923303",
+ "EtwRawProcessId":"9528",
+ "ContextProcessId":"2801870511975",
+ "aip":"71.71.71.71",
+ "EtwRawThreadId":"9428",
+ "ApiReturnValue":"1",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "Entitlements":"15",
+ "name":"RegisterRawInputDevicesEtwV1",
+ "id":"89e6dbf0-649f-11eb-b45d-022d70a19ab5",
+ "EffectiveTransmissionClass":"3",
+ "aid":"ede5911c3ded4cac6927ee72eef376ba",
+ "timestamp":"1612192194111",
+ "cid":"e941027a2d1141f9b6c6c049c83215"
+ },
+ {
+ "Size":"14712251",
+ "ContextThreadId":"165986129080464",
+ "MinorFunction":"0",
+ "aip":"185.185.185.185",
+ "IsOnNetwork":"0",
+ "FileIdentifier":"5399f2747c5de811960c806e6f6e69632cc701000000e31f",
+ "event_platform":"Win",
+ "TokenType":"1",
+ "id":"7d82fc3d-649f-11eb-86d4-06271f28c015",
+ "FileObject":"2292681824",
+ "EffectiveTransmissionClass":"3",
+ "timestamp":"1612192173324",
+
"event_simpleName":"DmpFileWritten",
+ "ContextTimeStamp":"1612192172.528",
+ "ConfigStateHash":"3840237054",
+ "ContextProcessId":"30359610206388",
+ "IrpFlags":"1028",
+ "AuthenticationId":"237790",
+ "ConfigBuild":"1007.3.0012806.1",
+ "FileEcpBitmask":"0",
+ "MajorFunction":"18",
+ "IsOnRemovableDisk":"0",
+ "Entitlements":"15",
+ "name":"DmpFileWrittenV12",
+ "OperationFlags":"0",
+ "aid":"e7149f2a8a69453b74a072f67cfc4d",
+ "cid":"e941027a2d1141f9b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume1\\ProgramData\\Zscaler\\ZSATray.exe.11924.dmp"
+ },
+ {
+ "Size":"5120",
+ "ContextThreadId":"20459934839588",
+ "MinorFunction":"0",
+ "aip":"165.165.165.165",
+ "IsOnNetwork":"0",
+ "FileIdentifier":"405e4cec2cac994b802c88a89583ce852db9000000002e00",
+ "event_platform":"Win",
+ "TokenType":"1",
+ "DiskParentDeviceInstanceId":"PCI\\VEN_8086&DEV_F1A6&SUBSYS_390B8086&REV_03\\4&280be160&0&00E4",
+ "id":"954b4f19-649f-11eb-86b9-06f80c26adc1",
+ "FileObject":"18446698488861015536",
+ "EffectiveTransmissionClass":"3",
+ "timestamp":"1612192213225",
+ "event_simpleName":"PeFileWritten",
+ "ContextTimeStamp":"1612192154.275",
+ "ConfigStateHash":"1187562179",
+ "IsTransactedFile":"0",
+ "ContextProcessId":"538129154765",
+ "IrpFlags":"1028",
+ "SHA256HashData":"28ca0d1c692331a22174be034be2d6a39f4c1868e2a7b23172335554fcd1e681",
+ "AuthenticationId":"999",
+ "ConfigBuild":"1007.3.0012806.1",
+ "FileEcpBitmask":"0",
+ "MajorFunction":"18",
+ "IsOnRemovableDisk":"0",
+ "Entitlements":"15",
+ "name":"PeFileWrittenV15",
+ "OperationFlags":"0",
+ "aid":"578817b172b44b32fec1ab92ea86b0",
+ "cid":"e941027a2d1141f1b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\2C957836-F162-4817-87B7-A6668CC4AE78\\en-US\\UnattendProvider.dll.mui"
+ },
+ {
+ "Options":"33554532",
+ "ContextThreadId":"76915493345508",
+ "MinorFunction":"0",
+ "aip":"147.147.147.147",
+ "Information":"2",
+ "FileIdentifier":"edc203080b0ab8458680afe68146b1ed6c62010000009700",
+
"event_platform":"Win",
+ "ShareAccess":"0",
+ "id":"80d5ae7b-649f-11eb-9488-024e6bf3d6b1",
+ "FileObject":"18446634184237273600",
+ "EffectiveTransmissionClass":"3",
+ "FileAttributes":"0",
+ "timestamp":"1612192178899",
+ "Status":"0",
+ "event_simpleName":"NewExecutableWritten",
+ "ContextTimeStamp":"1612192178.595",
+ "ConfigStateHash":"1002018934",
+ "ContextProcessId":"1462865029781",
+ "IrpFlags":"2180",
+ "ConfigBuild":"1007.3.0012806.1",
+ "MajorFunction":"0",
+ "DesiredAccess":"1180054",
+ "Entitlements":"15",
+ "name":"NewExecutableWrittenV1",
+ "OperationFlags":"0",
+ "aid":"e30dfd2dac464a925c721ffb42691c1c",
+ "cid":"e941027a2d1141f189b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Users\\S\\AppData\\Local\\assembly\\tmp\\VVCQJISQ\\Newtonsoft.Json.DLL"
+ },
+ {
+ "Options":"88080484",
+ "ContextThreadId":"121390994923701",
+ "MinorFunction":"0",
+ "aip":"165.165.165.165",
+ "Information":"2",
+ "FileIdentifier":"8e22c65ac1de534d924b77bef9724e893b34000000007e01",
+ "event_platform":"Win",
+ "ShareAccess":"1",
+ "id":"9a1112a6-649f-11eb-a1a0-02d051f2be4b",
+ "FileObject":"18446705066600845600",
+ "EffectiveTransmissionClass":"3",
+ "FileAttributes":"0",
+ "timestamp":"1612192221231",
+ "Status":"0",
+ "event_simpleName":"NewScriptWritten",
+ "ContextTimeStamp":"1612192219.844",
+ "ConfigStateHash":"4091923303",
+ "ContextProcessId":"2092451718379",
+ "IrpFlags":"2180",
+ "ConfigBuild":"1007.3.0012806.1",
+ "MajorFunction":"0",
+ "DesiredAccess":"1180054",
+ "Entitlements":"15",
+ "name":"NewScriptWrittenV7",
+ "OperationFlags":"0",
+ "aid":"1d26eadfb948448653c36c1b900df377",
+ "cid":"e941027a2d1141f189b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\__PSS.ps1"
+ },
+ {
+ "event_simpleName":"ExecutableDeleted",
+ "ContextTimeStamp":"1612192183.367",
+ "ConfigStateHash":"4091923303",
+ "ContextProcessId":"2235221295047",
+ "IrpFlags":"1028",
+ "ContextThreadId":"115372276358029",
+ "MinorFunction":"0",
+
"aip":"165.165.165.165",
+ "FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8e86ea010000006c00",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "MajorFunction":"18",
+ "Entitlements":"15",
+ "name":"ExecutableDeletedV3",
+ "OperationFlags":"0",
+ "id":"840c4b68-649f-11eb-bde3-024e3dec27db",
+ "FileObject":"18446713894431458368",
+ "EffectiveTransmissionClass":"3",
+ "aid":"e17bf6ec831e4f3976553f9969664271",
+ "timestamp":"1612192184290",
+ "cid":"e941027a2d1141f186c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Users\\k\\AppData\\Local\\assembly\\tmp\\QN76W635\\WinZipExpressForOffice.DLL"
+ },
+ {
+ "Status":"3221225506",
+ "KernelTime":"0",
+ "event_simpleName":"SignInfoError",
+ "ConfigStateHash":"4091923303",
+ "aip":"165.165.165.165",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\iwprn.dll",
+ "Entitlements":"15",
+ "name":"SignInfoErrorV3",
+ "id":"8257ef61-649f-11eb-b376-02f6607228a3",
+ "EffectiveTransmissionClass":"2",
+ "aid":"c0da753d75ff4e7971901ab055d804b4",
+ "timestamp":"1612192181431",
+ "cid":"e941027a2d1141fb6c6c049c83215"
+ },
+ {
+ "Size":"104753",
+ "ContextThreadId":"68150305082852",
+ "MinorFunction":"0",
+ "aip":"165.165.165.165",
+ "IsOnNetwork":"0",
+ "FileIdentifier":"8e22c65ac1de534d924b77bef9724e89bd9c000000009300",
+ "event_platform":"Win",
+ "TokenType":"1",
+ "DiskParentDeviceInstanceId":"PCI\\VEN_15B7&DEV_5002&SUBSYS_500215B7&REV_00\\4&18cf69ef&0&00E4",
+ "id":"7d068550-649f-11eb-9be1-065505666d6f",
+ "FileObject":"18446655072069839760",
+ "EffectiveTransmissionClass":"3",
+ "timestamp":"1612192172508",
+ "event_simpleName":"OoxmlFileWritten",
+ "ContextTimeStamp":"1612192167.261",
+ "ConfigStateHash":"1187562179",
+ "ContextProcessId":"1961692248212",
+ "TemporaryFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix",
+ "IrpFlags":"1028",
+ "AuthenticationId":"286344857",
+ "ConfigBuild":"1007.3.0012806.1",
+ "FileEcpBitmask":"0",
+ "MajorFunction":"18",
+ "IsOnRemovableDisk":"0",
+ "Entitlements":"15",
+ "name":"OoxmlFileWrittenV12",
+ "OperationFlags":"0",
+ "aid":"cfbece25ef5444715fb3340fad3cab37",
+ "cid":"e941027a2d1141f189b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix"
+ },
+ {
+ "event_simpleName":"ProcessRollup2Stats",
+ "ConfigStateHash":"2191674825",
+ "Timeout":"600",
+ "aip":"77.77.77.77",
+ "SHA256HashData":"7b7d042adc61f6bd613c202e72b88045702d3171ab27e4702411d337dd0ccb4b",
+ "ProcessCount":"6",
+ "ConfigBuild":"1007.4.0012204.1",
+ "UID":"0",
+ "event_platform":"Mac",
+ "CommandLine":"/usr/bin/awk {print $1;}",
+ "Entitlements":"15",
+ "name":"ProcessRollup2StatsMacV1",
+ "id":"7ddb47a2-649f-11eb-b100-069ffba97e11",
+ "aid":"4a685c5af31c441b78b96df71752f303",
+ "timestamp":"1612192173903",
+ "cid":"e941027a2d1141f189b6c6c049c83215"
+ },
+ {
+ "event_simpleName":"PeVersionInfo",
+ "ConfigStateHash":"4091923303",
+ "aip":"147.147.147.147",
+ "SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
+ "ConfigBuild":"1007.3.0012806.1",
+ "VersionInfo":"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",
+ "CompanyName":"Microsoft Corporation",
+ "event_platform":"Win",
+ "OriginalFilename":"Wmiprvse.exe",
+ "TargetProcessId":"1467339488123",
+ "ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
+ "FileVersion":"10.0.17763.1 (WinBuild.160101.0800)",
+ "Entitlements":"15",
+ "name":"PeVersionInfoV3",
+ "id":"85d170dd-649f-11eb-b7ab-02c72af1f307",
+ "EffectiveTransmissionClass":"3",
+ "aid":"8a7c4aa9c11944aa7afa437b73a4817d",
+ "LanguageId":"1033",
+ "timestamp":"1612192187260",
+ "cid":"e941027a2d1141f189b6c6c049c83215"
+ },
+ {
+ "Size":"5120",
+
"ContextThreadId":"37505999371785",
+ "MinorFunction":"0",
+ "aip":"84.84.84.84",
+ "IsOnNetwork":"0",
+ "FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8ed2da010000007f00",
+ "event_platform":"Win",
+ "TokenType":"1",
+ "DiskParentDeviceInstanceId":"PCI\\VEN_17AA&DEV_0003&SUBSYS_100317AA&REV_00\\4&18cf69ef&0&00E4",
+ "id":"7fca95a3-649f-11eb-87c5-0608a1cc49e3",
+ "FileObject":"18446668234812634352",
+ "EffectiveTransmissionClass":"3",
+ "timestamp":"1612192177149",
+ "event_simpleName":"OleFileWritten",
+ "ContextTimeStamp":"1612192175.957",
+ "ConfigStateHash":"4091923303",
+ "ContextProcessId":"1017509766761",
+ "IrpFlags":"1028",
+ "AuthenticationId":"757446330",
+ "ConfigBuild":"1007.3.0012806.1",
+ "FileEcpBitmask":"0",
+ "MajorFunction":"18",
+ "IsOnRemovableDisk":"0",
+ "Entitlements":"15",
+ "name":"OleFileWrittenV12",
+ "OperationFlags":"0",
+ "aid":"b324ab19ddf34b8f6672c64a05758b",
+ "cid":"e941027a2d1141f9b6c6c049c83215",
+ "TargetFileName":"\\Device\\HarddiskVolume3\\Users\\D\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\AutomationManager\\Active\\{990EF5F6-645A-11EB-AE23-7C2A31092D5A}.dat"
+ },
+ {
+ "event_simpleName":"DriverLoad",
+ "ContextTimeStamp":"1612192188.246",
+ "ConfigStateHash":"1036481984",
+ "ContextProcessId":"1305670660340",
+ "DriverLoadFlags":"0",
+ "ContextThreadId":"47805865802230",
+ "aip":"104.104.104.104",
+ "MD5HashData":"3c15a5ac47b1ca4d9a9f8680e224996f",
+ "SHA256HashData":"f95ec4e4e5fdff1d68179205430aad01a0124dbd682faff6270b99b4aacc793f",
+ "ConfigBuild":"1007.3.0012806.1",
+ "CompanyName":"Microsoft Corporation",
+ "event_platform":"Win",
+ "OriginalFilename":"WSDScan.sys",
+ "ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\WSDScan.sys",
+ "FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
+ "Entitlements":"15",
+ "name":"DriverLoadV3",
+ "id":"948cb457-649f-11eb-a03c-065d96aa71d1",
+ "EffectiveTransmissionClass":"3",
+ "aid":"6bbe3993fd594f45d25512aeabbfd4",
+
"timestamp":"1612192211975",
+ "cid":"e941027a2d1141f9b6c6c049c83215"
+ },
+ {
+ "event_simpleName":"NeighborListIP4",
+ "ConfigStateHash":"1187562179",
+ "NeighborList":"BC-0F-9A-F5-62-FW|192.168.0.1|0|!!!!UNKNOWN!!!!;",
+ "aip":"103.103.103.103",
+ "InterfaceIndex":"7",
+ "ConfigBuild":"1007.3.0012806.1",
+ "event_platform":"Win",
+ "Entitlements":"15",
+ "name":"NeighborListIP4V2",
+ "id":"9926a93d-649f-11eb-910e-024bf0016c79",
+ "EffectiveTransmissionClass":"3",
+ "aid":"504c07d9cdbb47ac793b11238a2476e1",
+ "timestamp":"1612192219695",
+ "cid":"e941027a2d114189b6c6c049c83215"
+ }
+ ]
\ No newline at end of file
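Review bot: The `cid` values across this sample set are not consistent — the first record uses the 32-hex-character `e941027a2d1141f189b6c6c049c83215`, while later records carry shorter variants of the same string (31 or 30 characters in the NetworkConnectIP4, ImageHash, ErrorEvent, SignInfoError and DriverLoad records, among others), and several `aid` values are likewise shorter than the 32 characters the first record uses. This looks like manual scrubbing that dropped characters rather than distinct tenants or sensors; since all records are meant to come from one source, the sample would be easier to reason about, and to group or join on, if a single placeholder value were used throughout, e.g. the 32-character form from the first record. The file also ends without a trailing newline, which git will flag on every future edit to it.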