From 5e26eb5c1e86c18f2c2e2189f5189fc4f2c67058 Mon Sep 17 00:00:00 2001
From: chicduong <59736871+chicduong@users.noreply.github.com>
Date: Thu, 17 Dec 2020 15:19:01 -0800
Subject: [PATCH] parser updates

---
 .../SymantecEndpointProtection.txt | 119 ++++--
 .../Syslog/SymantecEndpointProtection.json | 386 +++++++++---------
 2 files changed, 284 insertions(+), 221 deletions(-)

diff --git a/Parsers/SymantecEndpointProtection/SymantecEndpointProtection.txt b/Parsers/SymantecEndpointProtection/SymantecEndpointProtection.txt
index eed3a421b9..130aa52fa9 100644
--- a/Parsers/SymantecEndpointProtection/SymantecEndpointProtection.txt
+++ b/Parsers/SymantecEndpointProtection/SymantecEndpointProtection.txt
@@ -1,7 +1,7 @@
 // Title: Broadcom Symantec Endpoint Protection (SEP)
 // Author: Microsoft
 // Version: 1.0
-// Last Updated: 12/01/2020
+// Last Updated: 12/15/2020
 // Comment: Inital Release
 //
 // DESCRIPTION:
@@ -21,49 +21,62 @@ // LOG SAMPLES: // This parser assumes the raw log are formatted as follows: // -// <54>Nov 12 00:37:31 SAMPLE0007 SymantecServer: Site: Site_RMG_BBP,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST18,sampleuser99,sample.abccompany.com +// Site: Site_TEST_SITE,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST18,sampleuser99,sample.abccompany.com // -// <50>Nov 12 09:48:17 SAMPLE0007 SymantecServer: sam196136,10.221.252.252,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:22:22,End Time: 2020-11-12 09:22:22,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,16464,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: +// sam196136,10.221.252.252,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:22:22,End Time: 2020-11-12 09:22:22,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,16464,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: // -// <51>Nov 11 19:43:36 SAMPLE0007 SymantecServer: sam733904,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host 
Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000 +// sam733904,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000 // // let LogHeader = Syslog | where Computer in ("server1", "server2") // server1 and server2 are examples, replace this list with your SEP device names -| extend ServerName = extract(@"SymantecServer:\s([\w\-\_]+)?(,|\Site:)",1,SyslogMessage) +| extend ServerName = extract(@"^([\w\-\_]+)?(,|\Site:)",1,SyslogMessage) // Agent System Log Header -| extend AgentSystemLogsParser = extract_all(@"SymantecServer:\s([^,]+)\,Category:\s([\d]+)\,([^,]+)\,Event\sDescription:\s([^,]+)(\,Event time:\s([^,]+)\,Group Name:\s([^,]+)$?)?",dynamic([1,2,3,4,6,7]), SyslogMessage) +| extend AgentSystemLogsParser = extract_all(@'^([^,]+)\,Category:\s([\d]+)\,([^,]+)\,\"?Event\sDescription:\s([^,]+\"?)(\,Event time:\s([^,]+)\,Group Name:\s([^,]+)$?)?',dynamic([1,2,3,4,6,7]), SyslogMessage) | mv-expand AgentSystemLogsParser | extend LogType = iif(isnotempty(AgentSystemLogsParser),"Agent System Logs","") // Agent Activity Log Header -| extend AgentActivityLogsParser = 
extract_all(@"Site:\s([^,]+)\,Server\sName\:\s([^,]+)\,Domain\sName\:\s([^,]+)\,([^,]+)\,([^,]+)\,([^,]+)\,([^,]+)",dynamic([1,2,3,4,5,6,7]), SyslogMessage) +| extend AgentActivityLogsParser = extract_all(@"Site:\s([^,]+)\,Server\sName\:\s([^,]+)\,Domain\sName\:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,([^,]+)?\,([^,]+)?",dynamic([1,2,3,4,5,6,7]), SyslogMessage) | mv-expand AgentActivityLogsParser | extend LogType = iif(isempty(LogType) and isnotempty(AgentActivityLogsParser),"Agent Activity Logs", LogType) // Agent Behavior Log Header -| extend AgentBehaviorLogsParser = extract_all(@"SymantecServer:\s([^,]+)\,([\d\.]+)\,([^,]+)\,([^,]+)\,([^,]+)\,Begin:\s([^,]+)\,End Time:\s([^,]+)\,Rule:\s([^,]+)\,(\d+)\,([^,]+)\,([\S\s]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11]),SyslogMessage) +| extend AgentBehaviorLogsParser = extract_all(@"^([^,]+)\,([\d\.]+)\,([^,]+)\,([^,]+)\,([^,]+)\,Begin:\s([^,]+)\,End Time:\s([^,]+)\,Rule:\s([^,]+)\,(\d+)\,([^,]+)\,([\S\s]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11]),SyslogMessage) | mv-expand AgentBehaviorLogsParser | extend AgentBehaviorLogsSubstring = tostring(AgentBehaviorLogsParser[10]) | extend AgentBehaviorLogsParser2 = extract_all(@"([^,]+)\,([^,]+)\,([^,]+)\,User Name:\s([^,]+)?\,Domain Name:\s([^,]+)?\,Action Type:\s([^,]+)?\,File size \(bytes\):\s(\d+)?\,Device ID:\s([^,]+)?",dynamic([1,2,3,4,5,6,7,8]),AgentBehaviorLogsSubstring) | mv-expand AgentBehaviorLogsParser2 | extend LogType = iif(isempty(LogType) and isnotempty(AgentBehaviorLogsParser) and isnotempty(AgentBehaviorLogsParser2),"Agent Behavior Logs",LogType) // Agent Traffic Log Header -| extend AgentTrafficLogsParser = extract_all(@"SymantecServer:\s([^,]+)\,Local Host IP:\s([^,]+)?\,Local Port:\s([^,]+)?\,Local Host MAC:\s([^,]+)?\,Remote Host IP:\s([^,]+)?\,Remote Host Name:\s([^,]+)?\,Remote Port:\s([^,]+)?\,Remote Host MAC:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,Begin:\s([^,]+)?\,End Time:\s([^,]+)?\,([\s\S]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]),SyslogMessage) +| extend 
AgentTrafficLogsParser = extract_all(@"^([^,]+)\,Local Host IP:\s([^,]+)?\,Local Port:\s([^,]+)?\,Local Host MAC:\s([^,]+)?\,Remote Host IP:\s([^,]+)?\,Remote Host Name:\s([^,]+)?\,Remote Port:\s([^,]+)?\,Remote Host MAC:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,Begin:\s([^,]+)?\,End Time:\s([^,]+)?\,([\s\S]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]),SyslogMessage) | mv-expand AgentTrafficLogsParser | extend AgentTrafficLogsSubstring = tostring(AgentTrafficLogsParser[12]) | extend AgentTrafficLogsParser2 = extract_all(@"Occurrences:\s([^,]+)?\,Application:\s([^,]+)?\,Rule:\s([^,]+)?\,Location:\s([^,]+)?\,User Name:\s([^,]+)?\,Domain Name:\s([^,]+)?\,Action:\s([^,]+)?\,SHA-256:\s([^,]+)?\,MD-5:\s([^,]+)?",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),AgentTrafficLogsSubstring) | mv-expand AgentTrafficLogsParser2 | extend LogType = iif(isempty(LogType) and isnotempty(AgentTrafficLogsParser) and isnotempty(AgentTrafficLogsParser2),"Agent Traffic Logs",LogType) // Agent Security Log Header -| extend AgentSecurityLogsParser = extract_all(@"SymantecServer:\s([^,]+)\,\W?Event Description:\s([^,]+)\W?\,Local Host IP:\s([^,]+)?\,Local Host MAC:\s([^,]+)?\,Remote Host Name:\s([^,]+)?\,Remote Host IP:\s([^,]+)?\,Remote Host MAC:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,Intrusion ID:\s([^,]+)?\,Begin:\s([^,]+)?\,End Time:\s([^,]+)?\,([\s\S]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]),SyslogMessage) +| extend AgentSecurityLogsParser = extract_all(@'^([^,]+)\,(Event Description:\s([^,]+)?|\"Event Description:\s([^"]+)?\")\,Local Host IP:\s([^,]+)?\,Local Host MAC:\s([^,]+)?\,Remote Host Name:\s([^,]+)?\,Remote Host IP:\s([^,]+)?\,Remote Host MAC:\s([^,]+)?\,([^,]+)?\,([^,]+)?\,(Intrusion ID:\s)?([^,]+)?\,Begin:\s([^,]+)?\,End Time:\s([^,]+)?\,([\s\S]+)',dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]),SyslogMessage) | mv-expand AgentSecurityLogsParser -| extend AgentSecurityLogsSubstring = tostring(AgentSecurityLogsParser[12]) +| extend AgentSecurityLogsSubstring = tostring(AgentSecurityLogsParser[15]) | 
extend AgentSecurityLogsParser2 = extract_all(@"Occurrences:\s([^,]+)?\,Application:\s([^,]+)?\,Location:\s([^,]+)?\,User Name:\s([^,]+)?\,Domain Name:\s([^,]+)?\,Local Port:\s([^,]+)?\,Remote Port:\s([^,]+)?\,CIDS Signature ID:\s([^,]+)?\,CIDS Signature string:\s([^,]+)?\,CIDS Signature SubID:\s([^,]+)?\,Intrusion URL:\s([^,]+)?\,Intrusion Payload URL:\s([^,]+)?\,SHA-256:\s([^,]+)?\,MD-5:\s([^,]+)?",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13]),AgentSecurityLogsSubstring) | mv-expand AgentSecurityLogsParser2 | extend LogType = iif(isempty(LogType) and isnotempty(AgentSecurityLogsParser) and isnotempty(AgentSecurityLogsParser2),"Agent Security Logs",LogType) // Agent Packet Log Header | extend AgentPacketLogsParser = extract_all(@"Local Host IP:\s([^,]+)?\,Local Port:\s([^,]+)?\,Remote Host IP:\s([^,]+)?\,Remote Host Name:\s([^,]+)?\,Remote Port:\s([^,]+)?\,([^,]+)?\,Application:\s([^,]+)?\,Action:\s([^,]+)?\,",dynamic([1,2,3,4,5,6,7]), SyslogMessage) | mv-expand AgentPacketLogsParser -| extend LogType = iif(isempty(LogType) and isnotempty(AgentPacketLogsParser),"Agent Packet Logs",LogType); +| extend LogType = iif(isempty(LogType) and isnotempty(AgentPacketLogsParser),"Agent Packet Logs",LogType) +// Agent Risk Log Header +| extend AgentRiskLogsParser = extract_all(@'^([^,]+)\,IP Address:\s([^,]+)?\,Computer name:\s([^,]+)?\,Source:\s([^,]+)?\,Risk name:\s([^,]+)?\,Occurrences:\s([^,]+)?\,(File path:\s([^,]+)?|File path:\s\"([^"]+)\"?\")\,Description:\s([^,]+)?\,Actual action:\s([^,]+)?\,Requested action:\s([^,]+)?\,Secondary action:\s([^,]+)?\,Event time:\s([^,]+)?\,Event Insert Time:\s([^,]+)?\,([\s\S]+)',dynamic([1,2,3,4,5,6,8,9,10,11,12,13,14,15,16]), SyslogMessage) +| mv-expand AgentRiskLogsParser +| extend AgentRiskLogsSubstring = tostring(AgentRiskLogsParser[14]) +| extend AgentRiskLogsParser2 = extract_all(@"^End Time:\s([^,]+)?\,Last update time:\s([^,]+)?\,Domain Name:\s([^,]+)?\,Group Name:\s([^,]+)?\,Server Name:\s([^,]+)?\,User Name:\s([^,]+)?\,Source 
Computer Name:\s([^,]+)?\,Source Computer IP:\s([^,]+)?\,Disposition:\s([^,]+)?\,Download site:\s([^,]+)?\,Web domain:\s([^,]+)?\,Downloaded by:\s([^,]+)?\,Prevalence:\s([^,]+)?\,Confidence:\s([^,]+)?\,URL Tracking Status:\s([^,]+)?\,([\s\S]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]),AgentRiskLogsSubstring) +| mv-expand AgentRiskLogsParser2 +| extend AgentRiskLogsSubstring2 = tostring(AgentRiskLogsParser2[15]) +| extend AgentRiskLogsParser3 = extract_all(@"^First Seen:\s([^,]+)?\,Sensitivity:\s([^,]+)?\,Permitted application reason:\s([^,]+)?\,Application hash:\s([^,]+)?\,Hash type:\s([^,]+)?\,Company name:\s([^,]+)?\,Application name:\s([^,]+)?\,Application version:\s([^,]+)?\,Application type:\s([^,]+)?\,File size \(bytes\):\s([^,]+)?\,Category set:\s([^,]+)?\,Category type:\s([^,]+)?\,Location:\s([^,]+)?\,Intensive Protection Level:\s([^,]+)?\,Certificate issuer:\s([^,]+)?\,([\s\S]+)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]),AgentRiskLogsSubstring2) +| mv-expand AgentRiskLogsParser3 +| extend AgentRiskLogsSubstring3 = tostring(AgentRiskLogsParser3[15]) +| extend AgentRiskLogsParser4 = extract_all(@"^Certificate signer:\s([^,]+)?\,Certificate thumbprint:\s([^,]+)?\,Signing timestamp:\s([^,]+)?\,Certificate serial number:\s([^,]+)?(\,|$)",dynamic([1,2,3,4]),AgentRiskLogsSubstring3) +| mv-expand AgentRiskLogsParser4 +| extend LogType = iif(isempty(LogType) and isnotempty(AgentRiskLogsParser) and isnotempty(AgentRiskLogsParser2) and isnotempty(AgentRiskLogsParser3),"Agent Risk Logs",LogType); // Agent System Log Parser let AgentSystemLogs = LogHeader | where LogType == "Agent System Logs" 
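Review bot: Every header regex in this hunk is now `^`-anchored (ServerName, AgentSystemLogsParser, AgentBehaviorLogsParser, AgentTrafficLogsParser, AgentSecurityLogsParser, AgentRiskLogsParser), which only works when the syslog prefix (`<PRI>`, timestamp, host, `SymantecServer:`) has already been removed from SyslogMessage, as the rewritten samples assume; in a deployment where the agent leaves that prefix in place, every parser silently falls through to AllOtherLogs with an empty LogType and any rule built on the parsed fields stops matching. That precondition should be stated in the header, e.g. `// NOTE: all parser regexes are anchored with ^ and expect SyslogMessage to begin at the SEP payload (after "SymantecServer: "), not at the syslog PRI/timestamp/host prefix.` In the ServerName line, `\Site:` is not an escaped S but `\S` (any non-whitespace character) followed by `ite:`; `(,|Site:)` says what is meant. The new AgentRiskLogs LogType condition requires AgentRiskLogsParser through AgentRiskLogsParser3 but not AgentRiskLogsParser4, unlike the other multi-stage parsers that require every stage; if that is intentional (certificate fields optional), a comment saying so would stop a later reader from "fixing" it.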
@@ -110,7 +123,7 @@ let AgentTrafficLogs = LogHeader
  LocalPortNumber = toint(AgentTrafficLogsParser[2]),
  LocalHostMacAddr = tostring(AgentTrafficLogsParser[3]),
  RemoteHostIpAddr = tostring(AgentTrafficLogsParser[4]),
- RemoteHostName = todatetime(AgentTrafficLogsParser[5]),
+ RemoteHostName = tostring(AgentTrafficLogsParser[5]),
  RemotePortNumber = toint(AgentTrafficLogsParser[6]),
  RemoteHostMacAddr = tostring(AgentTrafficLogsParser[7]),
  NetworkProtocol = toint(AgentTrafficLogsParser[8]),
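Review bot: The same kind of type mismatch this hunk fixes for RemoteHostName remains on its last context line: `NetworkProtocol = toint(AgentTrafficLogsParser[8])` reads the first unlabeled field after `Remote Host MAC`, which in the header's own traffic sample is `TCP`, so toint() yields null and the column is never populated. `NetworkProtocol = tostring(AgentTrafficLogsParser[8]),` keeps the value; as written, any detection filtering traffic events on NetworkProtocol matches nothing. The extend this belongs to starts and ends outside the hunk.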
@@ -130,18 +143,17 @@ let AgentTrafficLogs = LogHeader
 // Agent Security Logs
 let AgentSecurityLogs = LogHeader
 | where LogType == "Agent Security Logs"
-| extend EventDescription = tostring(AgentSecurityLogsParser[1]),
- LocalHostIpAddr = tostring(AgentSecurityLogsParser[2]),
- LocalHostMacAddr = tostring(AgentSecurityLogsParser[3]),
- RemoteHostName = todatetime(AgentSecurityLogsParser[4]),
- RemoteHostIpAddr = tostring(AgentSecurityLogsParser[5]),
- RemoteHostMacAddr = tostring(AgentSecurityLogsParser[6]),
- TrafficDirection = tostring(AgentSecurityLogsParser[7]),
- NetworkProtocol = toint(AgentSecurityLogsParser[8]),
- IntrusionId = tostring(AgentSecurityLogsParser[9]),
- EventStartTime = todatetime(AgentSecurityLogsParser[10]),
- EventEndTime = todatetime(AgentSecurityLogsParser[11]),
- AgentSecurityLogsSubstring = tostring(AgentSecurityLogsParser[12])
+| extend EventDescription = iif(isempty(tostring(AgentSecurityLogsParser[2])),tostring(AgentSecurityLogsParser[3]),tostring(AgentSecurityLogsParser[2])),
+ LocalHostIpAddr = tostring(AgentSecurityLogsParser[4]),
+ LocalHostMacAddr = tostring(AgentSecurityLogsParser[5]),
+ RemoteHostName = tostring(AgentSecurityLogsParser[6]),
+ RemoteHostIpAddr = tostring(AgentSecurityLogsParser[7]),
+ RemoteHostMacAddr = tostring(AgentSecurityLogsParser[8]),
+ TrafficDirection = tostring(AgentSecurityLogsParser[9]),
+ NetworkProtocol = toint(AgentSecurityLogsParser[10]),
+ IntrusionId = tostring(AgentSecurityLogsParser[11]),
+ EventStartTime = todatetime(AgentSecurityLogsParser[13]),
+ EventEndTime = todatetime(AgentSecurityLogsParser[14])
 | extend Occurrences = toint(AgentSecurityLogsParser2[0]),
  ApplicationName = tostring(AgentSecurityLogsParser2[1]),
  Location = tostring(AgentSecurityLogsParser2[2]),
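Review bot: `IntrusionId = tostring(AgentSecurityLogsParser[11])` reads the wrong capture group now that the security regex has the optional label group `(Intrusion ID:\s)?`: with dynamic([1,...,16]) index 11 is group 12, i.e. the literal text `Intrusion ID: ` or empty, while the identifier itself is group 13 at index 12, so the column never holds an ID; use `IntrusionId = tostring(AgentSecurityLogsParser[12]),`. Because the IDS signature ID is a field analysts pivot on, the header and the sample-data file should carry at least one Agent Security event to catch this kind of index drift; the JSON hunks visible in this commit contain only Agent Activity events. `NetworkProtocol = toint(AgentSecurityLogsParser[10])` takes the second unlabeled field, which by analogy with the traffic format is likely a protocol name rather than a number and would then convert to null, but there is no security sample here to confirm that. The let expression continues past the hunk.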
@@ -165,8 +177,59 @@ let AgentPacketLogs = LogHeader
  RemotePortNumber = toint(AgentPacketLogsParser[4]),
  Application = tostring(AgentPacketLogsParser[5]),
  Action = tostring(AgentPacketLogsParser[6]);
+// Agent Risk Logs
+let AgentRiskLogs = LogHeader
+| where LogType == "Agent Risk Logs"
+| extend Action = tostring(AgentRiskLogsParser[0]),
+ SrcIpAddr = tostring(AgentRiskLogsParser[1]),
+ SrcHostName = tostring(AgentRiskLogsParser[2]),
+ Source = tostring(AgentRiskLogsParser[3]),
+ RiskName = tostring(AgentRiskLogsParser[4]),
+ Occurences = toint(AgentRiskLogsParser[5]),
+ FilePath = iif(isempty(tostring(AgentRiskLogsParser[6])),tostring(AgentRiskLogsParser[7]),tostring(AgentRiskLogsParser[6])),
+ EventDescription = tostring(AgentRiskLogsParser[8]),
+ ActualAction = tostring(AgentRiskLogsParser[9]),
+ RequestedAction = tostring(AgentRiskLogsParser[10]),
+ SecondaryAction = tostring(AgentRiskLogsParser[11]),
+ EventStartTime = todatetime(AgentRiskLogsParser[12]),
+ EventInsertTime = todatetime(AgentRiskLogsParser[13]),
+ EventEndTime = todatetime(AgentRiskLogsParser[14])
+| extend EventEndTime = todatetime(AgentRiskLogsParser2[0]),
+ LastUpdateTime = todatetime(AgentRiskLogsParser2[1]),
+ DomainName = tostring(AgentRiskLogsParser2[2]),
+ GroupName = tostring(AgentRiskLogsParser2[3]),
+ ServerName = tostring(AgentRiskLogsParser2[4]),
+ UserName = tostring(AgentRiskLogsParser2[5]),
+ SrcComputerName = tostring(AgentRiskLogsParser2[6]),
+ SrcComputerIPAddr = tostring(AgentRiskLogsParser2[7]),
+ Disposition = tostring(AgentRiskLogsParser2[8]),
+ DownloadSite = tostring(AgentRiskLogsParser2[9]),
+ WebDomain = tostring(AgentRiskLogsParser2[10]),
+ DonwloadedBy = tostring(AgentRiskLogsParser2[11]),
+ Prevalence = tostring(AgentRiskLogsParser2[12]),
+ Confidence = tostring(AgentRiskLogsParser2[13]),
+ UrlTrackingStatus = tostring(AgentRiskLogsParser2[14])
+| extend FirstSeen = tostring(AgentRiskLogsParser3[0]),
+ Sensitivity = tostring(AgentRiskLogsParser3[1]),
+ PermittedApplicationReason = tostring(AgentRiskLogsParser3[2]),
+ ApplicationHash = tostring(AgentRiskLogsParser3[3]),
+ HashType = tostring(AgentRiskLogsParser3[4]),
+ CompanyName = tostring(AgentRiskLogsParser3[5]),
+ ApplicationName = tostring(AgentRiskLogsParser3[6]),
+ ApplicationVersion = tostring(AgentRiskLogsParser3[7]),
+ ApplicationType = tostring(AgentRiskLogsParser3[8]),
+ FileSize = tostring(AgentRiskLogsParser3[9]),
+ CategorySet = tostring(AgentRiskLogsParser3[10]),
+ CategoryType = tostring(AgentRiskLogsParser3[11]),
+ Location = tostring(AgentRiskLogsParser3[12]),
+ IntensiveProtectionLevel = tostring(AgentRiskLogsParser3[13]),
+ CertificateIssuer = tostring(AgentRiskLogsParser3[14])
+| extend CertificateSigner = tostring(AgentRiskLogsParser4[0]),
+ CertificateThumprint = tostring(AgentRiskLogsParser4[1]),
+ SigningTimestamp = tostring(AgentRiskLogsParser4[2]),
+ CertificateSerialNumber = tostring(AgentRiskLogsParser4[3]);
 // All Other Logs - Captures all other logs not specifically identified
 let AllOtherLogs = LogHeader
-| where LogType !in ("Agent System Logs","Agent Activity Logs","Agent Behavior Logs", "Agent Traffic Logs","Agent Security Logs", "Agent Packet Logs");
-union AgentActivityLogs, AgentBehaviorLogs, AgentSystemLogs, AgentTrafficLogs, AgentSecurityLogs, AgentPacketLogs, AllOtherLogs
-| project-away AgentBehaviorLogsParser, AgentBehaviorLogsParser2, AgentTrafficLogsParser, AgentTrafficLogsParser2, AgentTrafficLogsSubstring, AgentActivityLogsParser, AgentBehaviorLogsSubstring, AgentSecurityLogsParser, AgentSecurityLogsSubstring, AgentSecurityLogsParser2, AgentSystemLogsParser, AgentPacketLogsParser
\ No newline at end of file
+| where LogType !in ("Agent System Logs","Agent Activity Logs","Agent Behavior Logs", "Agent Traffic Logs","Agent Security Logs", "Agent Packet Logs", "Agent Risk Logs");
+union AgentActivityLogs, AgentBehaviorLogs, AgentSystemLogs, AgentTrafficLogs, AgentSecurityLogs, AgentPacketLogs, AgentRiskLogs, AllOtherLogs
+| project-away AgentBehaviorLogsParser, AgentBehaviorLogsParser2, AgentTrafficLogsParser, AgentTrafficLogsParser2, AgentTrafficLogsSubstring, AgentActivityLogsParser, AgentBehaviorLogsSubstring, AgentSecurityLogsParser, AgentSecurityLogsSubstring, AgentSecurityLogsParser2, AgentSystemLogsParser, AgentPacketLogsParser, AgentRiskLogsParser, AgentRiskLogsParser2, AgentRiskLogsParser3, AgentRiskLogsParser4, AgentRiskLogsSubstring, AgentRiskLogsSubstring2, AgentRiskLogsSubstring3
\ No newline at end of file
diff --git a/Sample Data/Syslog/SymantecEndpointProtection.json b/Sample Data/Syslog/SymantecEndpointProtection.json
index 04431e6c38..6acdfd559d 100644
--- a/Sample Data/Syslog/SymantecEndpointProtection.json
+++ b/Sample Data/Syslog/SymantecEndpointProtection.json
@@ -1,6 +1,6 @@
 [
  {
-  "SyslogMessage": "<54>Nov 12 00:39:06 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The client has reconnected with the management server,TESTHOST01,sampleuser019,sample.abccompany.com",
+  "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The client has reconnected with the management server,TESTHOST01,sampleuser019,sample.abccompany.com",
  "ServerName": "",
  "LogType": "Agent Activity Logs",
  "SiteName": "Site_TEST",
@@ -63,7 +63,7 @@
  "Facility": "local0"
  },
  {
-  "SyslogMessage": "<54>Nov 12 00:54:54 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST02,sampleuser023,sample.abccompany.com",
+  "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST02,sampleuser023,sample.abccompany.com",
  "ServerName": "",
  "LogType": "Agent Activity Logs",
  "SiteName": "Site_TEST",
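Review bot: In the new AgentRiskLogs block, `EventEndTime = todatetime(AgentRiskLogsParser[14])` converts the wrong element: with the header regex's dynamic([1,2,3,4,5,6,8,...,16]) index 14 is the `([\s\S]+)` remainder (`End Time: …,Last update time: …`), so todatetime() returns null, and the very next extend redefines EventEndTime from AgentRiskLogsParser2[0]; drop the first assignment and end that extend with `EventInsertTime = todatetime(AgentRiskLogsParser[13])`. Three of the new output columns carry typos that become part of the parser's schema once workbooks and analytic rules reference them: `Occurences`, `DonwloadedBy` and `CertificateThumprint` should be `Occurrences` (matching the Security and Traffic parsers), `DownloadedBy` and `CertificateThumbprint`. The header regex for this log type is only reachable if the FilePath alternation behaves as intended: the first branch `File path:\s([^,]+)?` also accepts a quoted path without commas, in which case AgentRiskLogsParser[6] keeps the surrounding quotes while a quoted path containing a comma is unquoted via index 7, so FilePath is not normalised consistently — worth a comment or a `trim('"', …)` on the iif result. None of the sample-data hunks in this commit contains an Agent Risk event, so this block is unexercised by the sample file.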
@@ -126,7 +126,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 01:01:28 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST03,sampleuser14,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST03,sampleuser14,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -189,7 +189,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:03 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST04,sampleuser422,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST04,sampleuser422,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -252,7 +252,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:37:05 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST05,sampleuser041,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST05,sampleuser041,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -315,7 +315,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:38:10 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The management server received the client log successfully,TESTHOST06,sampleuser6,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The management server received the client log successfully,TESTHOST06,sampleuser6,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -378,7 +378,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:55:26 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST07,sampleuser16,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST07,sampleuser16,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -441,7 +441,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:15 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST08,sampleuser017,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST08,sampleuser017,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -504,7 +504,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:37:25 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The client has reconnected with the management server,TESTHOST09,sampleuser25,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The client has reconnected with the management server,TESTHOST09,sampleuser25,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -567,7 +567,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:52 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST10,sampleuser9,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST10,sampleuser9,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -630,7 +630,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:37:50 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The management server received the client log successfully,TESTHOST12,sampleuser029,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0003,Domain Name: Default,The management server received the client log successfully,TESTHOST12,sampleuser029,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -693,7 +693,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:38:53 SAMPLE0003 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST13,sampleuser20,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0004,Domain Name: Default,The management server received the client log successfully,TESTHOST13,sampleuser20,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -756,7 +756,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:42:20 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST14,sampleuser32,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST14,sampleuser32,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -819,7 +819,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:37:30 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST15,sampleuser034,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST15,sampleuser034,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -882,7 +882,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 01:01:37 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST16,sampleuser56,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The management server received the client log successfully,TESTHOST16,sampleuser56,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -945,7 +945,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:37:31 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST18,sampleuser99,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST18,sampleuser99,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -1008,7 +1008,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:41:53 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST19,sampleuser497,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST19,sampleuser497,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -1071,7 +1071,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:25 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser011,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser011,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -1134,7 +1134,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:42:03 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser020,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser020,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -1197,7 +1197,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:15 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser026,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser026,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -1260,7 +1260,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:39:08 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser030,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser030,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -1323,7 +1323,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 00:41:54 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser031,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser031,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", @@ -1386,7 +1386,7 @@ "Facility": "local0" }, { - "SyslogMessage": "<54>Nov 12 01:01:43 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser035,sample.abccompany.com", + "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser035,sample.abccompany.com", "ServerName": "", "LogType": "Agent Activity Logs", "SiteName": "Site_TEST", 
@@ -1449,7 +1449,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<54>Nov 12 00:40:02 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser040,sample.abccompany.com",
+ "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser040,sample.abccompany.com",
 "ServerName": "",
 "LogType": "Agent Activity Logs",
 "SiteName": "Site_TEST",
@@ -1512,7 +1512,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<54>Nov 12 00:37:49 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser049,sample.abccompany.com",
+ "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser049,sample.abccompany.com",
 "ServerName": "",
 "LogType": "Agent Activity Logs",
 "SiteName": "Site_TEST",
@@ -1575,7 +1575,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<54>Nov 12 01:01:17 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser050,sample.abccompany.com",
+ "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0007,Domain Name: Default,The client has downloaded the content package successfully,sample.abccompany.com,sampleuser050,sample.abccompany.com",
 "ServerName": "",
 "LogType": "Agent Activity Logs",
 "SiteName": "Site_TEST",
@@ -1638,7 +1638,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<54>Nov 12 00:39:47 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST20,sampleuser016,sample.abccompany.com",
+ "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST20,sampleuser016,sample.abccompany.com",
 "ServerName": "",
 "LogType": "Agent Activity Logs",
 "SiteName": "Site_TEST",
@@ -1701,7 +1701,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<54>Nov 12 00:38:43 SAMPLE0007 SymantecServer: Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST21,sampleuser027,sample.abccompany.com",
+ "SyslogMessage": "Site: Site_TEST,Server Name: SAMPLE0008,Domain Name: Default,The management server received the client log successfully,TESTHOST21,sampleuser027,sample.abccompany.com",
 "ServerName": "",
 "LogType": "Agent Activity Logs",
 "SiteName": "Site_TEST",
@@ -1764,7 +1764,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:12:25 SAMPLE0003 SymantecServer: SERVER01,10.65.37.108,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:46:20,End Time: 2020-11-12 09:46:20,Rule: All Applications | lnk,6008,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER33.uk.consignia.com/TeamDirsRMUK/XBusiness (B64AADC1.uk.consignia.com) (X) - Shortcut.lnk,User Name: sampleuser48,Domain Name: SMPL,Action Type: ,File size (bytes): 663,Device ID: ",
+ "SyslogMessage": "SERVER01,10.65.37.108,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:46:20,End Time: 2020-11-12 09:46:20,Rule: All Applications | lnk,6008,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER33.uk.consignia.com/TeamDirsRMUK/XBusiness (B64AADC1.uk.consignia.com) (X) - Shortcut.lnk,User Name: sampleuser48,Domain Name: SMPL,Action Type: ,File size (bytes): 663,Device ID:",
 "ServerName": "SERVER01",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
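Review bot: The added line drops the trailing space after the empty last field (old `Device ID: ",` → new `Device ID:",`), and the same edit is made in the hunks on L23–L28, L30–L33 and L35–L47, while the two entries that carry a USB device (L29, L34) keep `Device ID: USBSTOR…` with the space. If the parser splits the final field on `Device ID: ` including the space, or real SEP output always emits that space before an empty value, these fixtures no longer exercise the production format and a regression there would go unnoticed. Keeping at least one sample with the empty-but-space-terminated field, or recording in the fixture why the space was removed, would make the intent clear.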
@@ -1827,7 +1827,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:21:03 SAMPLE0003 SymantecServer: SERVER02,10.66.17.150,Blocked, - Caller MD5=9c10b456357b5d768cd40b19a565c184,File Read,Begin: 2020-11-11 22:28:02,End Time: 2020-11-11 22:28:02,Rule: All Applications | lnk,15988,C:/Program Files (x86)/Adobe/Acrobat Reader DC/Reader/AcroRd32.exe,0,No Module Name,//SAMPLESERVER25/sampleuser1/York Boards - Shortcut.lnk,User Name: sampleuser1,Domain Name: SMPL,Action Type: ,File size (bytes): 2079,Device ID: ",
+ "SyslogMessage": "SERVER02,10.66.17.150,Blocked, - Caller MD5=9c10b456357b5d768cd40b19a565c184,File Read,Begin: 2020-11-11 22:28:02,End Time: 2020-11-11 22:28:02,Rule: All Applications | lnk,15988,C:/Program Files (x86)/Adobe/Acrobat Reader DC/Reader/AcroRd32.exe,0,No Module Name,//SAMPLESERVER25/sampleuser1/York Boards - Shortcut.lnk,User Name: sampleuser1,Domain Name: SMPL,Action Type: ,File size (bytes): 2079,Device ID:",
 "ServerName": "SERVER02",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -1890,7 +1890,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:31:34 SAMPLE0007 SymantecServer: SERVER03,10.113.17.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:29:51,End Time: 2020-11-11 23:29:51,Rule: All Applications | lnk,8700,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER32.uk.consignia.com/publicpw/Damien (Skills Matrix) - Shortcut (2).lnk,User Name: sampleuser028,Domain Name: SMPL,Action Type: ,File size (bytes): 2038,Device ID: ",
+ "SyslogMessage": "SERVER03,10.113.17.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:29:51,End Time: 2020-11-11 23:29:51,Rule: All Applications | lnk,8700,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER32.uk.consignia.com/publicpw/Damien (Skills Matrix) - Shortcut (2).lnk,User Name: sampleuser028,Domain Name: SMPL,Action Type: ,File size (bytes): 2038,Device ID:",
 "ServerName": "SERVER03",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -1953,7 +1953,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:50:55 SAMPLE0003 SymantecServer: SERVER04,10.52.154.141,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:05:50,End Time: 2020-11-11 23:05:50,Rule: All Applications | lnk,6396,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER05.uk.consignia.com/PublicLS/World Class Mail1/8 Logistics/T48/Outlook.lnk,User Name: sampleuser468,Domain Name: SMPL,Action Type: ,File size (bytes): 993,Device ID: ",
+ "SyslogMessage": "SERVER04,10.52.154.141,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:05:50,End Time: 2020-11-11 23:05:50,Rule: All Applications | lnk,6396,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER05.uk.consignia.com/PublicLS/World Class Mail1/8 Logistics/T48/Outlook.lnk,User Name: sampleuser468,Domain Name: SMPL,Action Type: ,File size (bytes): 993,Device ID:",
 "ServerName": "SERVER04",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2016,7 +2016,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:33:15 SAMPLE0007 SymantecServer: sam616356,10.49.164.106,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:28:03,End Time: 2020-11-11 23:28:03,Rule: All Applications | lnk,2172,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER13.uk.consignia.com/filestore/rmg/publicrmuk/Hours submission matrix - for calcs only.xlsx - Shortcut.lnk,User Name: sampleuser010,Domain Name: SMPL,Action Type: ,File size (bytes): 1543,Device ID: ",
+ "SyslogMessage": "sam616356,10.49.164.106,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:28:03,End Time: 2020-11-11 23:28:03,Rule: All Applications | lnk,2172,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER13.uk.consignia.com/filestore/rmg/publicrmuk/Hours submission matrix - for calcs only.xlsx - Shortcut.lnk,User Name: sampleuser010,Domain Name: SMPL,Action Type: ,File size (bytes): 1543,Device ID:",
 "ServerName": "SERVER06",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
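Review bot: The expected `ServerName` in this hunk is `SERVER06`, but the new `SyslogMessage` starts with `sam616356`, whereas in the hunks on L22–L25 the first CSV field and `ServerName` agree (`SERVER01`…`SERVER04`). The same mismatch runs through L27–L47 (`SERVER07` … `SERVER53` paired with `sam…` hostnames). If `ServerName` is derived from the message's first field, these rows cannot be produced by the parser and the anonymisation of the two columns should be brought into line; if the value comes from another source, a short note in the fixture saying so would save the next reader the same question.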
@@ -2079,7 +2079,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:44:17 SAMPLE0007 SymantecServer: sam972778,10.6.116.105,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:16:43,End Time: 2020-11-12 09:16:44,Rule: All Applications | lnk,7344,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/APPS/OSDisk (C) - Shortcut.lnk,User Name: sampleuser033,Domain Name: SMPL,Action Type: ,File size (bytes): 513,Device ID: ",
+ "SyslogMessage": "sam972778,10.6.116.105,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:16:43,End Time: 2020-11-12 09:16:44,Rule: All Applications | lnk,7344,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/APPS/OSDisk (C) - Shortcut.lnk,User Name: sampleuser033,Domain Name: SMPL,Action Type: ,File size (bytes): 513,Device ID:",
 "ServerName": "SERVER07",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2142,7 +2142,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:01:36 SAMPLE0007 SymantecServer: sam304630,10.65.169.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:56:07,End Time: 2020-11-12 04:56:07,Rule: All Applications | lnk,9700,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER88/TeamDirsRMUK/PUBLICRMUK (NG92RRDC2.uk.consignia.com) (P) - Shortcut.lnk,User Name: sampleuser17,Domain Name: SMPL,Action Type: ,File size (bytes): 673,Device ID: ",
+ "SyslogMessage": "sam304630,10.65.169.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:56:07,End Time: 2020-11-12 04:56:07,Rule: All Applications | lnk,9700,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER88/TeamDirsRMUK/PUBLICRMUK (NG92RRDC2.uk.consignia.com) (P) - Shortcut.lnk,User Name: sampleuser17,Domain Name: SMPL,Action Type: ,File size (bytes): 673,Device ID:",
 "ServerName": "SERVER08",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2205,7 +2205,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:41:30 SAMPLE0003 SymantecServer: sam649681,10.33.105.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 21:52:22,End Time: 2020-11-11 21:52:22,Rule: All Applications | lnk,2580,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER484.uk.consignia.com/PublicRMUK/BOX PICTURES.lnk,User Name: sampleuser023,Domain Name: SMPL,Action Type: ,File size (bytes): 3121,Device ID: ",
+ "SyslogMessage": "sam649681,10.33.105.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 21:52:22,End Time: 2020-11-11 21:52:22,Rule: All Applications | lnk,2580,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER484.uk.consignia.com/PublicRMUK/BOX PICTURES.lnk,User Name: sampleuser023,Domain Name: SMPL,Action Type: ,File size (bytes): 3121,Device ID:",
 "ServerName": "SERVER09",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2268,7 +2268,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:41:30 SAMPLE0003 SymantecServer: sam851748,10.33.105.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 21:54:22,End Time: 2020-11-11 21:54:22,Rule: All Applications | lnk,2580,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER484.uk.consignia.com/PublicRMUK/shared/s/Challenge Monitor.lnk,User Name: sampleuser023,Domain Name: SMPL,Action Type: ,File size (bytes): 1711,Device ID: ",
+ "SyslogMessage": "sam851748,10.33.105.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 21:54:22,End Time: 2020-11-11 21:54:22,Rule: All Applications | lnk,2580,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER484.uk.consignia.com/PublicRMUK/shared/s/Challenge Monitor.lnk,User Name: sampleuser023,Domain Name: SMPL,Action Type: ,File size (bytes): 1711,Device ID:",
 "ServerName": "SERVER10",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2331,7 +2331,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:42:29 SAMPLE0003 SymantecServer: sam656816,10.48.71.49,Blocked,[AC9-1.1] Block access to autorun.inf - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:05:56,End Time: 2020-11-11 23:06:13,Rule: Explorer | [AC9-1.1] Autorun.inf,10520,C:/Windows/explorer.exe,0,No Module Name,D:/autorun.inf,User Name: sampleuser044,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\60A44C3FAC7DE26099720C19&0",
+ "SyslogMessage": "sam656816,10.48.71.49,Blocked,[AC9-1.1] Block access to autorun.inf - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:05:56,End Time: 2020-11-11 23:06:13,Rule: Explorer | [AC9-1.1] Autorun.inf,10520,C:/Windows/explorer.exe,0,No Module Name,D:/autorun.inf,User Name: sampleuser044,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\60A44C3FAC7DE26099720C19&0",
 "ServerName": "SERVER11",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2394,7 +2394,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:03:37 SAMPLE0007 SymantecServer: sam301591,10.29.8.184,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:41:25,End Time: 2020-11-12 09:41:25,Rule: All Applications | lnk,8768,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER621.uk.consignia.com/PUBLICLOG/Logistics/COACHES - Shortcut.lnk,User Name: sampleuser2323,Domain Name: SMPL,Action Type: ,File size (bytes): 854,Device ID: ",
+ "SyslogMessage": "sam301591,10.29.8.184,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:41:25,End Time: 2020-11-12 09:41:25,Rule: All Applications | lnk,8768,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER621.uk.consignia.com/PUBLICLOG/Logistics/COACHES - Shortcut.lnk,User Name: sampleuser2323,Domain Name: SMPL,Action Type: ,File size (bytes): 854,Device ID:",
 "ServerName": "SERVER12",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2457,7 +2457,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:07:17 SAMPLE0007 SymantecServer: sam889986,10.205.27.119,Blocked, - Caller MD5=df26cf498e632a7e40036ed84d063cc7,File Read,Begin: 2020-11-12 09:38:58,End Time: 2020-11-12 09:38:58,Rule: All Applications | lnk,11852,C:/Program Files (x86)/Microsoft Office/root/Office16/EXCEL.EXE,0,No Module Name,//SAMPLESERVER44.uk.consignia.com/TeamdirsIS/Network Team/Daily Allocations PCS & Network Team - Shortcut (5).lnk,User Name: sampleuser04,Domain Name: SMPL,Action Type: ,File size (bytes): 2205,Device ID: ",
+ "SyslogMessage": "sam889986,10.205.27.119,Blocked, - Caller MD5=df26cf498e632a7e40036ed84d063cc7,File Read,Begin: 2020-11-12 09:38:58,End Time: 2020-11-12 09:38:58,Rule: All Applications | lnk,11852,C:/Program Files (x86)/Microsoft Office/root/Office16/EXCEL.EXE,0,No Module Name,//SAMPLESERVER44.uk.consignia.com/TeamdirsIS/Network Team/Daily Allocations PCS & Network Team - Shortcut (5).lnk,User Name: sampleuser04,Domain Name: SMPL,Action Type: ,File size (bytes): 2205,Device ID:",
 "ServerName": "SERVER14",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2520,7 +2520,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:54:15 SAMPLE0007 SymantecServer: sam563302,10.37.153.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:23:26,End Time: 2020-11-11 23:23:26,Rule: All Applications | lnk,6900,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER03.uk.consignia.com/PublicRMUK/Belfast MC Production Control/Daily Production Plan - Shortcut (2).lnk,User Name: sampleuser037,Domain Name: SMPL,Action Type: ,File size (bytes): 1106,Device ID: ",
+ "SyslogMessage": "sam563302,10.37.153.102,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:23:26,End Time: 2020-11-11 23:23:26,Rule: All Applications | lnk,6900,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER03.uk.consignia.com/PublicRMUK/Belfast MC Production Control/Daily Production Plan - Shortcut (2).lnk,User Name: sampleuser037,Domain Name: SMPL,Action Type: ,File size (bytes): 1106,Device ID:",
 "ServerName": "SERVER15",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2583,7 +2583,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:39:30 SAMPLE0007 SymantecServer: sam844362,10.33.53.107,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:53:40,End Time: 2020-11-12 08:53:40,Rule: All Applications | lnk,7648,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER1515.uk.consignia.com/shared/DI Report - Shortcut (2).lnk,User Name: sampleuser77,Domain Name: SMPL,Action Type: ,File size (bytes): 2498,Device ID: ",
+ "SyslogMessage": "sam844362,10.33.53.107,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:53:40,End Time: 2020-11-12 08:53:40,Rule: All Applications | lnk,7648,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER1515.uk.consignia.com/shared/DI Report - Shortcut (2).lnk,User Name: sampleuser77,Domain Name: SMPL,Action Type: ,File size (bytes): 2498,Device ID:",
 "ServerName": "SERVER17",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2646,7 +2646,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:10:57 SAMPLE0007 SymantecServer: sam716238,10.62.85.108,Blocked,[AC9-1.1] Block access to autorun.inf - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:26:18,End Time: 2020-11-12 09:26:18,Rule: Explorer | [AC9-1.1] Autorun.inf,10216,C:/Windows/explorer.exe,0,No Module Name,I:/autorun.inf,User Name: sampleuser12,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: USBSTOR\\Disk&Ven_Linux&Prod_File-CD_Gadget&Rev_0319\\7&34f3d5ce&0&000001193127&0",
+ "SyslogMessage": "sam716238,10.62.85.108,Blocked,[AC9-1.1] Block access to autorun.inf - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:26:18,End Time: 2020-11-12 09:26:18,Rule: Explorer | [AC9-1.1] Autorun.inf,10216,C:/Windows/explorer.exe,0,No Module Name,I:/autorun.inf,User Name: sampleuser12,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: USBSTOR\\Disk&Ven_Linux&Prod_File-CD_Gadget&Rev_0319\\7&34f3d5ce&0&000001193127&0",
 "ServerName": "SERVER19",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2709,7 +2709,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:12:25 SAMPLE0003 SymantecServer: sam522335,10.54.45.119,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 10:07:16,End Time: 2020-11-12 10:07:32,Rule: All Applications | lnk,5436,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER884.uk.consignia.com/TeamDirsTS1/TeamdirsTS/Data_Management/Health and Safety.lnk,User Name: sampleuser013,Domain Name: SMPL,Action Type: ,File size (bytes): 1082,Device ID: ",
+ "SyslogMessage": "sam522335,10.54.45.119,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 10:07:16,End Time: 2020-11-12 10:07:32,Rule: All Applications | lnk,5436,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER884.uk.consignia.com/TeamDirsTS1/TeamdirsTS/Data_Management/Health and Safety.lnk,User Name: sampleuser013,Domain Name: SMPL,Action Type: ,File size (bytes): 1082,Device ID:",
 "ServerName": "SERVER20",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2772,7 +2772,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:52:15 SAMPLE0007 SymantecServer: sam741945,10.54.73.77,Blocked, - Caller MD5=b52237ff4501e7d9ae543518ee26df16,File Read,Begin: 2020-11-11 23:49:29,End Time: 2020-11-11 23:49:29,Rule: All Applications | lnk,4840,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER5424.uk.consignia.com/teamdirsls/Computer - Shortcut.lnk,User Name: sampleuser12,Domain Name: SMPL,Action Type: ,File size (bytes): 355,Device ID: ",
+ "SyslogMessage": "sam741945,10.54.73.77,Blocked, - Caller MD5=b52237ff4501e7d9ae543518ee26df16,File Read,Begin: 2020-11-11 23:49:29,End Time: 2020-11-11 23:49:29,Rule: All Applications | lnk,4840,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER5424.uk.consignia.com/teamdirsls/Computer - Shortcut.lnk,User Name: sampleuser12,Domain Name: SMPL,Action Type: ,File size (bytes): 355,Device ID:",
 "ServerName": "SERVER21",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2835,7 +2835,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:05:37 SAMPLE0007 SymantecServer: sam322603,10.37.108.49,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:38:35,End Time: 2020-11-12 09:38:35,Rule: All Applications | lnk,8884,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/Network - Shortcut (2).lnk,User Name: sampleuser2,Domain Name: SMPL,Action Type: ,File size (bytes): 351,Device ID: ",
+ "SyslogMessage": "sam322603,10.37.108.49,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:38:35,End Time: 2020-11-12 09:38:35,Rule: All Applications | lnk,8884,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/Network - Shortcut (2).lnk,User Name: sampleuser2,Domain Name: SMPL,Action Type: ,File size (bytes): 351,Device ID:",
 "ServerName": "SERVER25",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2898,7 +2898,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:05:17 SAMPLE0007 SymantecServer: sam516093,10.222.228.252,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:38:47,End Time: 2020-11-12 09:38:47,Rule: All Applications | lnk,6564,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/Credit Risk Team/Downloads.lnk,User Name: sampleuser76,Domain Name: SMPL,Action Type: ,File size (bytes): 893,Device ID: ",
+ "SyslogMessage": "sam516093,10.222.228.252,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:38:47,End Time: 2020-11-12 09:38:47,Rule: All Applications | lnk,6564,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/Credit Risk Team/Downloads.lnk,User Name: sampleuser76,Domain Name: SMPL,Action Type: ,File size (bytes): 893,Device ID:",
 "ServerName": "SERVER26",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -2961,7 +2961,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:30:57 SAMPLE0007 SymantecServer: sam703970,10.221.255.205,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:57:23,End Time: 2020-11-12 08:57:23,Rule: All Applications | lnk,9476,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER003/teamdirsts/OSDisk (C) - Shortcut.lnk,User Name: sampleuser5,Domain Name: SMPL,Action Type: ,File size (bytes): 456,Device ID: ",
+ "SyslogMessage": "sam703970,10.221.255.205,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:57:23,End Time: 2020-11-12 08:57:23,Rule: All Applications | lnk,9476,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER003/teamdirsts/OSDisk (C) - Shortcut.lnk,User Name: sampleuser5,Domain Name: SMPL,Action Type: ,File size (bytes): 456,Device ID:",
 "ServerName": "SERVER30",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3024,7 +3024,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:30:57 SAMPLE0007 SymantecServer: sam381348,10.221.255.205,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:57:24,End Time: 2020-11-12 08:57:24,Rule: All Applications | lnk,9476,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER003/teamdirsts/teamdirsrmuk (w1t1hqdc1.uk.consignia.com) (Y) - Shortcut.lnk,User Name: sampleuser5,Domain Name: SMPL,Action Type: ,File size (bytes): 517,Device ID: ",
+ "SyslogMessage": "sam381348,10.221.255.205,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:57:24,End Time: 2020-11-12 08:57:24,Rule: All Applications | lnk,9476,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER003/teamdirsts/teamdirsrmuk (w1t1hqdc1.uk.consignia.com) (Y) - Shortcut.lnk,User Name: sampleuser5,Domain Name: SMPL,Action Type: ,File size (bytes): 517,Device ID:",
 "ServerName": "SERVER31",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3087,7 +3087,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:03:37 SAMPLE0007 SymantecServer: sam721235,192.168.0.129,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:33:54,End Time: 2020-11-12 09:33:54,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,13532,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam721235,192.168.0.129,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:33:54,End Time: 2020-11-12 09:33:54,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,13532,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER32",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3150,7 +3150,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:38:55 SAMPLE0007 SymantecServer: sam654440,10.113.6.7,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:14:08,End Time: 2020-11-11 23:14:14,Rule: All Applications | lnk,9920,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER32/publicPW/1singerma - Shortcut (2).lnk,User Name: sampleuser68,Domain Name: SMPL,Action Type: ,File size (bytes): 727,Device ID: ",
+ "SyslogMessage": "sam654440,10.113.6.7,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:14:08,End Time: 2020-11-11 23:14:14,Rule: All Applications | lnk,9920,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER32/publicPW/1singerma - Shortcut (2).lnk,User Name: sampleuser68,Domain Name: SMPL,Action Type: ,File size (bytes): 727,Device ID:",
 "ServerName": "SERVER34",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3213,7 +3213,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:11:51 SAMPLE0007 SymantecServer: sam289300,10.221.240.7,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:28:32,End Time: 2020-11-12 09:28:32,Rule: All Applications | lnk,9172,C:/Windows/explorer.exe,0,No Module Name,//portal.abccompany.com@SSL/DavWWWRoot/sites/A1260/AnalyticsReports/SAP Sales Order daily extract - Shortcut (2).lnk,User Name: sampleuser10,Domain Name: SMPL,Action Type: ,File size (bytes): 2283,Device ID: ",
+ "SyslogMessage": "sam289300,10.221.240.7,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:28:32,End Time: 2020-11-12 09:28:32,Rule: All Applications | lnk,9172,C:/Windows/explorer.exe,0,No Module Name,//portal.abccompany.com@SSL/DavWWWRoot/sites/A1260/AnalyticsReports/SAP Sales Order daily extract - Shortcut (2).lnk,User Name: sampleuser10,Domain Name: SMPL,Action Type: ,File size (bytes): 2283,Device ID:",
 "ServerName": "SERVER37",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3276,7 +3276,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:42:15 SAMPLE0007 SymantecServer: sam128102,10.221.238.121,Blocked, - Caller MD5=c25cf941ee6c7927c0a2ab0cb7fabe0b,File Read,Begin: 2020-11-11 23:20:50,End Time: 2020-11-11 23:20:50,Rule: All Applications | lnk,4636,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER54/APPS/APPS (SAMPLESERVER815.uk.consignia.com)/target.lnk,User Name: sampleuser012,Domain Name: SMPL,Action Type: ,File size (bytes): 1424,Device ID: ",
+ "SyslogMessage": "sam128102,10.221.238.121,Blocked, - Caller MD5=c25cf941ee6c7927c0a2ab0cb7fabe0b,File Read,Begin: 2020-11-11 23:20:50,End Time: 2020-11-11 23:20:50,Rule: All Applications | lnk,4636,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER54/APPS/APPS (SAMPLESERVER815.uk.consignia.com)/target.lnk,User Name: sampleuser012,Domain Name: SMPL,Action Type: ,File size (bytes): 1424,Device ID:",
 "ServerName": "SERVER38",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3339,7 +3339,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:07:31 SAMPLE0007 SymantecServer: sam229093,10.221.238.68,Blocked, - Caller MD5=cf4a6104a1b8567f26cca894a84ec8d2,File Read,Begin: 2020-11-12 09:21:13,End Time: 2020-11-12 09:21:13,Rule: All Applications | lnk,15116,C:/Program Files (x86)/Microsoft Office/root/Office16/OUTLOOK.EXE,0,No Module Name,//SAMPLESERVER5124.uk.consignia.com/sampleuser021/google_plus image 2.JPG - Shortcut.lnk,User Name: sampleuser021,Domain Name: SMPL,Action Type: ,File size (bytes): 1052,Device ID: ",
+ "SyslogMessage": "sam229093,10.221.238.68,Blocked, - Caller MD5=cf4a6104a1b8567f26cca894a84ec8d2,File Read,Begin: 2020-11-12 09:21:13,End Time: 2020-11-12 09:21:13,Rule: All Applications | lnk,15116,C:/Program Files (x86)/Microsoft Office/root/Office16/OUTLOOK.EXE,0,No Module Name,//SAMPLESERVER5124.uk.consignia.com/sampleuser021/google_plus image 2.JPG - Shortcut.lnk,User Name: sampleuser021,Domain Name: SMPL,Action Type: ,File size (bytes): 1052,Device ID:",
 "ServerName": "SERVER40",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3402,7 +3402,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:48:57 SAMPLE0007 SymantecServer: sam641400,10.221.235.9,Blocked, - Caller MD5=e883b381fdad6e3125938dcb4ea798bb,File Read,Begin: 2020-11-12 09:13:23,End Time: 2020-11-12 09:13:23,Rule: All Applications | lnk,9872,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER99.uk.consignia.com/teamdirsrmuk/Production Control/Shortcut to Schedules.lnk,User Name: sampleuser014,Domain Name: SMPL,Action Type: ,File size (bytes): 1702,Device ID: ",
+ "SyslogMessage": "sam641400,10.221.235.9,Blocked, - Caller MD5=e883b381fdad6e3125938dcb4ea798bb,File Read,Begin: 2020-11-12 09:13:23,End Time: 2020-11-12 09:13:23,Rule: All Applications | lnk,9872,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER99.uk.consignia.com/teamdirsrmuk/Production Control/Shortcut to Schedules.lnk,User Name: sampleuser014,Domain Name: SMPL,Action Type: ,File size (bytes): 1702,Device ID:",
 "ServerName": "SERVER41",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3465,7 +3465,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:02:16 SAMPLE0007 SymantecServer: sam894693,10.221.253.149,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 04:26:45,End Time: 2020-11-12 04:26:45,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,21068,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam894693,10.221.253.149,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 04:26:45,End Time: 2020-11-12 04:26:45,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,21068,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER45",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3528,7 +3528,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:02:16 SAMPLE0007 SymantecServer: sam363489,10.221.253.149,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 04:29:07,End Time: 2020-11-12 04:29:07,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,23840,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam363489,10.221.253.149,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 04:29:07,End Time: 2020-11-12 04:29:07,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,23840,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER46",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3591,7 +3591,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:48:17 SAMPLE0007 SymantecServer: sam196136,10.221.252.252,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:22:22,End Time: 2020-11-12 09:22:22,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,16464,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam196136,10.221.252.252,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:22:22,End Time: 2020-11-12 09:22:22,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,16464,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER53",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3654,7 +3654,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:52:55 SAMPLE0003 SymantecServer: sam144687,10.41.239.34,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-11 23:36:24,End Time: 2020-11-11 23:36:24,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,12900,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Internet Explorer/Toolbar,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam144687,10.41.239.34,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-11 23:36:24,End Time: 2020-11-11 23:36:24,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,12900,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Internet Explorer/Toolbar,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER55",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3717,7 +3717,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:52:55 SAMPLE0003 SymantecServer: sam572633,10.41.239.34,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-11 23:38:47,End Time: 2020-11-11 23:38:47,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,3932,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam572633,10.41.239.34,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-11 23:38:47,End Time: 2020-11-11 23:38:47,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,3932,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER56",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3780,7 +3780,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:23:17 SAMPLE0007 SymantecServer: sam336777,10.222.225.146,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 08:48:47,End Time: 2020-11-12 08:48:47,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,15064,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam336777,10.222.225.146,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 08:48:47,End Time: 2020-11-12 08:48:47,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,15064,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER57",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3843,7 +3843,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:28:16 SAMPLE0007 SymantecServer: sam590578,10.221.236.103,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=URLRedirectionBHO - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 05:08:58,End Time: 2020-11-12 05:08:58,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,17492,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{B4F3A835-0E21-4959-BA22-42B3008E02FF}/,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam590578,10.221.236.103,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=URLRedirectionBHO - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 05:08:58,End Time: 2020-11-12 05:08:58,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,17492,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{B4F3A835-0E21-4959-BA22-42B3008E02FF}/,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER60",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3906,7 +3906,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:28:16 SAMPLE0007 SymantecServer: sam151538,10.221.236.103,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 05:12:59,End Time: 2020-11-12 05:12:59,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,17492,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{B4F3A835-0E21-4959-BA22-42B3008E02FF}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam151538,10.221.236.103,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 05:12:59,End Time: 2020-11-12 05:12:59,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,17492,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{B4F3A835-0E21-4959-BA22-42B3008E02FF}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER61",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -3969,7 +3969,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:23:09 SAMPLE0003 SymantecServer: sam457558,10.6.120.106,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 08:55:03,End Time: 2020-11-12 08:55:03,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,13748,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam457558,10.6.120.106,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Registry Value=0x1 - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 08:55:03,End Time: 2020-11-12 08:55:03,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,13748,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{F4971EE7-DAA0-4053-9964-665D8EE6A077}/NoExplorer,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER63",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4032,7 +4032,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:23:09 SAMPLE0003 SymantecServer: sam580251,10.6.120.106,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Registry Value=00 - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 08:52:58,End Time: 2020-11-12 08:52:58,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,11208,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/WOW6432Node/Microsoft/Internet Explorer/Toolbar/{47833539-D0C5-4125-9FA8-0819E2EAAC93},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam580251,10.6.120.106,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Registry Value=00 - Caller MD5=51dfba4d2992da8320fc23b9d648f069,Registry Write,Begin: 2020-11-12 08:52:58,End Time: 2020-11-12 08:52:58,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,11208,C:/Windows/System32/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/WOW6432Node/Microsoft/Internet Explorer/Toolbar/{47833539-D0C5-4125-9FA8-0819E2EAAC93},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER64",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4095,7 +4095,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:44:10 SAMPLE0007 SymantecServer: sam177868,10.222.225.221,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:31:23,End Time: 2020-11-12 09:31:23,Rule: All Applications | lnk,6492,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER26.uk.consignia.com/publicbcm/Commercial Pricing/Desktop - Shortcut (3).lnk,User Name: sampleuser043,Domain Name: SMPL,Action Type: ,File size (bytes): 924,Device ID: ",
+ "SyslogMessage": "sam177868,10.222.225.221,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:31:23,End Time: 2020-11-12 09:31:23,Rule: All Applications | lnk,6492,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER26.uk.consignia.com/publicbcm/Commercial Pricing/Desktop - Shortcut (3).lnk,User Name: sampleuser043,Domain Name: SMPL,Action Type: ,File size (bytes): 924,Device ID:",
 "ServerName": "SERVER66",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4158,7 +4158,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:12:11 SAMPLE0003 SymantecServer: sam331451,10.221.229.163,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:19:09,End Time: 2020-11-12 09:20:07,Rule: All Applications | lnk,10468,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/PUBLICTS (SAMPLEDC03.uk.consignia.com) (P) - Shortcut.lnk,User Name: sampleuser039,Domain Name: SMPL,Action Type: ,File size (bytes): 668,Device ID: ",
+ "SyslogMessage": "sam331451,10.221.229.163,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:19:09,End Time: 2020-11-12 09:20:07,Rule: All Applications | lnk,10468,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC03.uk.consignia.com/TeamdirsTS/PUBLICTS (SAMPLEDC03.uk.consignia.com) (P) - Shortcut.lnk,User Name: sampleuser039,Domain Name: SMPL,Action Type: ,File size (bytes): 668,Device ID:",
 "ServerName": "SERVER68",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4221,7 +4221,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:11:43 SAMPLE0003 SymantecServer: sam374294,10.222.253.79,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:05:32,End Time: 2020-11-12 05:06:07,Rule: All Applications | lnk,9248,C:/Windows/explorer.exe,0,No Module Name,//portal.abccompany.com@ssl/sites/A2046/Shared Documents/Pallets/Palletways Invoices - Shortcut.lnk,User Name: sampleuser3,Domain Name: SMPL,Action Type: ,File size (bytes): 1061,Device ID: ",
+ "SyslogMessage": "sam374294,10.222.253.79,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:05:32,End Time: 2020-11-12 05:06:07,Rule: All Applications | lnk,9248,C:/Windows/explorer.exe,0,No Module Name,//portal.abccompany.com@ssl/sites/A2046/Shared Documents/Pallets/Palletways Invoices - Shortcut.lnk,User Name: sampleuser3,Domain Name: SMPL,Action Type: ,File size (bytes): 1061,Device ID:",
 "ServerName": "SERVER69",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4284,7 +4284,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:20:16 SAMPLE0007 SymantecServer: sam347379,10.128.15.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:42:47,End Time: 2020-11-12 04:42:47,Rule: All Applications | lnk,9920,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER434.uk.consignia.com/TeamDirsPFW/TeamDirsPFW (SAMPLESERVER434.uk.consignia.com) (T) - Shortcut.lnk,User Name: sampleuser043,Domain Name: SMPL,Action Type: ,File size (bytes): 1586,Device ID: ",
+ "SyslogMessage": "sam347379,10.128.15.109,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:42:47,End Time: 2020-11-12 04:42:47,Rule: All Applications | lnk,9920,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER434.uk.consignia.com/TeamDirsPFW/TeamDirsPFW (SAMPLESERVER434.uk.consignia.com) (T) - Shortcut.lnk,User Name: sampleuser043,Domain Name: SMPL,Action Type: ,File size (bytes): 1586,Device ID:",
 "ServerName": "SERVER70",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4347,7 +4347,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:13:23 SAMPLE0003 SymantecServer: sam538635,10.125.80.92,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 14:05:45,End Time: 2020-11-11 14:05:46,Rule: All Applications | lnk,8656,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER84.uk.consignia.com/PublicLS/NDC Performance Report/Daily Shift Report/Short Interval Control - All Streams/Computer - Shortcut.lnk,User Name: sampleuser024,Domain Name: SMPL,Action Type: ,File size (bytes): 355,Device ID: ",
+ "SyslogMessage": "sam538635,10.125.80.92,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 14:05:45,End Time: 2020-11-11 14:05:46,Rule: All Applications | lnk,8656,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER84.uk.consignia.com/PublicLS/NDC Performance Report/Daily Shift Report/Short Interval Control - All Streams/Computer - Shortcut.lnk,User Name: sampleuser024,Domain Name: SMPL,Action Type: ,File size (bytes): 355,Device ID:",
 "ServerName": "SERVER71",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4410,7 +4410,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:53:54 SAMPLE0007 SymantecServer: sam327852,10.120.34.153,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:48:28,End Time: 2020-11-11 23:48:28,Rule: All Applications | lnk,3696,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER881.uk.consignia.com/PublicPFW/NH Control Room Reports (CV34PFDC1PublicPW) (Y) - Shortcut.lnk,User Name: sampleuser038,Domain Name: SMPL,Action Type: ,File size (bytes): 674,Device ID: ",
+ "SyslogMessage": "sam327852,10.120.34.153,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:48:28,End Time: 2020-11-11 23:48:28,Rule: All Applications | lnk,3696,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER881.uk.consignia.com/PublicPFW/NH Control Room Reports (CV34PFDC1PublicPW) (Y) - Shortcut.lnk,User Name: sampleuser038,Domain Name: SMPL,Action Type: ,File size (bytes): 674,Device ID:",
 "ServerName": "SERVER72",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4473,7 +4473,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:56:50 SAMPLE0003 SymantecServer: sam922419,0.0.0.0,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=afce1abbf5369c6f3971d8031f9b42f4,Registry Write,Begin: 2020-11-12 09:24:06,End Time: 2020-11-12 09:24:07,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,5240,C:/Program Files (x86)/Microsoft Office/root/Integration/Integrator.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{31D09BA0-12F5-4CCE-BE8A-2923E76605DA},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam922419,0.0.0.0,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=afce1abbf5369c6f3971d8031f9b42f4,Registry Write,Begin: 2020-11-12 09:24:06,End Time: 2020-11-12 09:24:07,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,5240,C:/Program Files (x86)/Microsoft Office/root/Integration/Integrator.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects/{31D09BA0-12F5-4CCE-BE8A-2923E76605DA},User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER73",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4536,7 +4536,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:32:56 SAMPLE0007 SymantecServer: sam594804,10.222.225.15,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:30:17,End Time: 2020-11-12 05:30:17,Rule: All Applications | lnk,8640,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC01/PublicRMUK/Addressograph - Shortcut.lnk,User Name: sampleuser84,Domain Name: SMPL,Action Type: ,File size (bytes): 746,Device ID: ",
+ "SyslogMessage": "sam594804,10.222.225.15,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:30:17,End Time: 2020-11-12 05:30:17,Rule: All Applications | lnk,8640,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC01/PublicRMUK/Addressograph - Shortcut.lnk,User Name: sampleuser84,Domain Name: SMPL,Action Type: ,File size (bytes): 746,Device ID:",
 "ServerName": "SERVER75",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4599,7 +4599,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:32:56 SAMPLE0007 SymantecServer: sam783607,10.222.225.15,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:30:21,End Time: 2020-11-12 05:30:21,Rule: All Applications | lnk,8640,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC01/PublicRMUK/Google Chrome.lnk,User Name: sampleuser84,Domain Name: SMPL,Action Type: ,File size (bytes): 2553,Device ID: ",
+ "SyslogMessage": "sam783607,10.222.225.15,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 05:30:21,End Time: 2020-11-12 05:30:21,Rule: All Applications | lnk,8640,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC01/PublicRMUK/Google Chrome.lnk,User Name: sampleuser84,Domain Name: SMPL,Action Type: ,File size (bytes): 2553,Device ID:",
 "ServerName": "SERVER76",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4662,7 +4662,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:38:34 SAMPLE0003 SymantecServer: sam241264,10.53.16.114,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:06:58,End Time: 2020-11-11 23:06:58,Rule: All Applications | lnk,9496,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC05.uk.consignia.com/PUBLICRMUK/A REVENUE PROTECTION - Shortcut (2).lnk,User Name: sampleuser051,Domain Name: SMPL,Action Type: ,File size (bytes): 811,Device ID: ",
+ "SyslogMessage": "sam241264,10.53.16.114,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:06:58,End Time: 2020-11-11 23:06:58,Rule: All Applications | lnk,9496,C:/Windows/explorer.exe,0,No Module Name,//SAMPLEDC05.uk.consignia.com/PUBLICRMUK/A REVENUE PROTECTION - Shortcut (2).lnk,User Name: sampleuser051,Domain Name: SMPL,Action Type: ,File size (bytes): 811,Device ID:",
 "ServerName": "SERVER77",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4725,7 +4725,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:05:31 SAMPLE0007 SymantecServer: sam705164,192.168.0.49,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:57:24,End Time: 2020-11-12 09:57:24,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,1484,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Internet Explorer/Toolbar,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam705164,192.168.0.49,Blocked,[AC16-1.1] Prevent registration of new Toolbars - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:57:24,End Time: 2020-11-12 09:57:24,Rule: Prevent registration of new Toolbars | [AC16-1.1] Prevent registration of new Toolbars,1484,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Internet Explorer/Toolbar,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER78",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4788,7 +4788,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:03:37 SAMPLE0007 SymantecServer: sam853690,10.222.226.176,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:39:40,End Time: 2020-11-12 08:39:40,Rule: All Applications | lnk,1408,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER811/security vetting/Security Vetting Team/Disclosure Scotland Process/DS PROCESS/Angard/DS PROCESS - Shortcut.lnk,User Name: sampleuser015,Domain Name: SMPL,Action Type: ,File size (bytes): 1228,Device ID: ",
+ "SyslogMessage": "sam853690,10.222.226.176,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 08:39:40,End Time: 2020-11-12 08:39:40,Rule: All Applications | lnk,1408,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER811/security vetting/Security Vetting Team/Disclosure Scotland Process/DS PROCESS/Angard/DS PROCESS - Shortcut.lnk,User Name: sampleuser015,Domain Name: SMPL,Action Type: ,File size (bytes): 1228,Device ID:",
 "ServerName": "SERVER79",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4851,7 +4851,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:11:51 SAMPLE0007 SymantecServer: sam490585,10.222.255.230,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:49:06,End Time: 2020-11-12 09:49:06,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,1840,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "sam490585,10.222.255.230,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=747c6064888f11f5431b34a422780650,Registry Write,Begin: 2020-11-12 09:49:06,End Time: 2020-11-12 09:49:06,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,1840,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER80",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4914,7 +4914,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:12:11 SAMPLE0003 SymantecServer: sam170802,10.54.37.127,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:45:55,End Time: 2020-11-12 09:45:56,Rule: All Applications | lnk,10280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/teamdirsts/OSDisk (C) - Shortcut (2).lnk,User Name: sampleuser15,Domain Name: SMPL,Action Type: ,File size (bytes): 456,Device ID: ",
+ "SyslogMessage": "sam170802,10.54.37.127,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:45:55,End Time: 2020-11-12 09:45:56,Rule: All Applications | lnk,10280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/teamdirsts/OSDisk (C) - Shortcut (2).lnk,User Name: sampleuser15,Domain Name: SMPL,Action Type: ,File size (bytes): 456,Device ID:",
 "ServerName": "SERVER82",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -4977,7 +4977,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:12:11 SAMPLE0003 SymantecServer: sam241290,10.54.37.127,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:45:56,End Time: 2020-11-12 09:45:56,Rule: All Applications | lnk,10280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/teamdirsts/teamdirsrmuk (w1t1hqdc1.uk.consignia.com) (Y) - Shortcut.lnk,User Name: sampleuser15,Domain Name: SMPL,Action Type: ,File size (bytes): 517,Device ID: ",
+ "SyslogMessage": "sam241290,10.54.37.127,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 09:45:56,End Time: 2020-11-12 09:45:56,Rule: All Applications | lnk,10280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER815.uk.consignia.com/teamdirsts/teamdirsrmuk (w1t1hqdc1.uk.consignia.com) (Y) - Shortcut.lnk,User Name: sampleuser15,Domain Name: SMPL,Action Type: ,File size (bytes): 517,Device ID:",
 "ServerName": "SERVER83",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5040,7 +5040,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:31:39 SAMPLE0003 SymantecServer: SERVER1,10.6.127.158,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=f9a3eee1c3a4067702bc9a59bc894285,Registry Write,Begin: 2020-11-12 04:44:41,End Time: 2020-11-12 04:44:41,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,27672,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: NT AUTHORITY,Action Type: ,File size (bytes): 0,Device ID: ",
+ "SyslogMessage": "SERVER1,10.6.127.158,Blocked,[AC15-1.1] Prevent registration of new Browser Helper Objects - Caller MD5=f9a3eee1c3a4067702bc9a59bc894285,Registry Write,Begin: 2020-11-12 04:44:41,End Time: 2020-11-12 04:44:41,Rule: Prevent registration of new Browser Helper Objects | [AC15-1.1] Prevent registration of new Browser Helper Objects,27672,C:/Windows/SysWOW64/msiexec.exe,0,No Module Name,/REGISTRY/MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects,User Name: SYSTEM,Domain Name: NT AUTHORITY,Action Type: ,File size (bytes): 0,Device ID:",
 "ServerName": "SERVER1",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5103,7 +5103,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:11:23 SAMPLE0003 SymantecServer: SERVER2,10.11.11.11,Blocked, - Caller MD5=47ea9e0efb7dbfbsfeba368sfdfd25b,File Read,Begin: 2020-11-11 19:50:25,End Time: 2020-11-11 19:50:25,Rule: All Applications | lnk,1928,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER230.uk.consignia.com/TeamdirsPFW/CD Drive - Shortcut (2).lnk,User Name: sampleuser02,Domain Name: SMPL,Action Type: ,File size (bytes): 443,Device ID: ",
+ "SyslogMessage": "SERVER2,10.11.11.11,Blocked, - Caller MD5=47ea9e0efb7dbfbsfeba368sfdfd25b,File Read,Begin: 2020-11-11 19:50:25,End Time: 2020-11-11 19:50:25,Rule: All Applications | lnk,1928,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER230.uk.consignia.com/TeamdirsPFW/CD Drive - Shortcut (2).lnk,User Name: sampleuser02,Domain Name: SMPL,Action Type: ,File size (bytes): 443,Device ID:",
 "ServerName": "SERVER2",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5166,7 +5166,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:57:15 SAMPLE0007 SymantecServer: SERVER3,10.45.71.176,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:47:17,End Time: 2020-11-11 23:47:17,Rule: All Applications | lnk,9684,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER55/publicrmuk/OSDisk (C) - Shortcut.lnk,User Name: sampleuser18,Domain Name: SMPL,Action Type: ,File size (bytes): 513,Device ID: ",
+ "SyslogMessage": "SERVER3,10.45.71.176,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:47:17,End Time: 2020-11-11 23:47:17,Rule: All Applications | lnk,9684,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER55/publicrmuk/OSDisk (C) - Shortcut.lnk,User Name: sampleuser18,Domain Name: SMPL,Action Type: ,File size (bytes): 513,Device ID:",
 "ServerName": "SERVER3",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
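Review bot: The `Caller MD5=47ea9e0efb7dbfbsfeba368sfdfd25b` value carried over onto the `+` line of the first hunk here (the `SERVER2` record) is not a well-formed MD5: it is 31 characters and contains non-hex `s`, unlike every other record in this file. If the parser pulls the hash out with a pattern that expects 32 hex characters, this record will yield an empty or truncated hash field, so the fixture silently stops covering the hash-extraction path for that entry. If that is meant as a negative case it should say so next to the record; otherwise replace it with a constructed 32-hex placeholder such as `00000000000000000000000000000000` (sample value) so the record parses like its neighbours.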
@@ -5229,7 +5229,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:58:35 SAMPLE0007 SymantecServer: SERVER4,10.29.70.101,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:18:40,End Time: 2020-11-11 23:18:40,Rule: All Applications | lnk,10708,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER63/fileshare/RMUK/TeamDirsRMUK/SEABOS/ANNUAL LEAVE 2013-2014 - Shortcut (2).lnk,User Name: sampleuser19,Domain Name: SMPL,Action Type: ,File size (bytes): 962,Device ID: ",
+ "SyslogMessage": "SERVER4,10.29.70.101,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-11 23:18:40,End Time: 2020-11-11 23:18:40,Rule: All Applications | lnk,10708,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER63/fileshare/RMUK/TeamDirsRMUK/SEABOS/ANNUAL LEAVE 2013-2014 - Shortcut (2).lnk,User Name: sampleuser19,Domain Name: SMPL,Action Type: ,File size (bytes): 962,Device ID:",
 "ServerName": "SERVER4",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5292,7 +5292,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:18:03 SAMPLE0007 SymantecServer: SERVER5,10.54.78.41,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:59:54,End Time: 2020-11-12 05:00:36,Rule: All Applications | lnk,10824,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER727.uk.consignia.com/TeamdirsLS/REALTIME GATE SHEETS/publicls (SAMPLESERVER5424.uk.consignia.com) (Z) - Shortcut.lnk,User Name: sampleuser048,Domain Name: SMPL,Action Type: ,File size (bytes): 509,Device ID: ",
+ "SyslogMessage": "SERVER5,10.54.78.41,Blocked, - Caller MD5=47ea9e07b7dbfbeba368bd95a3a2d25b,File Read,Begin: 2020-11-12 04:59:54,End Time: 2020-11-12 05:00:36,Rule: All Applications | lnk,10824,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER727.uk.consignia.com/TeamdirsLS/REALTIME GATE SHEETS/publicls (SAMPLESERVER5424.uk.consignia.com) (Z) - Shortcut.lnk,User Name: sampleuser048,Domain Name: SMPL,Action Type: ,File size (bytes): 509,Device ID:",
 "ServerName": "SERVER5",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5355,7 +5355,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:39:15 SAMPLE0007 SymantecServer: SERVER6,10.64.60.52,Blocked, - Caller MD5=e1cb52c97c27f702cc96cf886b67fb8b,File Read,Begin: 2020-11-11 22:44:22,End Time: 2020-11-11 22:44:23,Rule: All Applications | lnk,9280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER857/TeamDirsRMUK1/Recording/Despatch sheets - Shortcut.lnk,User Name: sampleuser11,Domain Name: SMPL,Action Type: ,File size (bytes): 914,Device ID: ",
+ "SyslogMessage": "SERVER6,10.64.60.52,Blocked, - Caller MD5=e1cb52c97c27f702cc96cf886b67fb8b,File Read,Begin: 2020-11-11 22:44:22,End Time: 2020-11-11 22:44:23,Rule: All Applications | lnk,9280,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER857/TeamDirsRMUK1/Recording/Despatch sheets - Shortcut.lnk,User Name: sampleuser11,Domain Name: SMPL,Action Type: ,File size (bytes): 914,Device ID:",
 "ServerName": "SERVER6",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5418,7 +5418,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:32:54 SAMPLE0007 SymantecServer: T1015567,10.33.92.117,Blocked, - Caller MD5=3d0ca8c2a2c4db230975e486200a7da4,File Read,Begin: 2020-11-11 23:28:24,End Time: 2020-11-11 23:28:24,Rule: All Applications | lnk,4148,C:/Users/sampleuser200/AppData/Local/Google/Chrome/User Data/SwReporter/86.249.200/software_reporter_tool.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/IMP 7 & 8 Team Green - Shortcut.lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 2340,Device ID: ",
+ "SyslogMessage": "T1015567,10.33.92.117,Blocked, - Caller MD5=3d0ca8c2a2c4db230975e486200a7da4,File Read,Begin: 2020-11-11 23:28:24,End Time: 2020-11-11 23:28:24,Rule: All Applications | lnk,4148,C:/Users/sampleuser200/AppData/Local/Google/Chrome/User Data/SwReporter/86.249.200/software_reporter_tool.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/IMP 7 & 8 Team Green - Shortcut.lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 2340,Device ID:",
 "ServerName": "T1015567",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5481,7 +5481,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:32:54 SAMPLE0007 SymantecServer: T1015567,0.0.0.0,Blocked, - Caller MD5=c10a66189dc8c090e7c84873edcebc88,File Read,Begin: 2020-11-11 23:27:16,End Time: 2020-11-11 23:27:16,Rule: All Applications | lnk,7996,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/Leeds MC Engineers (ls101azfp1TeamDirsRMUK) (Z) - Shortcut (2).lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 2003,Device ID: ",
+ "SyslogMessage": "T1015567,0.0.0.0,Blocked, - Caller MD5=c10a66189dc8c090e7c84873edcebc88,File Read,Begin: 2020-11-11 23:27:16,End Time: 2020-11-11 23:27:16,Rule: All Applications | lnk,7996,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/Leeds MC Engineers (ls101azfp1TeamDirsRMUK) (Z) - Shortcut (2).lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 2003,Device ID:",
 "ServerName": "T1015567",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5544,7 +5544,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 23:32:54 SAMPLE0007 SymantecServer: T1015567,10.33.92.117,Blocked, - Caller MD5=c10a66189dc8c090e7c84873edcebc88,File Read,Begin: 2020-11-11 23:27:23,End Time: 2020-11-11 23:27:24,Rule: All Applications | lnk,7996,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/publicrmuk (ls101azfp1) (Y) - Shortcut.lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 593,Device ID: ",
+ "SyslogMessage": "T1015567,10.33.92.117,Blocked, - Caller MD5=c10a66189dc8c090e7c84873edcebc88,File Read,Begin: 2020-11-11 23:27:23,End Time: 2020-11-11 23:27:24,Rule: All Applications | lnk,7996,C:/Windows/explorer.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/sampleuser200/Desktop/publicrmuk (ls101azfp1) (Y) - Shortcut.lnk,User Name: sampleuser200,Domain Name: SMPL,Action Type: ,File size (bytes): 593,Device ID:",
 "ServerName": "T1015567",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5607,7 +5607,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:48:10 SAMPLE0007 SymantecServer: T1015648,10.222.225.125,Allowed, - Caller MD5=e3a2ad05e24105b35e986cf9cb38ec47,File Delete,Begin: 2020-11-12 09:43:36,End Time: 2020-11-12 09:43:36,Rule: All Applications | lnk,4552,C:/Windows/System32/svchost.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/stephen.crick/Desktop/XP Drives.lnk,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 1707,Device ID: ",
+ "SyslogMessage": "T1015648,10.222.225.125,Allowed, - Caller MD5=e3a2ad05e24105b35e986cf9cb38ec47,File Delete,Begin: 2020-11-12 09:43:36,End Time: 2020-11-12 09:43:36,Rule: All Applications | lnk,4552,C:/Windows/System32/svchost.exe,0,No Module Name,//SAMPLESERVER3232.sample.abccompany.com/USERS$/stephen.crick/Desktop/XP Drives.lnk,User Name: SYSTEM,Domain Name: SMPL,Action Type: ,File size (bytes): 1707,Device ID:",
 "ServerName": "T1015648",
 "LogType": "Agent Behavior Logs",
 "SiteName": "",
@@ -5670,7 +5670,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 00:49:54 SAMPLE0007 SymantecServer: SERVER02,Category: 2,LiveUpdate Manager,Event Description: An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error: Security check failed (204),Event time: 2020-11-12 00:05:30,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "SERVER02,Category: 2,LiveUpdate Manager,Event Description: An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error: Security check failed (204),Event time: 2020-11-12 00:05:30,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER02",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -5733,7 +5733,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 03:38:35 SAMPLE0007 SymantecServer: SERVER05,Category: 2,REP,Event Description: Reputation check for unproven files failed because of network errors for the last 3 days.,Event time: 2020-11-12 03:31:55,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "SERVER05,Category: 2,REP,Event Description: Reputation check for unproven files failed because of network errors for the last 3 days.,Event time: 2020-11-12 03:31:55,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER05",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -5796,7 +5796,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 00:39:14 SAMPLE0007 SymantecServer: sam566623,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0004.sample.abccompany.com:443/content/{67F66706-F04B-4432-9947-F8354949D2A6}sam56662322/xdelta201110022_To_201111002.dax,Event time: 2020-11-11 22:39:14,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "sam566623,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0004.sample.abccompany.com:443/content/{67F66706-F04B-4432-9947-F8354949D2A6}sam56662322/xdelta201110022_To_201111002.dax,Event time: 2020-11-11 22:39:14,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER13",
 "LogType": "Agent System Logs",
 "SiteName": "",
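Review bot: In the second hunk (@@ -5796) the expected `"ServerName": "SERVER13"` cannot be derived from the new message, whose leading field is `sam566623`, whereas every Agent Behavior Logs fixture above expects that leading field verbatim; the same mismatch recurs in the Agent System Logs hunks @@ -5859 through @@ -7686. This looks like a redaction artifact rather than intended parser output, since no other part of the message carries a SERVERnn value. If the test harness asserts on ServerName, these entries either fail or are not actually being compared; please verify against the parser and either change the expected value to `sam566623` or document how ServerName is derived for this log type.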
@@ -5859,7 +5859,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 00:51:16 SAMPLE0003 SymantecServer: sam641606,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 14:21:12,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "sam641606,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 14:21:12,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER16",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -5922,7 +5922,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:04:07 SAMPLE0003 SymantecServer: sam660204,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0004.sample.abccompany.com:443/content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam66020402/xdelta201107002_To_201111002.dax,Event time: 2020-11-11 15:18:49,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "sam660204,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0004.sample.abccompany.com:443/content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam66020402/xdelta201107002_To_201111002.dax,Event time: 2020-11-11 15:18:49,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER18",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -5985,7 +5985,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:42:46 SAMPLE0003 SymantecServer: sam485631,Category: 2,REP,Event Description: Reputation check for unproven files failed because of network errors for the last 3 days.,Event time: 2020-11-12 07:34:33,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
+ "SyslogMessage": "sam485631,Category: 2,REP,Event Description: Reputation check for unproven files failed because of network errors for the last 3 days.,Event time: 2020-11-12 07:34:33,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Desktops",
 "ServerName": "SERVER22",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6048,7 +6048,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 00:56:55 SAMPLE0007 SymantecServer: sam972422,Category: 2,LiveUpdate Manager,Event Description: The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: 2020-11-12 00:56:30,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Devices marked Disabled",
+ "SyslogMessage": "sam972422,Category: 2,LiveUpdate Manager,Event Description: The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: 2020-11-12 00:56:30,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Devices marked Disabled",
 "ServerName": "SERVER23",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6111,7 +6111,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:03:55 SAMPLE0007 SymantecServer: sam972422,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:05:26,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Desktops - Production",
+ "SyslogMessage": "sam972422,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:05:26,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Desktops - Production",
 "ServerName": "SERVER24",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6174,7 +6174,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:03:27 SAMPLE0007 SymantecServer: sam343945,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 16:40:32,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "sam343945,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 16:40:32,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "SERVER27",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6237,7 +6237,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:02:07 SAMPLE0003 SymantecServer: sam901264,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:01:38,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam901264,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:01:38,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER28",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6300,7 +6300,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:42:36 SAMPLE0007 SymantecServer: sam338293,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{810D5A61-809F-49c2-BD75-177F0647D2BA}sam33829307/xdelta201110007_To_201110009.dax,Event time: 2020-11-12 07:40:52,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam338293,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{810D5A61-809F-49c2-BD75-177F0647D2BA}sam33829307/xdelta201110007_To_201110009.dax,Event time: 2020-11-12 07:40:52,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER29",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6363,7 +6363,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:57:42 SAMPLE0003 SymantecServer: sam890610,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:57:17,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam890610,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:57:17,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER33",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6426,7 +6426,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:02:56 SAMPLE0007 SymantecServer: sam262818,Category: 0,CVE,Event Description: Failed to contact server for more than 10 times.,Event time: 2020-11-12 07:50:22,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam262818,Category: 0,CVE,Event Description: Failed to contact server for more than 10 times.,Event time: 2020-11-12 07:50:22,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER36",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6489,7 +6489,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 03:43:35 SAMPLE0007 SymantecServer: sam262514,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 03:43:09,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam262514,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 03:43:09,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER39",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6552,7 +6552,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:41:27 SAMPLE0007 SymantecServer: sam688557,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:40:14,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam688557,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:40:14,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER42",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6615,7 +6615,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:14:01 SAMPLE0003 SymantecServer: sam270750,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 17:44:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam270750,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 17:44:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER43",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6678,7 +6678,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:39:47 SAMPLE0007 SymantecServer: sam458544,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 15:18:33,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam458544,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 15:18:33,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER44",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6741,7 +6741,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:48:16 SAMPLE0007 SymantecServer: sam489964,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:44:36,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam489964,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:44:36,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER47",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6804,7 +6804,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:04:02 SAMPLE0003 SymantecServer: sam724576,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:03:08,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam724576,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:03:08,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER48",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6867,7 +6867,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:15:55 SAMPLE0007 SymantecServer: sam484276,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0008.sample.abccompany.com:443/content/{67F66706-F04B-4432-9947-F8354949D2A6}sam48427622/xdelta201110022_To_201111002.dax,Event time: 2020-11-12 04:13:58,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam484276,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0008.sample.abccompany.com:443/content/{67F66706-F04B-4432-9947-F8354949D2A6}sam48427622/xdelta201110022_To_201111002.dax,Event time: 2020-11-12 04:13:58,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER49",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6930,7 +6930,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:50:26 SAMPLE0003 SymantecServer: sam766017,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:48:37,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam766017,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:48:37,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER50",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -6993,7 +6993,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:49:46 SAMPLE0003 SymantecServer: sam361890,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-08 11:35:13,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam361890,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-08 11:35:13,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER51",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7056,7 +7056,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:11:47 SAMPLE0007 SymantecServer: sam428525,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{810D5A61-809F-49c2-BD75-177F0647D2BA}sam42852506/xdelta201111006_To_201111008.dax,Event time: 2020-11-12 08:09:50,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "sam428525,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{810D5A61-809F-49c2-BD75-177F0647D2BA}sam42852506/xdelta201111006_To_201111008.dax,Event time: 2020-11-12 08:09:50,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "SERVER52",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7119,7 +7119,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:07:01 SAMPLE0003 SymantecServer: sam469959,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:02:45,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam469959,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:02:45,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER54",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7182,7 +7182,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:40:27 SAMPLE0007 SymantecServer: sam721905,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:24:12,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "sam721905,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:24:12,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "SERVER58",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7245,7 +7245,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:43:46 SAMPLE0003 SymantecServer: sam729772,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:29:19,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam729772,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:29:19,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER59",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7308,7 +7308,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:44:42 SAMPLE0003 SymantecServer: sam846040,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.105.48.60:443/content/{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}sam84604009/xdelta201106009_To_201110016.dax,Event time: 2020-11-12 07:43:49,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam846040,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.105.48.60:443/content/{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}sam84604009/xdelta201106009_To_201110016.dax,Event time: 2020-11-12 07:43:49,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER62",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7371,7 +7371,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:12:35 SAMPLE0007 SymantecServer: sam590553,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:12:15,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam590553,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:12:15,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER65",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7434,7 +7434,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:01:47 SAMPLE0007 SymantecServer: sam552870,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:01:22,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam552870,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 08:01:22,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER67",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7497,7 +7497,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:11:01 SAMPLE0007 SymantecServer: sam981480,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:09:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam981480,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 04:09:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER74",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7560,7 +7560,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:55:47 SAMPLE0007 SymantecServer: sam326291,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:55:21,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam326291,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 07:55:21,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER81",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7623,7 +7623,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:40:42 SAMPLE0003 SymantecServer: sam894744,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.105.48.60:443/content/{0A4513F4-5EC7-4ED2-B100-538C75C0D87A}sam89474461/xdelta201110061_To_201111061.dax,Event time: 2020-11-12 07:14:13,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
+ "SyslogMessage": "sam894744,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.105.48.60:443/content/{0A4513F4-5EC7-4ED2-B100-538C75C0D87A}sam89474461/xdelta201110061_To_201111061.dax,Event time: 2020-11-12 07:14:13,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Windows 10 Devices\\Laptops",
 "ServerName": "SERVER84",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7686,7 +7686,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:10:16 SAMPLE0007 SymantecServer: sam181189,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 17:28:25,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "sam181189,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-11 17:28:25,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "SERVER85",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7749,7 +7749,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:08:15 SAMPLE0007 SymantecServer: T1015296,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/TempCache/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam79980102/xdelta201105002_To_201111002.dax,Event time: 2020-11-12 03:46:50,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "T1015296,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/TempCache/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam79980102/xdelta201105002_To_201111002.dax,Event time: 2020-11-12 03:46:50,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "T1015296",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7812,7 +7812,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:44:16 SAMPLE0007 SymantecServer: T1015517,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 06:44:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "T1015517,Category: 0,Smc,Event Description: Symantec Endpoint Protection is unable to download the newest policy from the management server.,Event time: 2020-11-12 06:44:02,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "T1015517",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7875,7 +7875,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 01:07:55 SAMPLE0007 SymantecServer: T1015649,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}sam42340909/xdelta201106009_To_201110016.dax,Event time: 2020-11-12 00:11:09,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Devices marked Disabled",
+ "SyslogMessage": "T1015649,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://SAMPLE0007.sample.abccompany.com:443/content/{E8827B4A-4F58-4dea-8C93-07B32A63D1C5}sam42340909/xdelta201106009_To_201110016.dax,Event time: 2020-11-12 00:11:09,Group Name: My Company\\SMPL - Production\\Workstations - Production\\Devices marked Disabled",
 "ServerName": "T1015649",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -7938,7 +7938,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 04:12:35 SAMPLE0007 SymantecServer: T1015652,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.107.48.95:443/content/TempCache/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam28788302/xdelta201101002_To_201111002.dax,Event time: 2020-11-12 03:26:58,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
+ "SyslogMessage": "T1015652,Category: 0,CVE,Event Description: New content update failed to download from the management server. Remote file path: https://10.107.48.95:443/content/TempCache/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}sam28788302/xdelta201101002_To_201111002.dax,Event time: 2020-11-12 03:26:58,Group Name: My Company\\SMPL - Production\\Workstations - Production\\BBP\\Laptops - Production",
 "ServerName": "T1015652",
 "LogType": "Agent System Logs",
 "SiteName": "",
@@ -8001,7 +8001,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 10:16:33 SAMPLE0007 SymantecServer: sam164727,Local Host IP: 10.136.49.37,Local Port: 23,Local Host MAC: 3052CBD8E076,Remote Host IP: 10.221.120.41,Remote Host Name: ,Remote Port: 50542,Remote Host MAC: 28AC9E7C5FD1,TCP,Inbound,Begin: 2020-11-12 09:44:54,End Time: 2020-11-12 09:44:55,Occurrences: 2,Application: ,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser21,Domain Name: SMPL,Action: Blocked,SHA-256: ,MD-5: ",
+ "SyslogMessage": "sam164727,Local Host IP: 10.136.49.37,Local Port: 23,Local Host MAC: 3052CBD8E076,Remote Host IP: 10.221.120.41,Remote Host Name: ,Remote Port: 50542,Remote Host MAC: 28AC9E7C5FD1,TCP,Inbound,Begin: 2020-11-12 09:44:54,End Time: 2020-11-12 09:44:55,Occurrences: 2,Application: ,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser21,Domain Name: SMPL,Action: Blocked,SHA-256: ,MD-5:",
 "ServerName": "SERVER35",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
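Review bot: The new-side sample ends in `MD-5:` with no trailing space, whereas the removed line and every other Agent Traffic sample in this file end in `MD-5: `, the same empty-value shape the record uses for `Remote Host Name: ,`, `Application: ,` and `SHA-256: ,`. If the space was trimmed by an editor rather than on purpose, restoring it (`...Action: Blocked,SHA-256: ,MD-5: "`) keeps the fixture faithful to the wire format; if the trim is deliberate, this is now the only sample exercising a trailing empty field without its space, which is worth stating next to the sample so it is not "fixed" back later.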
@@ -8064,7 +8064,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 09:56:39 SAMPLE0007 SymantecServer: sam942897,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 34163,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 09:37:16,End Time: 2020-11-12 09:37:23,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam942897,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 34163,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 09:37:16,End Time: 2020-11-12 09:37:23,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER86",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8108,7 +8108,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
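Review bot: The expected `Sha256` in the second hunk is a floating-point rendering (`"5.38E+31"`, previously `"5.37973E+31"`) of the 64-digit hash `5379732000000000000000000000000000000000000000000000000000000000` carried in the raw message, so the fixture no longer pins the string the parser should emit, and this commit drops further digits rather than restoring them. A file hash is an opaque string even when it happens to be all decimal digits; any detection or join on `Sha256` can never match `5.38E+31`, so the expected value should read `"Sha256": "5379732000000000000000000000000000000000000000000000000000000000",`. The value looks like a spreadsheet round-trip artefact; the raw line also carries `MD-5: 53797320000000000000000000000000` while the expected `Md5` is empty, which is worth confirming against the parser in SymantecEndpointProtection.txt. The same scientific-notation value recurs in the sibling hunks below.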
@@ -8127,7 +8127,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 05:16:38 SAMPLE0007 SymantecServer: sam184219,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 44367,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 04:56:01,End Time: 2020-11-12 04:56:08,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam184219,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 44367,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 04:56:01,End Time: 2020-11-12 04:56:08,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER87",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8171,7 +8171,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8190,7 +8190,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 03:31:38 SAMPLE0007 SymantecServer: sam995487,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 40406,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 03:13:06,End Time: 2020-11-12 03:13:13,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam995487,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 40406,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 03:13:06,End Time: 2020-11-12 03:13:13,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER88",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8234,7 +8234,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8253,7 +8253,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:36:59 SAMPLE0007 SymantecServer: sam570641,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 39457,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 07:14:51,End Time: 2020-11-12 07:14:58,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam570641,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 39457,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 07:14:51,End Time: 2020-11-12 07:14:58,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER89",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8297,7 +8297,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8316,7 +8316,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 07:01:39 SAMPLE0007 SymantecServer: sam423123,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 41564,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 06:39:10,End Time: 2020-11-12 06:39:17,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam423123,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 41564,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 06:39:10,End Time: 2020-11-12 06:39:17,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER90",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8360,7 +8360,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8379,7 +8379,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 19:43:36 SAMPLE0007 SymantecServer: sam733904,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam733904,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER91",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8423,7 +8423,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8442,7 +8442,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 11 16:48:35 SAMPLE0007 SymantecServer: sam484305,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33314,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 16:27:43,End Time: 2020-11-11 16:27:50,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam484305,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33314,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 16:27:43,End Time: 2020-11-11 16:27:50,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER92",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8486,7 +8486,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8505,7 +8505,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 08:46:59 SAMPLE0007 SymantecServer: sam410815,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 36713,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 08:26:18,End Time: 2020-11-12 08:26:25,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam410815,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 36713,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 08:26:18,End Time: 2020-11-12 08:26:25,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER93",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8549,7 +8549,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8568,7 +8568,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<51>Nov 12 06:26:38 SAMPLE0007 SymantecServer: sam545666,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 44175,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 06:08:45,End Time: 2020-11-12 06:08:52,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
+ "SyslogMessage": "sam545666,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 44175,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-12 06:08:45,End Time: 2020-11-12 06:08:52,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
 "ServerName": "SERVER94",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8612,7 +8612,7 @@
 "ApplicationName": "C:/WINDOWS/system32/NTOSKRNL.EXE",
 "RuleName": "Block Unapproved Incoming Ports",
 "Location": "Default",
- "Sha256": "5.37973E+31",
+ "Sha256": "5.38E+31",
 "Md5": "",
 "IntrusionId": "",
 "CidsSignatureId": "",
@@ -8631,7 +8631,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam164061.sample.abccompany.com,Remote Port: 64747,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:42:59,End Time: 2020-11-12 08:43:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1640617ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam164061.sample.abccompany.com,Remote Port: 64747,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:42:59,End Time: 2020-11-12 08:43:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1640617ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
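Review bot: The `SHA-256` value kept on the new side of this sample, `7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1640617ab6`, is not a well-formed SHA-256: it is 65 characters long and embeds the anonymisation token `sam164061`, which is not hex. If the parser or anything downstream validates hash length or alphabet, this fixture cannot exercise that path, and a later cleanup that normalises hashes would silently change the expected output. Keeping the sample synthetic but well-formed is cheap: replace the token so the field is exactly 64 hex characters, e.g. `SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad40000000007ab6`. The other SERVER7 samples below carry the same token-embedded hash shape.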
@@ -8694,7 +8694,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam370480.sample.abccompany.com,Remote Port: 54932,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 09:08:59,End Time: 2020-11-12 09:09:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3704807ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam370480.sample.abccompany.com,Remote Port: 54932,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 09:08:59,End Time: 2020-11-12 09:09:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3704807ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8757,7 +8757,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam815913.sample.abccompany.com,Remote Port: 57061,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:36:59,End Time: 2020-11-12 08:37:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8159137ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam815913.sample.abccompany.com,Remote Port: 57061,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:36:59,End Time: 2020-11-12 08:37:02,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8159137ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8820,7 +8820,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.52,Remote Host Name: ,Remote Port: 62649,Remote Host MAC: 84A93EA8D4B8,UDP,Inbound,Begin: 2020-11-12 08:39:07,End Time: 2020-11-12 08:39:22,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6944057ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.52,Remote Host Name: ,Remote Port: 62649,Remote Host MAC: 84A93EA8D4B8,UDP,Inbound,Begin: 2020-11-12 08:39:07,End Time: 2020-11-12 08:39:22,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6944057ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8883,7 +8883,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:45:14 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam474001.sample.abccompany.com,Remote Port: 52643,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:00:58,End Time: 2020-11-11 23:01:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4740017ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam474001.sample.abccompany.com,Remote Port: 52643,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:00:58,End Time: 2020-11-11 23:01:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4740017ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -8946,7 +8946,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:45:14 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam585833.sample.abccompany.com,Remote Port: 53555,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:20:58,End Time: 2020-11-11 23:21:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5858337ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam585833.sample.abccompany.com,Remote Port: 53555,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:20:58,End Time: 2020-11-11 23:21:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5858337ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9009,7 +9009,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:45:04 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.11.103.69,Remote Host Name: ,Remote Port: 65527,Remote Host MAC: 00267390954C,UDP,Inbound,Begin: 2020-11-12 04:59:30,End Time: 2020-11-12 04:59:30,Occurrences: 2,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6694807ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.11.103.69,Remote Host Name: ,Remote Port: 65527,Remote Host MAC: 00267390954C,UDP,Inbound,Begin: 2020-11-12 04:59:30,End Time: 2020-11-12 04:59:30,Occurrences: 2,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6694807ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9072,7 +9072,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:45:04 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam344672.sample.abccompany.com,Remote Port: 63689,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:10:58,End Time: 2020-11-12 05:11:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3446727ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam344672.sample.abccompany.com,Remote Port: 63689,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:10:58,End Time: 2020-11-12 05:11:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3446727ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9135,7 +9135,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:45:04 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam151292.sample.abccompany.com,Remote Port: 62720,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:18:58,End Time: 2020-11-12 05:19:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1512927ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam151292.sample.abccompany.com,Remote Port: 62720,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:18:58,End Time: 2020-11-12 05:19:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1512927ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9198,7 +9198,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:45:04 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam700410.sample.abccompany.com,Remote Port: 50787,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:28:57,End Time: 2020-11-12 05:29:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7004107ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam700410.sample.abccompany.com,Remote Port: 50787,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:28:57,End Time: 2020-11-12 05:29:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7004107ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9261,7 +9261,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 05:45:04 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam625171.sample.abccompany.com,Remote Port: 63297,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:42:57,End Time: 2020-11-12 05:43:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6251717ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam625171.sample.abccompany.com,Remote Port: 63297,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 05:42:57,End Time: 2020-11-12 05:43:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6251717ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9324,7 +9324,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam463209.sample.abccompany.com,Remote Port: 58120,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 14:34:57,End Time: 2020-11-11 14:35:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4632097ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam463209.sample.abccompany.com,Remote Port: 58120,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 14:34:57,End Time: 2020-11-11 14:35:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4632097ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9387,7 +9387,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam236427.sample.abccompany.com,Remote Port: 54577,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 14:42:57,End Time: 2020-11-11 14:43:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam2364277ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam236427.sample.abccompany.com,Remote Port: 54577,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 14:42:57,End Time: 2020-11-11 14:43:00,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam2364277ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9450,7 +9450,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.49,Remote Host Name: sam932685.sample.abccompany.com,Remote Port: 65209,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-11 15:12:30,End Time: 2020-11-11 15:12:45,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9326857ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.49,Remote Host Name: sam932685.sample.abccompany.com,Remote Port: 65209,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-11 15:12:30,End Time: 2020-11-11 15:12:45,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9326857ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9513,7 +9513,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 56972,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:41:46,End Time: 2020-11-12 07:44:04,Occurrences: 18,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1148077ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 56972,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:41:46,End Time: 2020-11-12 07:44:04,Occurrences: 18,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1148077ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9576,7 +9576,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 56972,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:54:07,End Time: 2020-11-12 07:54:22,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8859027ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 56972,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:54:07,End Time: 2020-11-12 07:54:22,Occurrences: 6,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8859027ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9639,7 +9639,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam621140.sample.abccompany.com,Remote Port: 56024,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:04:58,End Time: 2020-11-12 08:05:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6211407ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 1900,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.42,Remote Host Name: sam621140.sample.abccompany.com,Remote Port: 56024,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:04:58,End Time: 2020-11-12 08:05:01,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow UPnP Discovery from private IP addresses,Location: Default,User Name: LOCAL SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6211407ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9702,7 +9702,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.42,Remote Host Name: sam341788.sample.abccompany.com,Remote Port: 63460,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:47:39,End Time: 2020-11-12 08:47:53,Occurrences: 35,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3417887ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.42,Remote Host Name: sam341788.sample.abccompany.com,Remote Port: 63460,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-12 08:47:39,End Time: 2020-11-12 08:47:53,Occurrences: 35,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3417887ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9765,7 +9765,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 59373,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:50:50,End Time: 2020-11-12 08:51:42,Occurrences: 8,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5450067ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 59373,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:50:50,End Time: 2020-11-12 08:51:42,Occurrences: 8,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5450067ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9828,7 +9828,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.46,Remote Host Name: sam874521.sample.abccompany.com,Remote Port: 57637,Remote Host MAC: 84A93EA815EF,UDP,Inbound,Begin: 2020-11-12 08:57:33,End Time: 2020-11-12 08:57:34,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8745217ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.46,Remote Host Name: sam874521.sample.abccompany.com,Remote Port: 57637,Remote Host MAC: 84A93EA815EF,UDP,Inbound,Begin: 2020-11-12 08:57:33,End Time: 2020-11-12 08:57:34,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8745217ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9891,7 +9891,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57564,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 09:04:27,End Time: 2020-11-12 09:04:34,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7506637ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57564,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 09:04:27,End Time: 2020-11-12 09:04:34,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7506637ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9954,7 +9954,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 03:30:00 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 10.10.01.01,Remote Host Name: ,Remote Port: 57205,Remote Host MAC: 480FCF31B08F,UDP,Inbound,Begin: 2020-11-12 02:55:16,End Time: 2020-11-12 02:55:16,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4391887ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 10.10.01.01,Remote Host Name: ,Remote Port: 57205,Remote Host MAC: 480FCF31B08F,UDP,Inbound,Begin: 2020-11-12 02:55:16,End Time: 2020-11-12 02:55:16,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4391887ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -9985,7 +9985,7 @@
 "LocalHostIpAddr": "ff02::1:3",
 "LocalPortNumber_int": "5355",
 "LocalPortNumber_string": "",
- "LocalHostMacAddr": "3.333E+11",
+ "LocalHostMacAddr": "3.33E+11",
 "RemoteHostIpAddr": "10.10.01.01",
 "RemoteHostName_datetime [UTC]": "",
 "RemoteHostName_string": "",
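Review bot: The new-side expected value in the `@@ -9985` hunk, `"LocalHostMacAddr": "3.33E+11"`, is still a float rendering of the raw `Local Host MAC: 333300010003` that appears in the SyslogMessage of the same record, and it is less precise than the `"3.333E+11"` it replaces rather than a correction. The all-digit MACs in this fixture (`333300010003`, `186024861259`) look as if they were round-tripped through a tool that coerced them to numbers, while MACs containing letters in neighbouring records stay intact, so the parser output itself is presumably fine and only the expected values are wrong; I cannot confirm that from the diff alone. A fixture that expects scientific notation for a MAC field cannot validate that the parser preserves the address as text, and any detection or asset join keyed on `LocalHostMacAddr`/`RemoteHostMacAddr` would silently miss these hosts if the stored value ever did look like this. The expected values should be the original strings, `"LocalHostMacAddr": "333300010003"` and `"RemoteHostMacAddr": "186024861259"`, and the same applies to the hunks at `@@ -10048`, `@@ -10180`, `@@ -10489`, `@@ -10552` and `@@ -10615`.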
@@ -10017,7 +10017,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 20.20.20.20,Remote Host Name: ,Remote Port: 63935,Remote Host MAC: 5065F348CFD4,UDP,Inbound,Begin: 2020-11-12 08:11:55,End Time: 2020-11-12 08:15:21,Occurrences: 54,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8497007ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 20.20.20.20,Remote Host Name: ,Remote Port: 63935,Remote Host MAC: 5065F348CFD4,UDP,Inbound,Begin: 2020-11-12 08:11:55,End Time: 2020-11-12 08:15:21,Occurrences: 54,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8497007ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10048,7 +10048,7 @@
 "LocalHostIpAddr": "ff02::1:3",
 "LocalPortNumber_int": "5355",
 "LocalPortNumber_string": "",
- "LocalHostMacAddr": "3.333E+11",
+ "LocalHostMacAddr": "3.33E+11",
 "RemoteHostIpAddr": "20.20.20.20",
 "RemoteHostName_datetime [UTC]": "",
 "RemoteHostName_string": "",
@@ -10080,7 +10080,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.152,Remote Host Name: sam591810.sample.abccompany.com,Remote Port: 60020,Remote Host MAC: 480FCF3761DC,UDP,Inbound,Begin: 2020-11-12 08:26:29,End Time: 2020-11-12 08:26:29,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5918107ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.152,Remote Host Name: sam591810.sample.abccompany.com,Remote Port: 60020,Remote Host MAC: 480FCF3761DC,UDP,Inbound,Begin: 2020-11-12 08:26:29,End Time: 2020-11-12 08:26:29,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5918107ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10143,7 +10143,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.153,Remote Host Name: sam853258.sample.abccompany.com,Remote Port: 56410,Remote Host MAC: 186024861259,UDP,Inbound,Begin: 2020-11-12 08:32:25,End Time: 2020-11-12 08:32:25,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8532587ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.153,Remote Host Name: sam853258.sample.abccompany.com,Remote Port: 56410,Remote Host MAC: 186024861259,UDP,Inbound,Begin: 2020-11-12 08:32:25,End Time: 2020-11-12 08:32:25,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam8532587ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10180,7 +10180,7 @@
 "RemoteHostName_string": "",
 "RemotePortNumber_datetime [UTC]": "",
 "RemotePortNumber_int": "",
- "RemoteHostMacAddr": "1.86025E+11",
+ "RemoteHostMacAddr": "1.86E+11",
 "NetworkProtocol": "",
 "TrafficDirection": "Inbound",
 "Occurrences": "1",
@@ -10206,7 +10206,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:45:14 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.49,Remote Host Name: sam690874.sample.abccompany.com,Remote Port: 56606,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-11 23:12:31,End Time: 2020-11-11 23:12:31,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6908747ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.49,Remote Host Name: sam690874.sample.abccompany.com,Remote Port: 56606,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-11 23:12:31,End Time: 2020-11-11 23:12:31,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam6908747ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10269,7 +10269,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 23:45:14 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.42,Remote Host Name: sam766644.sample.abccompany.com,Remote Port: 56907,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:33:11,End Time: 2020-11-11 23:33:11,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7666447ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.42,Remote Host Name: sam766644.sample.abccompany.com,Remote Port: 56907,Remote Host MAC: 480FCF376223,UDP,Inbound,Begin: 2020-11-11 23:33:11,End Time: 2020-11-11 23:33:11,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam7666447ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10332,7 +10332,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.52,Remote Host Name: ,Remote Port: 51245,Remote Host MAC: 84A93EA8D4B8,UDP,Inbound,Begin: 2020-11-11 14:20:03,End Time: 2020-11-11 14:20:03,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9743957ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.52,Remote Host Name: ,Remote Port: 51245,Remote Host MAC: 84A93EA8D4B8,UDP,Inbound,Begin: 2020-11-11 14:20:03,End Time: 2020-11-11 14:20:03,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9743957ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10395,7 +10395,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.50,Remote Host Name: sam941872.sample.abccompany.com,Remote Port: 63779,Remote Host MAC: 5065F339DF34,UDP,Inbound,Begin: 2020-11-11 14:49:15,End Time: 2020-11-11 14:49:15,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9418727ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.50,Remote Host Name: sam941872.sample.abccompany.com,Remote Port: 63779,Remote Host MAC: 5065F339DF34,UDP,Inbound,Begin: 2020-11-11 14:49:15,End Time: 2020-11-11 14:49:15,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam9418727ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10458,7 +10458,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 12.12.12.12,Remote Host Name: ,Remote Port: 59972,Remote Host MAC: 5065F33AFE67,UDP,Inbound,Begin: 2020-11-11 14:54:16,End Time: 2020-11-11 14:56:28,Occurrences: 39,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1285167ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 12.12.12.12,Remote Host Name: ,Remote Port: 59972,Remote Host MAC: 5065F33AFE67,UDP,Inbound,Begin: 2020-11-11 14:54:16,End Time: 2020-11-11 14:56:28,Occurrences: 39,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1285167ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10489,7 +10489,7 @@
 "LocalHostIpAddr": "ff02::1:3",
 "LocalPortNumber_int": "5355",
 "LocalPortNumber_string": "",
- "LocalHostMacAddr": "3.333E+11",
+ "LocalHostMacAddr": "3.33E+11",
 "RemoteHostIpAddr": "12.12.12.12",
 "RemoteHostName_datetime [UTC]": "",
 "RemoteHostName_string": "",
@@ -10521,7 +10521,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 45.42.1.25,Remote Host Name: ,Remote Port: 50933,Remote Host MAC: 186024861259,UDP,Inbound,Begin: 2020-11-11 15:02:23,End Time: 2020-11-11 15:03:23,Occurrences: 3,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4608267ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 45.42.1.25,Remote Host Name: ,Remote Port: 50933,Remote Host MAC: 186024861259,UDP,Inbound,Begin: 2020-11-11 15:02:23,End Time: 2020-11-11 15:03:23,Occurrences: 3,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam4608267ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10552,13 +10552,13 @@
 "LocalHostIpAddr": "ff02::1:3",
 "LocalPortNumber_int": "5355",
 "LocalPortNumber_string": "",
- "LocalHostMacAddr": "3.333E+11",
+ "LocalHostMacAddr": "3.33E+11",
 "RemoteHostIpAddr": "45.42.1.25",
 "RemoteHostName_datetime [UTC]": "",
 "RemoteHostName_string": "",
 "RemotePortNumber_datetime [UTC]": "",
 "RemotePortNumber_int": "",
- "RemoteHostMacAddr": "1.86025E+11",
+ "RemoteHostMacAddr": "1.86E+11",
 "NetworkProtocol": "",
 "TrafficDirection": "Inbound",
 "Occurrences": "3",
@@ -10584,7 +10584,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 50.20.10.20,Remote Host Name: ,Remote Port: 63506,Remote Host MAC: 84A93EA815EF,UDP,Inbound,Begin: 2020-11-12 07:57:33,End Time: 2020-11-12 07:57:33,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1040267ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::1:3,Local Port: 5355,Local Host MAC: 333300010003,Remote Host IP: 50.20.10.20,Remote Host Name: ,Remote Port: 63506,Remote Host MAC: 84A93EA815EF,UDP,Inbound,Begin: 2020-11-12 07:57:33,End Time: 2020-11-12 07:57:33,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv6 LLMNR,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam1040267ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10615,7 +10615,7 @@
 "LocalHostIpAddr": "ff02::1:3",
 "LocalPortNumber_int": "5355",
 "LocalPortNumber_string": "",
- "LocalHostMacAddr": "3.333E+11",
+ "LocalHostMacAddr": "3.33E+11",
 "RemoteHostIpAddr": "50.20.10.20",
 "RemoteHostName_datetime [UTC]": "",
 "RemoteHostName_string": "",
@@ -10647,7 +10647,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 61359,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:02:21,End Time: 2020-11-12 08:02:27,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3284927ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 61359,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:02:21,End Time: 2020-11-12 08:02:27,Occurrences: 4,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam3284927ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10710,7 +10710,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.49,Remote Host Name: sam581259.sample.abccompany.com,Remote Port: 52776,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-12 08:12:30,End Time: 2020-11-12 08:12:30,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5812597ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
+ "SyslogMessage": "SERVER7,Local Host IP: 224.0.0.252,Local Port: 5355,Local Host MAC: 01005E0000FC,Remote Host IP: 10.58.232.49,Remote Host Name: sam581259.sample.abccompany.com,Remote Port: 52776,Remote Host MAC: EC8EB56E6EC4,UDP,Inbound,Begin: 2020-11-12 08:12:30,End Time: 2020-11-12 08:12:30,Occurrences: 1,Application: C:/Windows/System32/svchost.exe,Rule: Allow Ipv4 LLMNR from private IP addresses,Location: Default,User Name: NETWORK SERVICE,Domain Name: NT AUTHORITY,Action: Allowed,SHA-256: 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4sam5812597ab6,MD-5: 8A0A29438052FAED8A2532DA50455756",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10773,7 +10773,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:55:02,End Time: 2020-11-12 08:55:09,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:55:02,End Time: 2020-11-12 08:55:09,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
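Review bot: The new `SyslogMessage` ends in `MD-5:"` while the removed line ended in `MD-5: "`, i.e. the space after the final `key:` was dropped together with the syslog header, although the empty `SHA-256: ,` field in the same record keeps its space; the same trim appears in the hunks at -10836, -10899, -10962, -11025 and -11088 on the following lines. This looks like editor trailing-whitespace stripping rather than an intended change, and a sample whose last field has no separator space no longer reflects the raw SEP format the parser is exercised against, so a `key: value` split on the final field can behave differently in the fixture than on live data. If real records end in `MD-5: `, the expected value should be restored to `...,SHA-256: ,MD-5: ",`; otherwise the parser header should state that trailing whitespace is trimmed before field extraction.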
@@ -10836,7 +10836,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 10:14:51 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 09:02:20,End Time: 2020-11-12 09:02:27,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 09:02:20,End Time: 2020-11-12 09:02:27,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10899,7 +10899,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:21:47,End Time: 2020-11-12 08:21:54,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: 239.255.255.250,Local Port: 3702,Local Host MAC: 01005E7FFFFA,Remote Host IP: 10.58.232.158,Remote Host Name: ,Remote Port: 57316,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 08:21:47,End Time: 2020-11-12 08:21:54,Occurrences: 12,Application: ,Rule: Allow Web Services Discovery from private IP addresses,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -10962,7 +10962,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 09:29:49 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 255.255.255.255,Local Port: 67,Local Host MAC: FFFFFFFFFFFF,Remote Host IP: 0.0.0.0,Remote Host Name: ,Remote Port: 68,Remote Host MAC: 002368A10CD6,UDP,Inbound,Begin: 2020-11-12 08:29:07,End Time: 2020-11-12 08:29:07,Occurrences: 1,Application: ,Rule: Allow BOOTP protocol,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: 255.255.255.255,Local Port: 67,Local Host MAC: FFFFFFFFFFFF,Remote Host IP: 0.0.0.0,Remote Host Name: ,Remote Port: 68,Remote Host MAC: 002368A10CD6,UDP,Inbound,Begin: 2020-11-12 08:29:07,End Time: 2020-11-12 08:29:07,Occurrences: 1,Application: ,Rule: Allow BOOTP protocol,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -11025,7 +11025,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 11 17:00:24 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: 10.58.232.47,Local Port: 2,Local Host MAC: EC8EB56E55C0,Remote Host IP: 224.0.0.22,Remote Host Name: ,Remote Port: 0,Remote Host MAC: 01005E000016,IP,Outbound,Begin: 2020-11-11 14:27:38,End Time: 2020-11-11 14:27:38,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: 10.58.232.47,Local Port: 2,Local Host MAC: EC8EB56E55C0,Remote Host IP: 224.0.0.22,Remote Host Name: ,Remote Port: 0,Remote Host MAC: 01005E000016,IP,Outbound,Begin: 2020-11-11 14:27:38,End Time: 2020-11-11 14:27:38,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Allowed,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",
@@ -11088,7 +11088,7 @@
 "Facility": "local0"
 },
 {
- "SyslogMessage": "<50>Nov 12 08:44:48 SAMPLE0003 SymantecServer: SERVER7,Local Host IP: ff02::c,Local Port: 3702,Local Host MAC: 33330000000C,Remote Host IP: 56.54.12.2,Remote Host Name: ,Remote Port: 57317,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:49:55,End Time: 2020-11-12 07:50:02,Occurrences: 12,Application: ,Rule: Block Web Services Discovery,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Blocked,SHA-256: ,MD-5: ",
+ "SyslogMessage": "SERVER7,Local Host IP: ff02::c,Local Port: 3702,Local Host MAC: 33330000000C,Remote Host IP: 56.54.12.2,Remote Host Name: ,Remote Port: 57317,Remote Host MAC: 84A93E46969D,UDP,Inbound,Begin: 2020-11-12 07:49:55,End Time: 2020-11-12 07:50:02,Occurrences: 12,Application: ,Rule: Block Web Services Discovery,Location: Default,User Name: sampleuser8,Domain Name: SMPL,Action: Blocked,SHA-256: ,MD-5:",
 "ServerName": "SERVER7",
 "LogType": "Agent Traffic Logs",
 "SiteName": "",