Merge pull request #8776 from jayeshprajapaticrest/CarbonBlackProcess

ASIM Process Event schema parser with its sample and test data for VMware Carbon Black Cloud

ASIM/dev/ASimTester/ASimTester.csv

@@ -545,7 +545,7 @@ EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Ve
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|Carbon Black Cloud,
-EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne,
+EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF,
@@ -685,7 +685,7 @@ EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|VMware,
-EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne,
+EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne|VMware,
 EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5,
 EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,
 EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne|VMware,

Parsers/ASimProcessEvent/Parsers/ASimProcessCreateVMwareCarbonBlackCloud.yaml

@@ -0,0 +1,190 @@
+Parser:
+  Title: Process Create ASIM parser for VMware Carbon Black Cloud
+  Version: '0.1.0'
+  LastUpdated: Oct 25, 2023
+Product:
+  Name: VMware Carbon Black Cloud
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM Process Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: VMware Carbon Black Cloud documentation
+  Link: 
+    https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
+    https://developer.carbonblack.com/reference/cb-threathunter/latest/event-search-fields/
+Description: |
+  This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Create normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+ParserName: ASimProcessCreateVMwareCarbonBlackCloud
+EquivalentBuiltInParser: _ASim_ProcessEvent_CreateVMwareCarbonBlackCloud
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventFieldsLookup = datatable(
+      sensor_action_s: string,
+      DvcAction: string,
+      EventResult: string
+  )[
+      "ACTION_ALLOW", "Allow", "Success",
+      "ACTION_BLOCK", "Block", "Failure",
+      "ACTION_TERMINATE", "Terminate", "Failure",
+      "ACTION_BREAK", "Break", "Failure",
+      "ACTION_SUSPEND", "Suspend", "Failure",
+      "", "", "Success"
+  ];
+  let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)
+      [
+      "1", 10,
+      "2", 20,
+      "3", 30,
+      "4", 40,
+      "5", 50,
+      "6", 60,
+      "7", 70,
+      "8", 80,
+      "9", 90,
+      "10", 100
+  ];
+  let parser = (disabled: bool=false) {
+      let processdata = CarbonBlackEvents_CL
+          | where not(disabled)
+          | where eventType_s == "endpoint.event.procstart" and isnotempty(childproc_pid_d)
+          | parse process_hash_s with * '["' ActingProcessMD5: string '","' ActingProcessSHA256: string '"]'
+          | parse parent_hash_s with * '["' ParentProcessMD5: string  '","' ParentProcessSHA256: string '"]'
+          | parse childproc_hash_s with * '["' TargetProcessMD5: string '","' TargetProcessSHA256: string '"]'
+          | lookup EventFieldsLookup on sensor_action_s;
+      let processdatawiththreat = processdata
+          | where isnotempty(alert_id_g) and isnotempty(event_id_g)
+          | join kind=leftouter(CarbonBlackNotifications_CL
+              | where type_s == "THREAT"
+              | project
+                  threatInfo_incidentId_g,
+                  threatInfo_score_d,
+                  threatInfo_summary_s,
+                  threatInfo_time_d,
+                  threatInfo_threatCause_threatCategory_s,
+                  threatInfo_threatCause_causeEventId_g,
+                  ruleName_s,
+                  deviceInfo_deviceVersion_s,
+                  threatInfo_threatCause_originSourceType_s,
+                  threatInfo_threatCause_reputation_s,
+                  threatInfo_threatCause_reason_s)
+              on
+              $left.alert_id_g == $right.threatInfo_incidentId_g,
+              $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g
+          | join kind=leftouter (CarbonBlackNotifications_CL
+              | where type_s == "CB_ANALYTICS"
+              | project
+                  id_g,
+                  primary_event_id_g,
+                  deviceInfo_deviceVersion_s,
+                  threat_id_g,
+                  threatInfo_score_d,
+                  threatInfo_summary_s,
+                  threatInfo_threatCause_reason_s)
+              on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g
+          | extend 
+              ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),
+              ThreatCategory = threatInfo_threatCause_threatCategory_s,
+              ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),
+              RuleName = ruleName_s,
+              AdditionalFields_threat = bag_pack(
+                                "threatInfo_threatCause_reason",
+                                coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),
+                                "threatInfo_threatCause_reputation",
+                                threatInfo_threatCause_reputation_s,
+                                "threatInfo_threatCause_originSourceType",
+                                threatInfo_threatCause_originSourceType_s
+                            ),
+              ThreatId = threat_id_g,
+              ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),
+              DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)
+          | lookup ThreatConfidenceLookup on ThreatOriginalConfidence
+          | extend Rule = RuleName;
+      let processdatawithoutthreat = processdata
+          | where isempty(alert_id_g) or isempty(event_id_g);
+      union processdatawithoutthreat, processdatawiththreat
+      | extend
+          EventStartTime = todatetime(split(createTime_s, '+')[0]),
+          TargetProcessId = tostring(toint(childproc_pid_d)),
+          ActingProcessId = tostring(toint(process_pid_d)),
+          ParentProcessId = tostring(toint(parent_pid_d)),
+          AdditionalFields_Common = bag_pack(
+                      "org_key", org_key_s,
+                      "alert_id", alert_id_g,
+                      "parent_cmdline", parent_cmdline_s,
+                      "process_reputation", process_reputation_s,
+                      "childproc_reputation", childproc_reputation_s,
+                      "parent_reputation", parent_reputation_s,
+                      "process_guid", process_guid_s,
+                      "childproc_guid", childproc_guid_s,
+                      "parent_guid", parent_guid_s
+                  )
+      | invoke _ASIM_ResolveDvcFQDN('device_name_s')
+      | project-rename 
+          ActorUsername = process_username_s,
+          TargetProcessCommandLine = target_cmdline_s,
+          TargetProcessName = childproc_name_s,
+          TargetUsername = childproc_username_s,
+          DvcIpAddr = device_external_ip_s,
+          DvcScope = device_group_s,
+          ActingProcessCommandLine = process_cmdline_s,
+          ActingProcessName = process_path_s,
+          DvcId = device_id_s,
+          DvcOriginalAction = sensor_action_s,
+          DvcOs = device_os_s,
+          EventMessage = event_description_s,
+          EventOriginalType = action_s,
+          EventOriginalUid = event_id_g,
+          EventOwner = event_origin_s,
+          ParentProcessName = parent_path_s,
+          EventUid = _ItemId
+      | extend
+          EventCount = int(1),
+          EventProduct = "Carbon Black Cloud",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessCreated",
+          EventVendor = "VMware",
+          EventSchema = "ProcessEvent",
+          AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)
+      | extend 
+          Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),
+          EventEndTime = EventStartTime,
+          Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName,
+          User = TargetUsername,
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          HashType = case(
+                isnotempty(TargetProcessSHA256),
+                "TargetProcessSHA256",
+                isnotempty(TargetProcessMD5),
+                "TargetProcessMD5",
+                ""
+            ),
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, "")
+      | project-away
+          *_s,
+          *_d,
+          *_g,
+          *_b,
+          _ResourceId,
+          Computer,
+          MG,
+          ManagementGroupName,
+          RawData,
+          SourceSystem,
+          TenantId,
+          AdditionalFields_*,
+          *_d1,
+          *_s1
+  };
+  parser(disabled=disabled)

Parsers/ASimProcessEvent/Parsers/ASimProcessEvent.yaml

@@ -30,6 +30,8 @@ Parsers:
   - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
   - _ASim_ProcessEvent_MD4IoT
   - _ASim_ProcessEvent_CreateSentinelOne
+  - _ASim_ProcessEvent_CreateVMwareCarbonBlackCloud
+  - _ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud
 
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
@@ -46,4 +48,6 @@ ParserQuery: |
     ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
     ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
     ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
-    ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
+    ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
+    ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),
+    ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))

Parsers/ASimProcessEvent/Parsers/ASimProcessEventCreate.yaml

@@ -25,6 +25,7 @@ Parsers:
   - _ASim_ProcessEvent_CreateMicrosoftWindowsEvents
   - _ASim_ProcessEvent_MD4IoT
   - _ASim_ProcessEvent_CreateSentinelOne
+  - _ASim_ProcessEvent_CreateVMwareCarbonBlackCloud
 
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
@@ -36,5 +37,6 @@ ParserQuery: |
     ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
     ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
     ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
+    ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
     ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
-    ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) ))
+    ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))

Parsers/ASimProcessEvent/Parsers/ASimProcessEventTerminate.yaml

@@ -24,6 +24,7 @@ Parsers:
   - _ASim_ProcessEvent_TerminateLinuxSysmon
   - _ASim_ProcessEvent_TerminateMicrosoftWindowsEvents
   - _ASim_ProcessEvent_MD4IoT
+  - _ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud
 ParserQuery: |
     let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
     let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); 
@@ -34,5 +35,6 @@ ParserQuery: |
     ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),
     ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
     ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
-    ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) ))
+    ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
+    ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))
 

Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateVMwareCarbonBlackCloud.yaml

@@ -0,0 +1,112 @@
+Parser:
+  Title: Process Terminate ASIM parser for VMware Carbon Black Cloud
+  Version: '0.1.0'
+  LastUpdated: Oct 03, 2023
+Product:
+  Name: VMware Carbon Black Cloud
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM Process Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: VMware Carbon Black Cloud documentation
+  Link: 
+    https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
+    https://developer.carbonblack.com/reference/cb-threathunter/latest/event-search-fields/
+Description: |
+  This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+ParserName: ASimProcessTerminateVMwareCarbonBlackCloud
+EquivalentBuiltInParser: ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventFieldsLookup = datatable(
+    sensor_action_s: string,
+    DvcAction: string,
+    EventResult: string
+  )[
+      "ACTION_ALLOW", "Allow", "Success",
+      "ACTION_BLOCK", "Block", "Failure",
+      "ACTION_TERMINATE", "Terminate", "Failure",
+      "ACTION_BREAK", "Break", "Failure",
+      "ACTION_SUSPEND", "Suspend", "Failure",
+      "", "", "Success"
+  ];
+  let parser = (disabled: bool=false) {
+      CarbonBlackEvents_CL
+      | where not(disabled)
+      | where eventType_s == "endpoint.event.procend" and isnotempty(process_pid_d)
+      | parse process_hash_s with * '["' TargetProcessMD5: string '","' TargetProcessSHA256: string '"]'
+      | parse parent_hash_s with * '["' ActingProcessMD5: string  '","' ActingProcessSHA256: string '"]'
+      | lookup EventFieldsLookup on sensor_action_s
+      | extend
+          EventStartTime = todatetime(split(createTime_s, '+')[0]),
+          TargetProcessId = tostring(toint(process_pid_d)),
+          ActingProcessId = tostring(toint(parent_pid_d)),
+          ActorUsername = process_username_s,
+          TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),
+          AdditionalFields = bag_pack(
+                      "org_key", org_key_s,
+                      "alert_id", alert_id_g,
+                      "process_reputation", process_reputation_s,
+                      "parent_reputation", parent_reputation_s,
+                      "parent_guid", parent_guid_s,
+                      "process_guid", process_guid_s
+                  )
+      | invoke _ASIM_ResolveDvcFQDN('device_name_s')
+      | project-rename 
+          TargetProcessName = process_path_s,
+          DvcIpAddr = device_external_ip_s,
+          DvcScope = device_group_s,
+          ActingProcessCommandLine = parent_cmdline_s,
+          DvcId = device_id_s,
+          DvcOriginalAction = sensor_action_s,
+          DvcOs = device_os_s,
+          EventOriginalType = action_s,
+          EventOriginalUid = event_id_g,
+          EventOwner = event_origin_s,
+          ActingProcessName = parent_path_s,
+          EventUid = _ItemId
+      | extend
+          EventCount = int(1),
+          EventProduct = "Carbon Black Cloud",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessTerminated",
+          EventVendor = "VMware",
+          EventSchema = "ProcessEvent"
+      | extend 
+          Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),
+          EventEndTime = EventStartTime,
+          Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName,
+          User = ActorUsername,
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          HashType = case(
+                isnotempty(TargetProcessSHA256),
+                "TargetProcessSHA256",
+                isnotempty(TargetProcessMD5),
+                "TargetProcessMD5",
+                ""
+            )
+      | project-away
+          *_s,
+          *_d,
+          *_g,
+          *_b,
+          _ResourceId,
+          Computer,
+          MG,
+          ManagementGroupName,
+          RawData,
+          SourceSystem,
+          TenantId
+  };
+  parser(disabled=disabled)

Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml

@@ -67,7 +67,8 @@ ParserQuery: |
     vimProcessCreateLinuxSysmon            (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon'   in (DisabledParsers) ))),
     vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents'   in (DisabledParsers) ))),
     vimProcessCreateMD4IoT                  (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT'   in (DisabledParsers) ))),
-    vimProcessCreateSentinelOne            (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'   in (DisabledParsers) )))
+    vimProcessCreateSentinelOne            (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'   in (DisabledParsers) ))),
+    vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud'   in (DisabledParsers) )))
   };
   Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)
 
@@ -81,4 +82,4 @@ Parsers:
   - _Im_ProcessCreate_MicrosoftWindowsEvents
   - _Im_ProcessCreate_MD4IoT
   - _Im_ProcessCreate_SentinelOne
-
+  - _Im_ProcessCreate_VMwareCarbonBlackCloud

Parsers/ASimProcessEvent/Parsers/imProcessEvent.yaml

@@ -73,6 +73,9 @@ Parsers:
   - _Im_ProcessTerminate_MicrosoftWindowsEvents
   - _Im_ProcessCreate_MD4IoT
   - _Im_ProcessTerminate_MD4IoT
+  - _Im_ProcessCreate_SentinelOne
+  - _Im_ProcessCreate_VMwareCarbonBlackCloud
+  - _Im_ProcessTerminate_VMwareCarbonBlackCloud
 
 ParserQuery: |
   let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){
@@ -89,7 +92,10 @@ ParserQuery: |
     vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon'   in (DisabledParsers) ))),
     vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents'   in (DisabledParsers) ))),
     vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents'   in (DisabledParsers) ))),
+    vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'   in (DisabledParsers) ))),
     vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT'   in (DisabledParsers) ))),
-    vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT'   in (DisabledParsers) )))
+    vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT'   in (DisabledParsers) ))),
+    vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud'   in (DisabledParsers) ))),
+    vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud'   in (DisabledParsers) )))
       };
   Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)

Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml

@@ -63,7 +63,8 @@ ParserQuery: |
     vimProcessTerminateMicrosoftSecurityEvents        (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents'   in (DisabledParsers) ))),
     vimProcessTerminateMicrosoftWindowsEvents  (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents'   in (DisabledParsers) ))),
     vimProcessTerminateLinuxSysmon            (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon'   in (DisabledParsers) ))),
-    vimProcessTerminateMD4IoT                  (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT'   in (DisabledParsers) )))
+    vimProcessTerminateMD4IoT                  (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT'   in (DisabledParsers) ))),
+    vimProcessTerminateVMwareCarbonBlackCloud    (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud'   in (DisabledParsers) )))
   };
   Generic(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)
 
@@ -75,3 +76,4 @@ Parsers:
   - _Im_ProcessTerminate_LinuxSysmon            
   - _Im_ProcessTerminate_MicrosoftWindowsEvents
   - _Im_ProcessTerminate_MD4IoT
+  - _Im_ProcessTerminate_VMwareCarbonBlackCloud

Parsers/ASimProcessEvent/Parsers/vimProcessCreateVMwareCarbonBlackCloud.yaml

@@ -0,0 +1,271 @@
+Parser:
+  Title: Process Create ASIM parser for VMware Carbon Black Cloud
+  Version: '0.1.0'
+  LastUpdated: Oct 25, 2023
+Product:
+  Name: VMware Carbon Black Cloud
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM Process Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: VMware Carbon Black Cloud documentation
+  Link: 
+    https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
+    https://developer.carbonblack.com/reference/cb-threathunter/latest/event-search-fields/
+Description: |
+  This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Create normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+ParserName: vimProcessCreateVMwareCarbonBlackCloud
+EquivalentBuiltInParser: _Im_ProcessCreate_VMwareCarbonBlackCloud
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: commandline_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_all
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_any_ip_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actingprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: parentprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+  - Name: dvcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dvchostname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: hashes_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventFieldsLookup = datatable(
+      sensor_action_s: string,
+      DvcAction: string,
+      EventResult: string
+  )[
+      "ACTION_ALLOW", "Allow", "Success",
+      "ACTION_BLOCK", "Block", "Failure",
+      "ACTION_TERMINATE", "Terminate", "Failure",
+      "ACTION_BREAK", "Break", "Failure",
+      "ACTION_SUSPEND", "Suspend", "Failure",
+      "", "", "Success"
+  ];
+  let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)
+      [
+      "1", 10,
+      "2", 20,
+      "3", 30,
+      "4", 40,
+      "5", 50,
+      "6", 60,
+      "7", 70,
+      "8", 80,
+      "9", 90,
+      "10", 100
+  ];
+  let parser = (
+      starttime: datetime=datetime(null),
+      endtime: datetime=datetime(null),
+      commandline_has_any: dynamic=dynamic([]),
+      commandline_has_all: dynamic=dynamic([]),
+      commandline_has_any_ip_prefix: dynamic=dynamic([]),
+      actingprocess_has_any: dynamic=dynamic([]),
+      targetprocess_has_any: dynamic=dynamic([]),
+      parentprocess_has_any: dynamic=dynamic([]),
+      targetusername_has: string='*',
+      dvcipaddr_has_any_prefix: dynamic=dynamic([]),
+      dvchostname_has_any: dynamic=dynamic([]),
+      eventtype: string='*',
+      hashes_has_any: dynamic=dynamic([]),
+      disabled: bool=false) {
+      let processdata = CarbonBlackEvents_CL
+          | where not(disabled)
+          | where (isnull(starttime) or TimeGenerated >= starttime)
+              and (isnull(endtime) or TimeGenerated <= endtime)
+              and eventType_s == "endpoint.event.procstart" and isnotempty(childproc_pid_d)
+              and (eventtype == '*' or eventtype == 'ProcessCreated')
+              and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))
+              and (targetusername_has == '*' or childproc_username_s has targetusername_has)  
+              and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) 
+              and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) 
+              and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) 
+              and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) 
+              and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) 
+              and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))
+              and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))
+              and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)
+          | parse process_hash_s with * '["' ActingProcessMD5: string '","' ActingProcessSHA256: string '"]'
+          | parse parent_hash_s with * '["' ParentProcessMD5: string  '","' ParentProcessSHA256: string '"]'
+          | parse childproc_hash_s with * '["' TargetProcessMD5: string '","' TargetProcessSHA256: string '"]'
+          | lookup EventFieldsLookup on sensor_action_s;  
+      let processdatawiththreat = processdata
+          | where isnotempty(alert_id_g) and isnotempty(event_id_g)
+          | join kind=leftouter(CarbonBlackNotifications_CL
+              | where type_s == "THREAT"
+              | project
+                  threatInfo_incidentId_g,
+                  threatInfo_score_d,
+                  threatInfo_summary_s,
+                  threatInfo_time_d,
+                  threatInfo_threatCause_threatCategory_s,
+                  threatInfo_threatCause_causeEventId_g,
+                  ruleName_s,
+                  deviceInfo_deviceVersion_s,
+                  threatInfo_threatCause_originSourceType_s,
+                  threatInfo_threatCause_reputation_s,
+                  threatInfo_threatCause_reason_s)
+              on
+              $left.alert_id_g == $right.threatInfo_incidentId_g,
+              $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g
+          | join kind=leftouter (CarbonBlackNotifications_CL
+              | where type_s == "CB_ANALYTICS"
+              | project
+                  id_g,
+                  primary_event_id_g,
+                  deviceInfo_deviceVersion_s,
+                  threat_id_g,
+                  threatInfo_score_d,
+                  threatInfo_summary_s,
+                  threatInfo_threatCause_reason_s)
+              on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g
+          | extend 
+              ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),
+              ThreatCategory = threatInfo_threatCause_threatCategory_s,
+              ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),
+              RuleName = ruleName_s,
+              AdditionalFields_threat = bag_pack(
+                                "threatInfo_threatCause_reason",
+                                coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),
+                                "threatInfo_threatCause_reputation",
+                                threatInfo_threatCause_reputation_s,
+                                "threatInfo_threatCause_originSourceType",
+                                threatInfo_threatCause_originSourceType_s
+                            ),
+              ThreatId = threat_id_g,
+              ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),
+              DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)
+          | lookup ThreatConfidenceLookup on ThreatOriginalConfidence
+          | extend Rule = RuleName;
+      let processdatawithoutthreat = processdata
+          | where isempty(alert_id_g) or isempty(event_id_g);
+      union processdatawithoutthreat, processdatawiththreat
+      | extend
+          EventStartTime = todatetime(split(createTime_s, '+')[0]),
+          TargetProcessId = tostring(toint(childproc_pid_d)),
+          ActingProcessId = tostring(toint(process_pid_d)),
+          ParentProcessId = tostring(toint(parent_pid_d)),
+          AdditionalFields_Common = bag_pack(
+                        "org_key", org_key_s,
+                        "alert_id", alert_id_g,
+                        "parent_cmdline", parent_cmdline_s,
+                        "process_reputation", process_reputation_s,
+                        "childproc_reputation", childproc_reputation_s,
+                        "parent_reputation", parent_reputation_s,
+                        "process_guid", process_guid_s,
+                        "childproc_guid", childproc_guid_s,
+                        "parent_guid", parent_guid_s
+                    )
+      | invoke _ASIM_ResolveDvcFQDN('device_name_s')
+      | project-rename 
+          ActorUsername = process_username_s,
+          TargetProcessCommandLine = target_cmdline_s,
+          TargetProcessName = childproc_name_s,
+          TargetUsername = childproc_username_s,
+          DvcIpAddr = device_external_ip_s,
+          DvcScope = device_group_s,
+          ActingProcessCommandLine = process_cmdline_s,
+          ActingProcessName = process_path_s,
+          DvcId = device_id_s,
+          DvcOriginalAction = sensor_action_s,
+          DvcOs = device_os_s,
+          EventMessage = event_description_s,
+          EventOriginalType = action_s,
+          EventOriginalUid = event_id_g,
+          EventOwner = event_origin_s,
+          ParentProcessName = parent_path_s,
+          EventUid = _ItemId
+      | extend
+          EventCount = int(1),
+          EventProduct = "Carbon Black Cloud",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessCreated",
+          EventVendor = "VMware",
+          EventSchema = "ProcessEvent",
+          AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)
+      | extend 
+          Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),
+          EventEndTime = EventStartTime,
+          Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName,
+          User = TargetUsername,
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          HashType = case(
+                isnotempty(TargetProcessSHA256),
+                "TargetProcessSHA256",
+                isnotempty(TargetProcessMD5),
+                "TargetProcessMD5",
+                ""
+            ),
+          TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
+          TargetUserType = _ASIM_GetUserType(TargetUsername, "")
+      | project-away
+          *_s,
+          *_d,
+          *_g,
+          *_b,
+          _ResourceId,
+          Computer,
+          MG,
+          ManagementGroupName,
+          RawData,
+          SourceSystem,
+          TenantId,
+          AdditionalFields_*,
+          *_d1,
+          *_s1
+  };
+  parser(
+      starttime=starttime, 
+      endtime=endtime, 
+      commandline_has_any=commandline_has_any,
+      commandline_has_all=commandline_has_all,
+      commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,
+      actingprocess_has_any=actingprocess_has_any,
+      targetprocess_has_any=targetprocess_has_any,
+      parentprocess_has_any=parentprocess_has_any,
+      targetusername_has=targetusername_has,
+      dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
+      dvchostname_has_any=dvchostname_has_any,
+      eventtype=eventtype,
+      hashes_has_any=hashes_has_any,
+      disabled=disabled
+  )

Parsers/ASimProcessEvent/Parsers/vimProcessTerminateVMwareCarbonBlackCloud.yaml

@@ -0,0 +1,187 @@
+Parser:
+  Title: Process Terminate ASIM parser for VMware Carbon Black Cloud
+  Version: '0.1.0'
+  LastUpdated: Oct 03, 2023
+Product:
+  Name: VMware Carbon Black Cloud
+Normalization:
+  Schema: ProcessEvent
+  Version: '0.1.4'
+References:
+- Title: ASIM Process Schema
+  Link: https://aka.ms/ASimProcessEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: VMware Carbon Black Cloud documentation
+  Link: 
+    https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
+    https://developer.carbonblack.com/reference/cb-threathunter/latest/event-search-fields/
+Description: |
+  This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+ParserName: vimProcessTerminateVMwareCarbonBlackCloud
+EquivalentBuiltInParser: Im_ProcessTerminate_VMwareCarbonBlackCloud
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: commandline_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_all
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_any_ip_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actingprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: parentprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actorusername_has
+    Type: string
+    Default: '*'
+  - Name: dvcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dvchostname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype
+    Type: string
+    Default: '*'
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventFieldsLookup = datatable(
+    sensor_action_s: string,
+    DvcAction: string,
+    EventResult: string
+  )[
+      "ACTION_ALLOW", "Allow", "Success",
+      "ACTION_BLOCK", "Block", "Failure",
+      "ACTION_TERMINATE", "Terminate", "Failure",
+      "ACTION_BREAK", "Break", "Failure",
+      "ACTION_SUSPEND", "Suspend", "Failure",
+      "", "", "Success"
+  ];
+  let parser = (
+      starttime: datetime=datetime(null),
+      endtime: datetime=datetime(null),
+      commandline_has_any: dynamic=dynamic([]),
+      commandline_has_all: dynamic=dynamic([]),
+      commandline_has_any_ip_prefix: dynamic=dynamic([]),
+      actingprocess_has_any: dynamic=dynamic([]),
+      targetprocess_has_any: dynamic=dynamic([]),
+      parentprocess_has_any: dynamic=dynamic([]),
+      actorusername_has: string='*',
+      dvcipaddr_has_any_prefix: dynamic=dynamic([]),
+      dvchostname_has_any: dynamic=dynamic([]),
+      eventtype: string='*',
+      disabled: bool=false) {
+      CarbonBlackEvents_CL
+      | where not(disabled)
+      | where (isnull(starttime) or TimeGenerated >= starttime)
+          and (isnull(endtime) or TimeGenerated <= endtime)
+          and (eventType_s == "endpoint.event.procend" and isnotempty(process_pid_d))
+          and (eventtype == '*' or eventtype == 'ProcessTerminated')
+          and array_length(parentprocess_has_any) == 0
+          and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) 
+          and (actorusername_has == '*' or process_username_s has actorusername_has)  
+          and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))
+          and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) 
+          and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) 
+          and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) 
+          and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) 
+          and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))
+      | parse process_hash_s with * '["' TargetProcessMD5: string '","' TargetProcessSHA256: string '"]'
+      | parse parent_hash_s with * '["' ActingProcessMD5: string  '","' ActingProcessSHA256: string '"]'
+      | lookup EventFieldsLookup on sensor_action_s
+      | extend
+          EventStartTime = todatetime(split(createTime_s, '+')[0]),
+          TargetProcessId = tostring(toint(process_pid_d)),
+          ActingProcessId = tostring(toint(parent_pid_d)),
+          ActorUsername = process_username_s,
+          TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),
+          AdditionalFields = bag_pack(
+                      "org_key", org_key_s,
+                      "alert_id", alert_id_g,
+                      "process_reputation", process_reputation_s,
+                      "parent_reputation", parent_reputation_s,
+                      "parent_guid", parent_guid_s,
+                      "process_guid", process_guid_s
+                  )
+      | invoke _ASIM_ResolveDvcFQDN('device_name_s')
+      | project-rename 
+          TargetProcessName = process_path_s,
+          DvcIpAddr = device_external_ip_s,
+          DvcScope = device_group_s,
+          ActingProcessCommandLine = parent_cmdline_s,
+          DvcId = device_id_s,
+          DvcOriginalAction = sensor_action_s,
+          DvcOs = device_os_s,
+          EventOriginalType = action_s,
+          EventOriginalUid = event_id_g,
+          EventOwner = event_origin_s,
+          ActingProcessName = parent_path_s,
+          EventUid = _ItemId
+      | extend
+          EventCount = int(1),
+          EventProduct = "Carbon Black Cloud",
+          EventSchemaVersion = "0.1.4",
+          EventType = "ProcessTerminated",
+          EventVendor = "VMware",
+          EventSchema = "ProcessEvent"
+      | extend 
+          Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),
+          EventEndTime = EventStartTime,
+          Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),
+          CommandLine = TargetProcessCommandLine,
+          Process = TargetProcessName,
+          User = ActorUsername,
+          DvcIdType = iff(isnotempty(DvcId), "Other", ""),
+          ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
+          ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
+          HashType = case(
+                isnotempty(TargetProcessSHA256),
+                "TargetProcessSHA256",
+                isnotempty(TargetProcessMD5),
+                "TargetProcessMD5",
+                ""
+            )
+      | project-away
+          *_s,
+          *_d,
+          *_g,
+          *_b,
+          _ResourceId,
+          Computer,
+          MG,
+          ManagementGroupName,
+          RawData,
+          SourceSystem,
+          TenantId
+  };
+  parser(
+      starttime=starttime, 
+      endtime=endtime, 
+      commandline_has_any=commandline_has_any,
+      commandline_has_all=commandline_has_all,
+      commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,
+      actingprocess_has_any=actingprocess_has_any,
+      targetprocess_has_any=targetprocess_has_any,
+      parentprocess_has_any=parentprocess_has_any,
+      actorusername_has=actorusername_has,
+      dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
+      dvchostname_has_any=dvchostname_has_any,
+      eventtype=eventtype,
+      disabled=disabled
+  )

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_ASimProcessCreate_DataTest.csv

@@ -0,0 +1,25 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 2579889 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Carbon Black Cloud""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 2579889 records (100.0%) for field [EventVendor] of type [Enumerated]: [""VMware""] (Schema:ProcessEvent)"
+"(0) Error: 16 invalid value(s) (up to 10 listed) in 207597 records (8.05%) for field [DvcFQDN] of type [FQDN]: [""LEXICORP\\Desktop-CB"",""SKOVILLE\\jalapeno"",""SKOVILLE\\pequin"",""RTEST\\CB-RC-03"",""RTEST\\CB-RC-02"",""EIP\\WW-20002"",""SKOVILLE\\ranchero"",""SKOVILLE\\chilliseed"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01""] (Schema:ProcessEvent)"
+"(0) Error: 20 invalid value(s) (up to 10 listed) in 421476 records (16.34%) for field [Dvc] of type [Hostname]: [""LEXICORP\\Desktop-CB"",""SKOVILLE\\jalapeno"",""SKOVILLE\\pequin"",""ip-172-31-87-51.ec2.internal"",""RTEST\\CB-RC-03"",""RTEST\\CB-RC-02"",""qe-admins-Mac.local"",""EIP\\WW-20002"",""SKOVILLE\\ranchero"",""SKOVILLE\\chilliseed""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 167059 records (6.48%)  in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 192167 records (7.45%)  in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 891626 records (34.56%)  in mandatory field [ActorUsername] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 1071093 records (41.52%)  in recommended field [ParentProcessId] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 1622583 records (62.89%)  in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 175103 records (6.79%)  in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 203916 records (7.9%)  in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2059154 records (79.82%)  in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 207927 records (8.06%)  in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2137681 records (82.86%)  in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2158413 records (83.66%)  in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2158413 records (83.66%)  in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2473731 records (95.89%)  in optional field [DvcScope] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2499624 records (96.89%)  in optional field [EventMessage] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2499624 records (96.89%)  in optional field [EventOriginalUid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2579106 records (99.97%)  in optional field [DvcOsVersion] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 311186 records (12.06%)  in optional field [TargetProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 823 records (0.03%)  in optional field [EventOwner] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 891626 records (34.56%)  in optional field [ActorUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 893018 records (34.61%)  in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_ASimProcessCreate_SchemaTest.csv

@@ -0,0 +1,88 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [TargetProcessCreationTime]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessCreationTime]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA1]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSeverity]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessSHA1]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIntegrityLevel]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessSHA1]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserUpn]"
+"(2) Info: extra unnormalized column [RuleName]"
+"(2) Info: extra unnormalized column [Rule]"
+"(2) Info: extra unnormalized column [ThreatCategory]"
+"(2) Info: extra unnormalized column [ThreatConfidence]"
+"(2) Info: extra unnormalized column [ThreatDescription]"
+"(2) Info: extra unnormalized column [ThreatFirstReportedTime]"
+"(2) Info: extra unnormalized column [ThreatId]"
+"(2) Info: extra unnormalized column [ThreatOriginalConfidence]"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_ASimProcessTerminate_DataTest.csv

@@ -0,0 +1,15 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 394648 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Carbon Black Cloud""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 394648 records (100.0%) for field [EventVendor] of type [Enumerated]: [""VMware""] (Schema:ProcessEvent)"
+"(0) Error: 15 invalid value(s) (up to 10 listed) in 230672 records (58.45%) for field [DvcFQDN] of type [FQDN]: [""RTEST\\Oleg-TB2-Win10E"",""SKOVILLE\\ranchero"",""SKOVILLE\\pequin"",""EIP\\WW-20001"",""EIP\\WW-20003"",""RTEST\\CB-RC-02"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01"",""SKOVILLE\\jalapeno"",""SKOVILLE\\chilliseed""] (Schema:ProcessEvent)"
+"(0) Error: 17 invalid value(s) (up to 10 listed) in 255819 records (64.82%) for field [Dvc] of type [Hostname]: [""RTEST\\Oleg-TB2-Win10E"",""SKOVILLE\\ranchero"",""SKOVILLE\\pequin"",""EIP\\WW-20001"",""EIP\\WW-20003"",""RTEST\\CB-RC-02"",""qe-admins-Mac.local"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01"",""SKOVILLE\\jalapeno""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 30 records (0.01%)  in mandatory field [ActingProcessId] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 138829 records (35.18%)  in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 138829 records (35.18%)  in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 25147 records (6.37%)  in optional field [TargetProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 25154 records (6.37%)  in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 289371 records (73.32%)  in optional field [DvcScope] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 394648 records (100.0%)  in optional field [EventOriginalUid] (Schema:ProcessEvent)"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_ASimProcessTerminate_SchemaTest.csv

@@ -0,0 +1,89 @@
+Result
+"(0) Error: Missing field [TargetUsernameType] is mandatory when mandatory column [TargetUsername] exists"
+"(0) Error: Missing mandatory field [TargetUsername]"
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [ParentProcessId]"
+"(1) Warning: Missing recommended field [TargetProcessCreationTime]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessCreationTime]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA1]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSeverity]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessMD5]"
+"(2) Info: Missing optional field [ParentProcessName]"
+"(2) Info: Missing optional field [ParentProcessSHA1]"
+"(2) Info: Missing optional field [ParentProcessSHA256]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIntegrityLevel]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessSHA1]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserType]"
+"(2) Info: Missing optional field [TargetUserUpn]"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_vimProcessCreate_DataTest.csv

@@ -0,0 +1,25 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 2579889 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Carbon Black Cloud""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 2579889 records (100.0%) for field [EventVendor] of type [Enumerated]: [""VMware""] (Schema:ProcessEvent)"
+"(0) Error: 16 invalid value(s) (up to 10 listed) in 207597 records (8.05%) for field [DvcFQDN] of type [FQDN]: [""LEXICORP\\Desktop-CB"",""SKOVILLE\\jalapeno"",""SKOVILLE\\pequin"",""RTEST\\CB-RC-03"",""RTEST\\CB-RC-02"",""EIP\\WW-20002"",""SKOVILLE\\ranchero"",""SKOVILLE\\chilliseed"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01""] (Schema:ProcessEvent)"
+"(0) Error: 20 invalid value(s) (up to 10 listed) in 421476 records (16.34%) for field [Dvc] of type [Hostname]: [""LEXICORP\\Desktop-CB"",""SKOVILLE\\jalapeno"",""SKOVILLE\\pequin"",""ip-172-31-87-51.ec2.internal"",""RTEST\\CB-RC-03"",""RTEST\\CB-RC-02"",""qe-admins-Mac.local"",""EIP\\WW-20002"",""SKOVILLE\\ranchero"",""SKOVILLE\\chilliseed""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 167059 records (6.48%)  in mandatory field [TargetProcessName] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 192167 records (7.45%)  in mandatory field [TargetProcessCommandLine] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 891626 records (34.56%)  in mandatory field [ActorUsername] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 1071093 records (41.52%)  in recommended field [ParentProcessId] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 1622583 records (62.89%)  in optional field [ParentProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 175103 records (6.79%)  in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 203916 records (7.9%)  in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2059154 records (79.82%)  in optional field [ParentProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 207927 records (8.06%)  in optional field [TargetProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2137681 records (82.86%)  in optional field [ParentProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2158413 records (83.66%)  in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2158413 records (83.66%)  in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2473731 records (95.89%)  in optional field [DvcScope] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2499624 records (96.89%)  in optional field [EventMessage] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2499624 records (96.89%)  in optional field [EventOriginalUid] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 2579106 records (99.97%)  in optional field [DvcOsVersion] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 311186 records (12.06%)  in optional field [TargetProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 823 records (0.03%)  in optional field [EventOwner] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 891626 records (34.56%)  in optional field [ActorUserType] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 893018 records (34.61%)  in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_vimProcessCreate_SchemaTest.csv

@@ -0,0 +1,88 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [TargetProcessCreationTime]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessCreationTime]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA1]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSeverity]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessSHA1]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIntegrityLevel]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessSHA1]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserUpn]"
+"(2) Info: extra unnormalized column [RuleName]"
+"(2) Info: extra unnormalized column [Rule]"
+"(2) Info: extra unnormalized column [ThreatCategory]"
+"(2) Info: extra unnormalized column [ThreatConfidence]"
+"(2) Info: extra unnormalized column [ThreatDescription]"
+"(2) Info: extra unnormalized column [ThreatFirstReportedTime]"
+"(2) Info: extra unnormalized column [ThreatId]"
+"(2) Info: extra unnormalized column [ThreatOriginalConfidence]"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_vimProcessTerminate_DataTest.csv

@@ -0,0 +1,15 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 394648 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Carbon Black Cloud""] (Schema:ProcessEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 394648 records (100.0%) for field [EventVendor] of type [Enumerated]: [""VMware""] (Schema:ProcessEvent)"
+"(0) Error: 15 invalid value(s) (up to 10 listed) in 230672 records (58.45%) for field [DvcFQDN] of type [FQDN]: [""RTEST\\Oleg-TB2-Win10E"",""SKOVILLE\\ranchero"",""SKOVILLE\\pequin"",""EIP\\WW-20001"",""EIP\\WW-20003"",""RTEST\\CB-RC-02"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01"",""SKOVILLE\\jalapeno"",""SKOVILLE\\chilliseed""] (Schema:ProcessEvent)"
+"(0) Error: 17 invalid value(s) (up to 10 listed) in 255819 records (64.82%) for field [Dvc] of type [Hostname]: [""RTEST\\Oleg-TB2-Win10E"",""SKOVILLE\\ranchero"",""SKOVILLE\\pequin"",""EIP\\WW-20001"",""EIP\\WW-20003"",""RTEST\\CB-RC-02"",""qe-admins-Mac.local"",""RTEST\\bvpthrashbox001"",""UKCXC\\UKRD1SEVIC-01"",""SKOVILLE\\jalapeno""] (Schema:ProcessEvent)"
+"(1) Warning: Empty value in 30 records (0.01%)  in mandatory field [ActingProcessId] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 138829 records (35.18%)  in optional field [DvcFQDN] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 138829 records (35.18%)  in recommended field [DvcDomain] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 25147 records (6.37%)  in optional field [TargetProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 25154 records (6.37%)  in optional field [ActingProcessMD5] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 289371 records (73.32%)  in optional field [DvcScope] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessCommandLine] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessName] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 37 records (0.01%)  in optional field [ActingProcessSHA256] (Schema:ProcessEvent)"
+"(2) Info: Empty value in 394648 records (100.0%)  in optional field [EventOriginalUid] (Schema:ProcessEvent)"

Parsers/ASimProcessEvent/test/VMware_CarbonBlackCloud_vimProcessTerminate_SchemaTest.csv

@@ -0,0 +1,89 @@
+Result
+"(0) Error: Missing field [TargetUsernameType] is mandatory when mandatory column [TargetUsername] exists"
+"(0) Error: Missing mandatory field [TargetUsername]"
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [ParentProcessId]"
+"(1) Warning: Missing recommended field [TargetProcessCreationTime]"
+"(1) Warning: Missing recommended field [TargetUserId]"
+"(2) Info: Missing optional field [ActingProcessCreationTime]"
+"(2) Info: Missing optional field [ActingProcessFileCompany]"
+"(2) Info: Missing optional field [ActingProcessFileDescription]"
+"(2) Info: Missing optional field [ActingProcessFileInternalName]"
+"(2) Info: Missing optional field [ActingProcessFileOriginalName]"
+"(2) Info: Missing optional field [ActingProcessFileProduct]"
+"(2) Info: Missing optional field [ActingProcessFileSize]"
+"(2) Info: Missing optional field [ActingProcessFileVersion]"
+"(2) Info: Missing optional field [ActingProcessFilename]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [ActingProcessIMPHASH]"
+"(2) Info: Missing optional field [ActingProcessInjectedAddress]"
+"(2) Info: Missing optional field [ActingProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ActingProcessIsHidden]"
+"(2) Info: Missing optional field [ActingProcessSHA1]"
+"(2) Info: Missing optional field [ActingProcessSHA512]"
+"(2) Info: Missing optional field [ActingProcessTokenElevation]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserAadId]"
+"(2) Info: Missing optional field [ActorUserSid]"
+"(2) Info: Missing optional field [ActorUserUpn]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventResultDetails]"
+"(2) Info: Missing optional field [EventSeverity]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [ParentProcessCreationTime]"
+"(2) Info: Missing optional field [ParentProcessFileCompany]"
+"(2) Info: Missing optional field [ParentProcessFileDescription]"
+"(2) Info: Missing optional field [ParentProcessFileProduct]"
+"(2) Info: Missing optional field [ParentProcessFileVersion]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessIMPHASH]"
+"(2) Info: Missing optional field [ParentProcessInjectedAddress]"
+"(2) Info: Missing optional field [ParentProcessIntegrityLevel]"
+"(2) Info: Missing optional field [ParentProcessIsHidden]"
+"(2) Info: Missing optional field [ParentProcessMD5]"
+"(2) Info: Missing optional field [ParentProcessName]"
+"(2) Info: Missing optional field [ParentProcessSHA1]"
+"(2) Info: Missing optional field [ParentProcessSHA256]"
+"(2) Info: Missing optional field [ParentProcessSHA512]"
+"(2) Info: Missing optional field [ParentProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetProcessCurrentDirectory]"
+"(2) Info: Missing optional field [TargetProcessFileCompany]"
+"(2) Info: Missing optional field [TargetProcessFileDescription]"
+"(2) Info: Missing optional field [TargetProcessFileInternalName]"
+"(2) Info: Missing optional field [TargetProcessFileOriginalName]"
+"(2) Info: Missing optional field [TargetProcessFileProduct]"
+"(2) Info: Missing optional field [TargetProcessFileSize]"
+"(2) Info: Missing optional field [TargetProcessFileVersion]"
+"(2) Info: Missing optional field [TargetProcessFilename]"
+"(2) Info: Missing optional field [TargetProcessGuid]"
+"(2) Info: Missing optional field [TargetProcessIMPHASH]"
+"(2) Info: Missing optional field [TargetProcessInjectedAddress]"
+"(2) Info: Missing optional field [TargetProcessIntegrityLevel]"
+"(2) Info: Missing optional field [TargetProcessIsHidden]"
+"(2) Info: Missing optional field [TargetProcessSHA1]"
+"(2) Info: Missing optional field [TargetProcessSHA512]"
+"(2) Info: Missing optional field [TargetProcessStatusCode]"
+"(2) Info: Missing optional field [TargetProcessTokenElevation]"
+"(2) Info: Missing optional field [TargetScopeId]"
+"(2) Info: Missing optional field [TargetScope]"
+"(2) Info: Missing optional field [TargetUserAadId]"
+"(2) Info: Missing optional field [TargetUserSessionGuid]"
+"(2) Info: Missing optional field [TargetUserSessionId]"
+"(2) Info: Missing optional field [TargetUserSid]"
+"(2) Info: Missing optional field [TargetUserType]"
+"(2) Info: Missing optional field [TargetUserUpn]"

Sample Data/ASIM/VMware_CarbonBlackCloud_ASimProcessCreateThreat_IngestedLogs.csv

@@ -0,0 +1,9 @@
+TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [UTC]",Computer,RawData,"threatHunterInfo_md5_s","threatHunterInfo_iocId_s","deviceInfo_uemId_g","threat_id_s","threatHunterInfo_threatId_s","rule_id_g","attack_technique_s","rule_category_id_g","ioc_id_g","childproc_name_s","blocked_sha256_s","primary_event_id_g","blocked_name_s","childproc_effective_reputation_s","ttps_s","childproc_username_s","childproc_guid_s","blocked_effective_reputation_s","childproc_cmdline_s","attack_tactic_s","childproc_sha256_s","first_event_timestamp_t [UTC]","parent_reputation_s","run_state_s","mdr_alert_b","detection_timestamp_t [UTC]","parent_pid_d","threatHunterInfo_policyId_s","device_internal_ip_s","reason_s","alert_url_s","id_g","process_cmdline_s","process_username_s","process_guid_s","parent_sha256_s","report_tags_s","report_id_s","ml_classification_final_verdict_s","threatHunterInfo_processPath_d","device_policy_s","device_os_s","ml_classification_global_prevalence_s","primary_event_id_s","process_pid_d","determination_value_s","determination_change_timestamp_t [UTC]","ioc_id_s","process_issuer_s",Severity,"process_sha256_s","process_reputation_s","parent_md5_g","report_name_s","reason_code_s","backend_timestamp_t [UTC]","report_link_s","alert_notes_present_b","parent_cmdline_s","parent_guid_s","device_target_value_s","ioc_hit_s","device_external_ip_s","device_policy_id_d","device_os_version_s","policy_applied_s","parent_effective_reputation_s","process_name_s","version_s","device_location_s","report_description_s","threat_id_g","is_updated_b","parent_username_s","device_name_s","org_key_s","watchlists_s","workflow_status_s","workflow_change_timestamp_t [UTC]","workflow_changed_by_type_s","workflow_changed_by_s","workflow_closure_reason_s","process_effective_reputation_s","parent_name_s","process_publisher_s","mdr_alert_notes_present_b","process_md5_g","device_id_d","ml_classification_org_prevalence_s","sensor_action_s","device_username_s","backend_update_timestamp_t [UTC]","last_event_timestamp_t [UTC]","threatInfo_incidentId_g","threatInfo_score_d","threatInfo_summary_s","threatInfo_time_d","threatInfo_indicators_s","threatInfo_threatCause_reason_s","threatInfo_threatCause_reputation_s","threatInfo_threatCause_actor_s","threatInfo_threatCause_actorName_s","threatInfo_threatCause_actorProcessPPid_s","threatInfo_threatCause_threatCategory_s","threatInfo_threatCause_originSourceType_s","threatInfo_threatCause_causeEventId_g","threatInfo_threatCause_processGuid_s","threatInfo_threatCause_parentGuid_s","threatHunterInfo_incidentId_g","threatHunterInfo_score_d","threatHunterInfo_summary_s","threatHunterInfo_time_d","threatHunterInfo_indicators_s","threatHunterInfo_watchLists_s","threatHunterInfo_iocId_g","threatHunterInfo_count_d","threatHunterInfo_dismissed_b","threatHunterInfo_documentGuid_s","threatHunterInfo_firstActivityTime_d","threatHunterInfo_md5_g","threatHunterInfo_policyId_d","threatHunterInfo_processGuid_s","threatHunterInfo_processPath_s","threatHunterInfo_reportName_s","threatHunterInfo_reportId_s","threatHunterInfo_reputation_s","threatHunterInfo_responseAlarmId_g","threatHunterInfo_responseSeverity_d","threatHunterInfo_runState_s","threatHunterInfo_sha256_s","threatHunterInfo_targetPriority_s","threatHunterInfo_threatCause_reason_s","threatHunterInfo_threatCause_actorProcessPPid_s","threatHunterInfo_threatCause_parentGuid_s","threatHunterInfo_threatCause_causeEventId_s","threatHunterInfo_threatCause_reputation_s","threatHunterInfo_threatCause_actor_s","threatHunterInfo_threatCause_actorName_s","threatHunterInfo_threatCause_threatCategory_s","threatHunterInfo_threatCause_originSourceType_s","threatHunterInfo_threatCause_processGuid_s","threatHunterInfo_threatId_g","threatHunterInfo_lastUpdatedTime_d","threatHunterInfo_orgId_d","url_s","type_s","eventDescription_s","deviceInfo_internalIpAddress_s","deviceInfo_externalIpAddress_s","deviceInfo_targetPriorityCode_d","deviceInfo_groupName_s","deviceInfo_deviceId_d","deviceInfo_deviceName_s","deviceInfo_deviceType_s","deviceInfo_deviceVersion_s","deviceInfo_email_s","deviceInfo_targetPriorityType_s","deviceInfo_uemId_s","ruleName_s","eventTime_d",Type,"_ResourceId"
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/4/2023, 11:44:43.315 AM",,,,,,,,,,,,"c:\windows\system32\cmd.exe",bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527,"1b40aacb-32bb-11ee-b784-17ffc8c6bc2d","c:\windows\system32\cmd.exe","TRUSTED_WHITE_LIST","[""MITRE_T1059_001_POWERSHELL"",""RUN_CMD_SHELL"",""POLICY_DENY"",""MITRE_T1059_003_WIN_CMD_SHELL"",""FILELESS"",""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER""]","KOGNOS-W19-CB-3\Administrator","7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6","TRUSTED_WHITE_LIST","""cmd.exe"" /c """"",TA0002,bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527,"8/4/2023, 11:09:44.031 AM","TRUSTED_WHITE_LIST",RAN,false,"8/4/2023, 11:09:45.809 AM",2476,"7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526","10.0.14.120","The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.","https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3A825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47","825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47","""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup ""","KOGNOS-W19-CB-3\Administrator","7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526",731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b,,,,3,default,WINDOWS,,,164,NONE,"8/4/2023, 11:10:24.234 AM",,,3,de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c,"TRUSTED_WHITE_LIST",,,"T_POL_TERM_CHILD :  (cmd.exe)","8/4/2023, 11:10:24.234 AM",,false,,"7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232",MEDIUM,,"34.234.170.45",6525,"Windows Server 2019 x64",APPLIED,"TRUSTED_WHITE_LIST","c:\windows\system32\windowspowershell\v1.0\powershell.exe","2.0.0",OFFSITE,,"edfaac43-87bd-ad2d-4ce7-53ebee052208",true,"KOGNOS-W19-CB-3\Administrator","Kognos-W19-CB-3",7DESJ9GN,,OPEN,"8/4/2023, 11:10:24.234 AM",SYSTEM,"ALERT_CREATION","NO_REASON","TRUSTED_WHITE_LIST","c:\windows\system32\openssh\sshd.exe",,false,"7353f60b-1739-074e-b17c-5f4dddefe239",6948863,,TERMINATE,"rahul.gopi@devo.com","8/4/2023, 11:36:49.501 AM","8/4/2023, 11:36:08.865 AM",,3,"The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,,,,,,,"825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47",3,RAN,,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,"edfaac43-87bd-ad2d-4ce7-53ebee052208",,,"https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3A825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47","CB_ANALYTICS",,"10.0.14.120","34.234.170.45",,,6948863,"Kognos-W19-CB-3",WINDOWS,"Windows Server 2019 x64","rahul.gopi@devo.com",,,,,"CarbonBlackNotifications_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/4/2023, 11:59:55.051 AM",,,,,,,,,,,,"c:\windows\system32\cmd.exe",bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527,"f346ae59-32bc-11ee-b784-17ffc8c6bc2d","c:\windows\system32\cmd.exe","TRUSTED_WHITE_LIST","[""MITRE_T1059_001_POWERSHELL"",""MITRE_T1059_003_WIN_CMD_SHELL"",""RUN_CMD_SHELL"",""POLICY_DENY"",""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""FILELESS""]","KOGNOS-W19-CB-3\Administrator","7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a","TRUSTED_WHITE_LIST","""cmd.exe"" /c """"",TA0002,bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527,"8/4/2023, 11:43:46.645 AM","TRUSTED_WHITE_LIST",RAN,false,"8/4/2023, 11:43:48.369 AM",1380,"7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9","10.0.14.120","The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.","https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3Abcb284e7-c3a9-aff7-ae9e-30adaef1d88b","bcb284e7-c3a9-aff7-ae9e-30adaef1d88b","""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup ""","KOGNOS-W19-CB-3\Administrator","7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9",731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b,,,,3,default,WINDOWS,,,3080,NONE,"8/4/2023, 11:44:27.593 AM",,,3,de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c,"TRUSTED_WHITE_LIST",,,"T_POL_TERM_CHILD :  (cmd.exe)","8/4/2023, 11:44:27.593 AM",,false,,"7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066",MEDIUM,,"34.234.170.45",6525,"Windows Server 2019 x64",APPLIED,"TRUSTED_WHITE_LIST","c:\windows\system32\windowspowershell\v1.0\powershell.exe","2.0.0",OFFSITE,,"edfaac43-87bd-ad2d-4ce7-53ebee052208",true,"KOGNOS-W19-CB-3\Administrator","Kognos-W19-CB-3",7DESJ9GN,,OPEN,"8/4/2023, 11:44:27.593 AM",SYSTEM,"ALERT_CREATION","NO_REASON","TRUSTED_WHITE_LIST","c:\windows\system32\openssh\sshd.exe",,false,"7353f60b-1739-074e-b17c-5f4dddefe239",6948863,,TERMINATE,"rahul.gopi@devo.com","8/4/2023, 11:49:58.190 AM","8/4/2023, 11:49:21.074 AM",,3,"The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,,,,,,,"bcb284e7-c3a9-aff7-ae9e-30adaef1d88b",3,RAN,,,"T_POL_TERM_CHILD :  (cmd.exe)",,,,,,,,,,"edfaac43-87bd-ad2d-4ce7-53ebee052208",,,"https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3Abcb284e7-c3a9-aff7-ae9e-30adaef1d88b","CB_ANALYTICS",,"10.0.14.120","34.234.170.45",,,6948863,"Kognos-W19-CB-3",WINDOWS,"Windows Server 2019 x64","rahul.gopi@devo.com",,,,,"CarbonBlackNotifications_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/18/2023, 1:13:18.287 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"e5c49aab-f8f3-9654-9ca8-7d316cb70e25",3,"The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",1692364144818,"[{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""RUN_CMD_SHELL"",""indicatorName"":""RUN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""POLICY_DENY"",""indicatorName"":""POLICY_DENY"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_001_POWERSHELL"",""indicatorName"":""MITRE_T1059_001_POWERSHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""indicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""FILELESS"",""indicatorName"":""FILELESS"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""indicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""}]","T_POL_TERM_CHILD :  (cmd.exe)","TRUSTED_WHITE_LIST",de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c,"c:\windows\system32\windowspowershell\v1.0\powershell.exe","7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f","NON_MALWARE",UNKNOWN,"425ae323-3dc8-11ee-90cf-c173f1d31796","7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f","7DESJ9GN-006a07ff-00000a6c-00000000-1d9d1d5023d13e1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:e5c49aab-f8f3-9654-9ca8-7d316cb70e25%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",THREAT,"[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/e5c49aab-f8f3-9654-9ca8-7d316cb70e25] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: e5c49aab-f8f3-9654-9ca8-7d316cb70e25] [Threat score: 3] [Group: default] [Email: rahul.gopi@devo.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]
+","10.0.14.120","34.234.170.45",0,default,6948863,"Kognos-W19-CB-3",WINDOWS,"Windows Server 2019 x64","rahul.gopi@devo.com",MEDIUM,,"Crest_Notification",1692364080601,"CarbonBlackNotifications_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/18/2023, 12:37:02.022 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"3eab44ee-312f-9752-c27d-7314c38041a0",3,"The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",1692362145020,"[{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_001_POWERSHELL"",""indicatorName"":""MITRE_T1059_001_POWERSHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""FILELESS"",""indicatorName"":""FILELESS"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""indicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""RUN_CMD_SHELL"",""indicatorName"":""RUN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""POLICY_DENY"",""indicatorName"":""POLICY_DENY"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""indicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""}]","T_POL_TERM_CHILD :  (cmd.exe)","TRUSTED_WHITE_LIST",de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c,"c:\windows\system32\windowspowershell\v1.0\powershell.exe","7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075","NON_MALWARE",UNKNOWN,"9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365","7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075","7DESJ9GN-006a07ff-000005a4-00000000-1d9d1d059e3aa95",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:3eab44ee-312f-9752-c27d-7314c38041a0%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",THREAT,"[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/3eab44ee-312f-9752-c27d-7314c38041a0] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: 3eab44ee-312f-9752-c27d-7314c38041a0] [Threat score: 3] [Group: default] [Email: rahul.gopi@devo.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]
+","10.0.14.120","34.234.170.45",0,default,6948863,"Kognos-W19-CB-3",WINDOWS,"Windows Server 2019 x64","rahul.gopi@devo.com",MEDIUM,,"Crest_Notification",1692362084112,"CarbonBlackNotifications_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/18/2023, 12:03:36.603 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"7486167a-3641-2b92-88ce-f70c4d8e5626",3,"The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",1692360042171,"[{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""indicatorName"":""MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""indicatorName"":""MITRE_T1059_003_WIN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""RUN_CMD_SHELL"",""indicatorName"":""RUN_CMD_SHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""POLICY_DENY"",""indicatorName"":""POLICY_DENY"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""MITRE_T1059_001_POWERSHELL"",""indicatorName"":""MITRE_T1059_001_POWERSHELL"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""},{""mApplicationName"":""powershell.exe"",""mSha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"",""mIndicatorName"":""FILELESS"",""indicatorName"":""FILELESS"",""applicationName"":""powershell.exe"",""sha256Hash"":""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""}]","T_POL_TERM_CHILD :  (cmd.exe)","TRUSTED_WHITE_LIST",de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c,"c:\windows\system32\windowspowershell\v1.0\powershell.exe","7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34","NON_MALWARE",UNKNOWN,"b0a8ff4c-3dbe-11ee-8296-09214fa5925c","7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34","7DESJ9GN-006a07ff-00000878-00000000-1d9d1cb70704326",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:7486167a-3641-2b92-88ce-f70c4d8e5626%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",THREAT,"[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/7486167a-3641-2b92-88ce-f70c4d8e5626] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: 7486167a-3641-2b92-88ce-f70c4d8e5626] [Threat score: 3] [Group: default] [Email: rahul.gopi@devo.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]
+","10.0.14.120","34.234.170.45",0,default,6948863,"Kognos-W19-CB-3",WINDOWS,"Windows Server 2019 x64","rahul.gopi@devo.com",MEDIUM,,"Crest_Notification",1692359970578,"CarbonBlackNotifications_CL",

Sample Data/ASIM/VMware_CarbonBlackCloud_ASimProcessCreateThreat_RawLogs.json

@@ -0,0 +1,812 @@
+[
+ {
+   "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+   "SourceSystem": "RestAPI",
+   "MG": "",
+   "ManagementGroupName": "",
+   "TimeGenerated": "8/4/2023, 11:44:43.315 AM",
+   "Computer": "",
+   "RawData": "",
+   "rule_id": "",
+   "attack_technique": "",
+   "rule_category_id": "",
+   "childproc_name": "c:\\windows\\system32\\cmd.exe",
+   "blocked_sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527",
+   "primary_event_id": "1b40aacb-32bb-11ee-b784-17ffc8c6bc2d",
+   "blocked_name": "c:\\windows\\system32\\cmd.exe",
+   "childproc_effective_reputation": "TRUSTED_WHITE_LIST",
+   "ttps": "[\"MITRE_T1059_001_POWERSHELL\",\"RUN_CMD_SHELL\",\"POLICY_DENY\",\"MITRE_T1059_003_WIN_CMD_SHELL\",\"FILELESS\",\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\"]",
+   "childproc_username": "KOGNOS-W19-CB-3\\Administrator",
+   "childproc_guid": "7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6",
+   "blocked_effective_reputation": "TRUSTED_WHITE_LIST",
+   "childproc_cmdline": "\"cmd.exe\" /c \"\"",
+   "attack_tactic": "TA0002",
+   "childproc_sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527",
+   "first_event_timestamp": "8/4/2023, 11:09:44.031 AM",
+   "parent_reputation": "TRUSTED_WHITE_LIST",
+   "run_state": "RAN",
+   "mdr_alert_b": false,
+   "detection_timestamp": "8/4/2023, 11:09:45.809 AM",
+   "parent_pid": 2476,
+   "threatHunterInfo_policyId": "7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526",
+   "device_internal_ip": "10.0.14.120",
+   "reason": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "alert_url": "https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3A825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47",
+   "id": "825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47",
+   "process_cmdline": "\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" -c \"cd c:\\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup \"",
+   "process_username": "KOGNOS-W19-CB-3\\Administrator",
+   "process_guid": "7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526",
+   "parent_sha256": "731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b",
+   "report_tags": "",
+   "report_id": "",
+   "ml_classification_final_verdict": "",
+   "threatHunterInfo_processPath": 3,
+   "device_policy": "default",
+   "device_os": "WINDOWS",
+   "ml_classification_global_prevalence": "",
+   "process_pid": 164,
+   "determination_value": "NONE",
+   "determination_change_timestamp": "8/4/2023, 11:10:24.234 AM",
+   "ioc_id": "3d3ad319-5db5-4ba8-b36c-0a0275a1ed46",
+   "process_issuer": "",
+   "Severity": 3,
+   "process_sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+   "process_reputation": "TRUSTED_WHITE_LIST",
+   "parent_md5": "",
+   "report_name": "",
+   "reason_code": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "backend_timestamp": "8/4/2023, 11:10:24.234 AM",
+   "report_link": "",
+   "alert_notes_present_b": false,
+   "parent_cmdline": "",
+   "parent_guid": "7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232",
+   "device_target_value": "MEDIUM",
+   "ioc_hit": "",
+   "device_external_ip": "34.234.170.45",
+   "device_policy_id": 6525,
+   "device_os_version": "Windows Server 2019 x64",
+   "policy_applied": "APPLIED",
+   "parent_effective_reputation": "TRUSTED_WHITE_LIST",
+   "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+   "version": "2.0.0",
+   "device_location": "OFFSITE",
+   "report_description": "",
+   "threat_id": "edfaac43-87bd-ad2d-4ce7-53ebee052208",
+   "is_updated_b": true,
+   "parent_username": "KOGNOS-W19-CB-3\\Administrator",
+   "device_name": "Kognos-W19-CB-3",
+   "org_key": "7DESJ9GN",
+   "watchlists": "",
+   "workflow_status": "OPEN",
+   "workflow_change_timestamp": "8/4/2023, 11:10:24.234 AM",
+   "workflow_changed_by_type": "SYSTEM",
+   "workflow_changed_by": "ALERT_CREATION",
+   "workflow_closure_reason": "NO_REASON",
+   "process_effective_reputation": "TRUSTED_WHITE_LIST",
+   "parent_name": "c:\\windows\\system32\\openssh\\sshd.exe",
+   "process_publisher": "",
+   "mdr_alert_notes_present_b": false,
+   "process_md5": "7353f60b-1739-074e-b17c-5f4dddefe239",
+   "device_id": "6948863",
+   "ml_classification_org_prevalence": "",
+   "sensor_action": "TERMINATE",
+   "device_username": "sanitized@sanitized.com",
+   "backend_update_timestamp": "8/4/2023, 11:36:49.501 AM",
+   "last_event_timestamp": "8/4/2023, 11:36:08.865 AM",
+   "threatInfo_incidentId": "",
+   "threatInfo_score": 3,
+   "threatInfo_summary": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "threatInfo_time": null,
+   "threatInfo_indicators": "",
+   "threatInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatInfo_threatCause_reputation": "",
+   "threatInfo_threatCause_actor": "",
+   "threatInfo_threatCause_actorName": "",
+   "threatInfo_threatCause_actorProcessPPid": "",
+   "threatInfo_threatCause_threatCategory": "",
+   "threatInfo_threatCause_originSourceType": "",
+   "threatInfo_threatCause_causeEventId": "",
+   "threatInfo_threatCause_processGuid": "",
+   "threatInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_incidentId": "",
+   "threatHunterInfo_score": "",
+   "threatHunterInfo_summary": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatHunterInfo_time": "",
+   "threatHunterInfo_indicators": "",
+   "threatHunterInfo_watchLists": "",
+   "threatHunterInfo_iocId": "039c0eb1-8ad4-4a65-ab93-c1feab2e0847-0",
+   "threatHunterInfo_count": "",
+   "threatHunterInfo_dismissed_b": "",
+   "threatHunterInfo_documentGuid": "",
+   "threatHunterInfo_firstActivityTime": "",
+   "threatHunterInfo_md5": "d1080521-e617-4e45-94e0-7a145c62c90a",
+   "threatHunterInfo_processGuid": "",
+   "threatHunterInfo_reportName": "",
+   "threatHunterInfo_reportId": "",
+   "threatHunterInfo_reputation": "",
+   "threatHunterInfo_responseAlarmId": "825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47",
+   "threatHunterInfo_responseSeverity": 3,
+   "threatHunterInfo_runState": "RAN",
+   "threatHunterInfo_sha256": "",
+   "threatHunterInfo_targetPriority": "",
+   "threatHunterInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatHunterInfo_threatCause_actorProcessPPid": "",
+   "threatHunterInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_threatCause_causeEventId": "",
+   "threatHunterInfo_threatCause_reputation": "",
+   "threatHunterInfo_threatCause_actor": "",
+   "threatHunterInfo_threatCause_actorName": "",
+   "threatHunterInfo_threatCause_threatCategory": "",
+   "threatHunterInfo_threatCause_originSourceType": "",
+   "threatHunterInfo_threatCause_processGuid": "",
+   "threatHunterInfo_threatId": "edfaac43-87bd-ad2d-4ce7-53ebee052208",
+   "threatHunterInfo_lastUpdatedTime": "",
+   "threatHunterInfo_orgId": "",
+   "url": "https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3A825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47",
+   "type": "CB_ANALYTICS",
+   "eventDescription": "",
+   "deviceInfo_internalIpAddress": "10.0.14.120",
+   "deviceInfo_externalIpAddress": "34.234.170.45",
+   "deviceInfo_targetPriorityCode": null,
+   "deviceInfo_groupName": "",
+   "deviceInfo_deviceId": "6948863",
+   "deviceInfo_deviceName": "Kognos-W19-CB-3",
+   "deviceInfo_deviceType": "WINDOWS",
+   "deviceInfo_deviceVersion": "Windows Server 2019 x64",
+   "deviceInfo_email": "sanitized@sanitized.com",
+   "deviceInfo_targetPriorityType": "",
+   "deviceInfo_uemId": "24a87111-e272-0148-9ce2-45335c576103",
+   "ruleName": "",
+   "eventTime": null,
+   "Type": "CarbonBlackNotifications_CL",
+   "_ResourceId": ""
+ },
+ {
+   "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+   "SourceSystem": "RestAPI",
+   "MG": "",
+   "ManagementGroupName": "",
+   "TimeGenerated": "8/4/2023, 11:59:55.051 AM",
+   "Computer": "",
+   "RawData": "",
+   "rule_id": "",
+   "attack_technique": "",
+   "rule_category_id": "",
+   "childproc_name": "c:\\windows\\system32\\cmd.exe",
+   "blocked_sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527",
+   "primary_event_id": "f346ae59-32bc-11ee-b784-17ffc8c6bc2d",
+   "blocked_name": "c:\\windows\\system32\\cmd.exe",
+   "childproc_effective_reputation": "TRUSTED_WHITE_LIST",
+   "ttps": "[\"MITRE_T1059_001_POWERSHELL\",\"MITRE_T1059_003_WIN_CMD_SHELL\",\"RUN_CMD_SHELL\",\"POLICY_DENY\",\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"FILELESS\"]",
+   "childproc_username": "KOGNOS-W19-CB-3\\Administrator",
+   "childproc_guid": "7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a",
+   "blocked_effective_reputation": "TRUSTED_WHITE_LIST",
+   "childproc_cmdline": "\"cmd.exe\" /c \"\"",
+   "attack_tactic": "TA0002",
+   "childproc_sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527",
+   "first_event_timestamp": "8/4/2023, 11:43:46.645 AM",
+   "parent_reputation": "TRUSTED_WHITE_LIST",
+   "run_state": "RAN",
+   "mdr_alert_b": false,
+   "detection_timestamp": "8/4/2023, 11:43:48.369 AM",
+   "parent_pid": 1380,
+   "threatHunterInfo_policyId": "7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9",
+   "device_internal_ip": "10.0.14.120",
+   "reason": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "alert_url": "https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3Abcb284e7-c3a9-aff7-ae9e-30adaef1d88b",
+   "id": "bcb284e7-c3a9-aff7-ae9e-30adaef1d88b",
+   "process_cmdline": "\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" -c \"cd c:\\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup \"",
+   "process_username": "KOGNOS-W19-CB-3\\Administrator",
+   "process_guid": "7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9",
+   "parent_sha256": "731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b",
+   "report_tags": "",
+   "report_id": "",
+   "ml_classification_final_verdict": "",
+   "threatHunterInfo_processPath": 3,
+   "device_policy": "default",
+   "device_os": "WINDOWS",
+   "ml_classification_global_prevalence": "",
+   "process_pid": 3080,
+   "determination_value": "NONE",
+   "determination_change_timestamp": "8/4/2023, 11:44:27.593 AM",
+   "ioc_id": "",
+   "process_issuer": "",
+   "Severity": 3,
+   "process_sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+   "process_reputation": "TRUSTED_WHITE_LIST",
+   "parent_md5": "",
+   "report_name": "",
+   "reason_code": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "backend_timestamp": "8/4/2023, 11:44:27.593 AM",
+   "report_link": "",
+   "alert_notes_present_b": false,
+   "parent_cmdline": "",
+   "parent_guid": "7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066",
+   "device_target_value": "MEDIUM",
+   "ioc_hit": "",
+   "device_external_ip": "34.234.170.45",
+   "device_policy_id": 6525,
+   "device_os_version": "Windows Server 2019 x64",
+   "policy_applied": "APPLIED",
+   "parent_effective_reputation": "TRUSTED_WHITE_LIST",
+   "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+   "version": "2.0.0",
+   "device_location": "OFFSITE",
+   "report_description": "",
+   "threat_id": "edfaac43-87bd-ad2d-4ce7-53ebee052208",
+   "is_updated_b": true,
+   "parent_username": "KOGNOS-W19-CB-3\\Administrator",
+   "device_name": "Kognos-W19-CB-3",
+   "org_key": "7DESJ9GN",
+   "watchlists": "",
+   "workflow_status": "OPEN",
+   "workflow_change_timestamp": "8/4/2023, 11:44:27.593 AM",
+   "workflow_changed_by_type": "SYSTEM",
+   "workflow_changed_by": "ALERT_CREATION",
+   "workflow_closure_reason": "NO_REASON",
+   "process_effective_reputation": "TRUSTED_WHITE_LIST",
+   "parent_name": "c:\\windows\\system32\\openssh\\sshd.exe",
+   "process_publisher": "",
+   "mdr_alert_notes_present_b": false,
+   "process_md5": "7353f60b-1739-074e-b17c-5f4dddefe239",
+   "device_id": "6948863",
+   "ml_classification_org_prevalence": "",
+   "sensor_action": "TERMINATE",
+   "device_username": "sanitized@sanitized.com",
+   "backend_update_timestamp": "8/4/2023, 11:49:58.190 AM",
+   "last_event_timestamp": "8/4/2023, 11:49:21.074 AM",
+   "threatInfo_incidentId": "",
+   "threatInfo_score": 3,
+   "threatInfo_summary": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "threatInfo_time": null,
+   "threatInfo_indicators": "",
+   "threatInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatInfo_threatCause_reputation": "",
+   "threatInfo_threatCause_actor": "",
+   "threatInfo_threatCause_actorName": "",
+   "threatInfo_threatCause_actorProcessPPid": "",
+   "threatInfo_threatCause_threatCategory": "",
+   "threatInfo_threatCause_originSourceType": "",
+   "threatInfo_threatCause_causeEventId": "",
+   "threatInfo_threatCause_processGuid": "",
+   "threatInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_incidentId": "",
+   "threatHunterInfo_score": "",
+   "threatHunterInfo_summary": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatHunterInfo_time": "",
+   "threatHunterInfo_indicators": "",
+   "threatHunterInfo_watchLists": "",
+   "threatHunterInfo_iocId": "",
+   "threatHunterInfo_count": "",
+   "threatHunterInfo_dismissed_b": "",
+   "threatHunterInfo_documentGuid": "",
+   "threatHunterInfo_firstActivityTime": "",
+   "threatHunterInfo_md5": "",
+   "threatHunterInfo_processGuid": "",
+   "threatHunterInfo_reportName": "",
+   "threatHunterInfo_reportId": "",
+   "threatHunterInfo_reputation": "",
+   "threatHunterInfo_responseAlarmId": "bcb284e7-c3a9-aff7-ae9e-30adaef1d88b",
+   "threatHunterInfo_responseSeverity": 3,
+   "threatHunterInfo_runState": "RAN",
+   "threatHunterInfo_sha256": "",
+   "threatHunterInfo_targetPriority": "",
+   "threatHunterInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatHunterInfo_threatCause_actorProcessPPid": "",
+   "threatHunterInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_threatCause_causeEventId": "",
+   "threatHunterInfo_threatCause_reputation": "",
+   "threatHunterInfo_threatCause_actor": "",
+   "threatHunterInfo_threatCause_actorName": "",
+   "threatHunterInfo_threatCause_threatCategory": "",
+   "threatHunterInfo_threatCause_originSourceType": "",
+   "threatHunterInfo_threatCause_processGuid": "",
+   "threatHunterInfo_threatId": "edfaac43-87bd-ad2d-4ce7-53ebee052208",
+   "threatHunterInfo_lastUpdatedTime": "",
+   "threatHunterInfo_orgId": "",
+   "url": "https://defense.conferdeploy.net/alerts?orgKey=7DESJ9GN&s%5Bc%5D%5Bquery_string%5D=id%3Abcb284e7-c3a9-aff7-ae9e-30adaef1d88b",
+   "type": "CB_ANALYTICS",
+   "eventDescription": "",
+   "deviceInfo_internalIpAddress": "10.0.14.120",
+   "deviceInfo_externalIpAddress": "34.234.170.45",
+   "deviceInfo_targetPriorityCode": null,
+   "deviceInfo_groupName": "",
+   "deviceInfo_deviceId": "6948863",
+   "deviceInfo_deviceName": "Kognos-W19-CB-3",
+   "deviceInfo_deviceType": "WINDOWS",
+   "deviceInfo_deviceVersion": "Windows Server 2019 x64",
+   "deviceInfo_email": "sanitized@sanitized.com",
+   "deviceInfo_targetPriorityType": "",
+   "deviceInfo_uemId": "",
+   "ruleName": "",
+   "eventTime": null,
+   "Type": "CarbonBlackNotifications_CL",
+   "_ResourceId": ""
+ },
+ {
+   "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+   "SourceSystem": "RestAPI",
+   "MG": "",
+   "ManagementGroupName": "",
+   "TimeGenerated": "8/18/2023, 1:13:18.287 PM",
+   "Computer": "",
+   "RawData": "",
+   "rule_id": "",
+   "attack_technique": "",
+   "rule_category_id": "",
+   "childproc_name": "",
+   "blocked_sha256": "",
+   "blocked_name": "",
+   "childproc_effective_reputation": "",
+   "ttps": "",
+   "childproc_username": "",
+   "childproc_guid": "",
+   "blocked_effective_reputation": "",
+   "childproc_cmdline": "",
+   "attack_tactic": "",
+   "childproc_sha256": "",
+   "first_event_timestamp": "",
+   "parent_reputation": "",
+   "run_state": "",
+   "mdr_alert_b": null,
+   "detection_timestamp": "",
+   "parent_pid": null,
+   "device_internal_ip": "",
+   "reason": "",
+   "alert_url": "",
+   "id": "",
+   "process_cmdline": "",
+   "process_username": "",
+   "process_guid": "",
+   "parent_sha256": "",
+   "report_tags": "",
+   "report_id": "",
+   "ml_classification_final_verdict": "",
+   "device_policy": "",
+   "device_os": "",
+   "ml_classification_global_prevalence": "",
+   "primary_event_id": "",
+   "process_pid": null,
+   "determination_value": "",
+   "determination_change_timestamp": "",
+   "ioc_id": "",
+   "process_issuer": "",
+   "Severity": null,
+   "process_sha256": "",
+   "process_reputation": "",
+   "parent_md5": "",
+   "report_name": "",
+   "reason_code": "",
+   "backend_timestamp": "",
+   "report_link": "",
+   "alert_notes_present_b": null,
+   "parent_cmdline": "",
+   "parent_guid": "",
+   "device_target_value": "",
+   "ioc_hit": "",
+   "device_external_ip": "",
+   "device_policy_id": null,
+   "device_os_version": "",
+   "policy_applied": "",
+   "parent_effective_reputation": "",
+   "process_name": "",
+   "version": "",
+   "device_location": "",
+   "report_description": "",
+   "threat_id": "",
+   "is_updated_b": null,
+   "parent_username": "",
+   "device_name": "",
+   "org_key": "",
+   "watchlists": "",
+   "workflow_status": "",
+   "workflow_change_timestamp": "",
+   "workflow_changed_by_type": "",
+   "workflow_changed_by": "",
+   "workflow_closure_reason": "",
+   "process_effective_reputation": "",
+   "parent_name": "",
+   "process_publisher": "",
+   "mdr_alert_notes_present_b": null,
+   "process_md5": "",
+   "device_id": null,
+   "ml_classification_org_prevalence": "",
+   "sensor_action": "",
+   "device_username": "",
+   "backend_update_timestamp": "",
+   "last_event_timestamp": "",
+   "threatInfo_incidentId": "e5c49aab-f8f3-9654-9ca8-7d316cb70e25",
+   "threatInfo_score": 3,
+   "threatInfo_summary": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "threatInfo_time": 1692364144818,
+   "threatInfo_indicators": "[{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"RUN_CMD_SHELL\",\"indicatorName\":\"RUN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"POLICY_DENY\",\"indicatorName\":\"POLICY_DENY\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"indicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"indicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"FILELESS\",\"indicatorName\":\"FILELESS\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"indicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"}]",
+   "threatInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatInfo_threatCause_reputation": "TRUSTED_WHITE_LIST",
+   "threatInfo_threatCause_actor": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+   "threatInfo_threatCause_actorName": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+   "threatInfo_threatCause_actorProcessPPid": "7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f",
+   "threatInfo_threatCause_threatCategory": "NON_MALWARE",
+   "threatInfo_threatCause_originSourceType": "UNKNOWN",
+   "threatInfo_threatCause_causeEventId": "425ae323-3dc8-11ee-90cf-c173f1d31796",
+   "threatInfo_threatCause_processGuid": "7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f",
+   "threatInfo_threatCause_parentGuid": "7DESJ9GN-006a07ff-00000a6c-00000000-1d9d1d5023d13e1",
+   "threatHunterInfo_incidentId": "",
+   "threatHunterInfo_score": "",
+   "threatHunterInfo_summary": "",
+   "threatHunterInfo_time": "",
+   "threatHunterInfo_indicators": "",
+   "threatHunterInfo_watchLists": "",
+   "threatHunterInfo_iocId": "",
+   "threatHunterInfo_count": "",
+   "threatHunterInfo_dismissed_b": "",
+   "threatHunterInfo_documentGuid": "",
+   "threatHunterInfo_firstActivityTime": "",
+   "threatHunterInfo_md5": "",
+   "threatHunterInfo_policyId": 1234,
+   "threatHunterInfo_processGuid": "",
+   "threatHunterInfo_processPath": "",
+   "threatHunterInfo_reportName": "",
+   "threatHunterInfo_reportId": "",
+   "threatHunterInfo_reputation": "",
+   "threatHunterInfo_responseAlarmId": "",
+   "threatHunterInfo_responseSeverity": null,
+   "threatHunterInfo_runState": "",
+   "threatHunterInfo_sha256": "",
+   "threatHunterInfo_targetPriority": "",
+   "threatHunterInfo_threatCause_reason": "",
+   "threatHunterInfo_threatCause_actorProcessPPid": "",
+   "threatHunterInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_threatCause_causeEventId": "",
+   "threatHunterInfo_threatCause_reputation": "",
+   "threatHunterInfo_threatCause_actor": "",
+   "threatHunterInfo_threatCause_actorName": "",
+   "threatHunterInfo_threatCause_threatCategory": "",
+   "threatHunterInfo_threatCause_originSourceType": "",
+   "threatHunterInfo_threatCause_processGuid": "",
+   "threatHunterInfo_threatId": "",
+   "threatHunterInfo_lastUpdatedTime": "",
+   "threatHunterInfo_orgId": "",
+   "url": "https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:e5c49aab-f8f3-9654-9ca8-7d316cb70e25%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",
+   "type": "THREAT",
+   "eventDescription": "[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/e5c49aab-f8f3-9654-9ca8-7d316cb70e25] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: e5c49aab-f8f3-9654-9ca8-7d316cb70e25] [Threat score: 3] [Group: default] [Email: sanitized@sanitized.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]\n",
+   "deviceInfo_internalIpAddress": "10.0.14.120",
+   "deviceInfo_externalIpAddress": "34.234.170.45",
+   "deviceInfo_targetPriorityCode": 0,
+   "deviceInfo_groupName": "default",
+   "deviceInfo_deviceId": "6948863",
+   "deviceInfo_deviceName": "Kognos-W19-CB-3",
+   "deviceInfo_deviceType": "WINDOWS",
+   "deviceInfo_deviceVersion": "Windows Server 2019 x64",
+   "deviceInfo_email": "sanitized@sanitized.com",
+   "deviceInfo_targetPriorityType": "MEDIUM",
+   "deviceInfo_uemId": "",
+   "ruleName": "Crest_Notification",
+   "eventTime": 1692364080601,
+   "Type": "CarbonBlackNotifications_CL",
+   "_ResourceId": ""
+ },
+ {
+   "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+   "SourceSystem": "RestAPI",
+   "MG": "",
+   "ManagementGroupName": "",
+   "TimeGenerated": "8/18/2023, 12:37:02.022 PM",
+   "Computer": "",
+   "RawData": "",
+   "rule_id": "",
+   "attack_technique": "",
+   "rule_category_id": "",
+   "childproc_name": "",
+   "blocked_sha256": "",
+   "blocked_name": "",
+   "childproc_effective_reputation": "",
+   "ttps": "",
+   "childproc_username": "",
+   "childproc_guid": "",
+   "blocked_effective_reputation": "",
+   "childproc_cmdline": "",
+   "attack_tactic": "",
+   "childproc_sha256": "",
+   "first_event_timestamp": "",
+   "parent_reputation": "",
+   "run_state": "",
+   "mdr_alert_b": null,
+   "detection_timestamp": "",
+   "parent_pid": null,
+   "device_internal_ip": "",
+   "reason": "",
+   "alert_url": "",
+   "id": "",
+   "process_cmdline": "",
+   "process_username": "",
+   "process_guid": "",
+   "parent_sha256": "",
+   "report_tags": "",
+   "report_id": "",
+   "ml_classification_final_verdict": "",
+   "device_policy": "",
+   "device_os": "",
+   "ml_classification_global_prevalence": "",
+   "primary_event_id": "",
+   "process_pid": null,
+   "determination_value": "",
+   "determination_change_timestamp": "",
+   "ioc_id": "",
+   "process_issuer": "",
+   "Severity": null,
+   "process_sha256": "",
+   "process_reputation": "",
+   "parent_md5": "",
+   "report_name": "",
+   "reason_code": "",
+   "backend_timestamp": "",
+   "report_link": "",
+   "alert_notes_present_b": null,
+   "parent_cmdline": "",
+   "parent_guid": "",
+   "device_target_value": "",
+   "ioc_hit": "",
+   "device_external_ip": "",
+   "device_policy_id": null,
+   "device_os_version": "",
+   "policy_applied": "",
+   "parent_effective_reputation": "",
+   "process_name": "",
+   "version": "",
+   "device_location": "",
+   "report_description": "",
+   "threat_id": "",
+   "is_updated_b": null,
+   "parent_username": "",
+   "device_name": "",
+   "org_key": "",
+   "watchlists": "",
+   "workflow_status": "",
+   "workflow_change_timestamp": "",
+   "workflow_changed_by_type": "",
+   "workflow_changed_by": "",
+   "workflow_closure_reason": "",
+   "process_effective_reputation": "",
+   "parent_name": "",
+   "process_publisher": "",
+   "mdr_alert_notes_present_b": null,
+   "process_md5": "",
+   "device_id": null,
+   "ml_classification_org_prevalence": "",
+   "sensor_action": "",
+   "device_username": "",
+   "backend_update_timestamp": "",
+   "last_event_timestamp": "",
+   "threatInfo_incidentId": "3eab44ee-312f-9752-c27d-7314c38041a0",
+   "threatInfo_score": 3,
+   "threatInfo_summary": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "threatInfo_time": 1692362145020,
+   "threatInfo_indicators": "[{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"indicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"FILELESS\",\"indicatorName\":\"FILELESS\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"indicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"RUN_CMD_SHELL\",\"indicatorName\":\"RUN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"POLICY_DENY\",\"indicatorName\":\"POLICY_DENY\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"indicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"}]",
+   "threatInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatInfo_threatCause_reputation": "TRUSTED_WHITE_LIST",
+   "threatInfo_threatCause_actor": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+   "threatInfo_threatCause_actorName": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+   "threatInfo_threatCause_actorProcessPPid": "7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075",
+   "threatInfo_threatCause_threatCategory": "NON_MALWARE",
+   "threatInfo_threatCause_originSourceType": "UNKNOWN",
+   "threatInfo_threatCause_causeEventId": "9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365",
+   "threatInfo_threatCause_processGuid": "7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075",
+   "threatInfo_threatCause_parentGuid": "7DESJ9GN-006a07ff-000005a4-00000000-1d9d1d059e3aa95",
+   "threatHunterInfo_incidentId": "",
+   "threatHunterInfo_score": "",
+   "threatHunterInfo_summary": "",
+   "threatHunterInfo_time": "",
+   "threatHunterInfo_indicators": "",
+   "threatHunterInfo_watchLists": "",
+   "threatHunterInfo_iocId": "",
+   "threatHunterInfo_count": "",
+   "threatHunterInfo_dismissed_b": "",
+   "threatHunterInfo_documentGuid": "",
+   "threatHunterInfo_firstActivityTime": "",
+   "threatHunterInfo_md5": "",
+   "threatHunterInfo_policyId": "",
+   "threatHunterInfo_processGuid": "",
+   "threatHunterInfo_processPath": "",
+   "threatHunterInfo_reportName": "",
+   "threatHunterInfo_reportId": "",
+   "threatHunterInfo_reputation": "",
+   "threatHunterInfo_responseAlarmId": "",
+   "threatHunterInfo_responseSeverity": null,
+   "threatHunterInfo_runState": "",
+   "threatHunterInfo_sha256": "",
+   "threatHunterInfo_targetPriority": "",
+   "threatHunterInfo_threatCause_reason": "",
+   "threatHunterInfo_threatCause_actorProcessPPid": "",
+   "threatHunterInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_threatCause_causeEventId": "",
+   "threatHunterInfo_threatCause_reputation": "",
+   "threatHunterInfo_threatCause_actor": "",
+   "threatHunterInfo_threatCause_actorName": "",
+   "threatHunterInfo_threatCause_threatCategory": "",
+   "threatHunterInfo_threatCause_originSourceType": "",
+   "threatHunterInfo_threatCause_processGuid": "",
+   "threatHunterInfo_threatId": "",
+   "threatHunterInfo_lastUpdatedTime": "",
+   "threatHunterInfo_orgId": "",
+   "url": "https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:3eab44ee-312f-9752-c27d-7314c38041a0%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",
+   "type": "THREAT",
+   "eventDescription": "[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/3eab44ee-312f-9752-c27d-7314c38041a0] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: 3eab44ee-312f-9752-c27d-7314c38041a0] [Threat score: 3] [Group: default] [Email: sanitized@sanitized.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]\n",
+   "deviceInfo_internalIpAddress": "10.0.14.120",
+   "deviceInfo_externalIpAddress": "34.234.170.45",
+   "deviceInfo_targetPriorityCode": 0,
+   "deviceInfo_groupName": "default",
+   "deviceInfo_deviceId": "6948863",
+   "deviceInfo_deviceName": "Kognos-W19-CB-3",
+   "deviceInfo_deviceType": "WINDOWS",
+   "deviceInfo_deviceVersion": "Windows Server 2019 x64",
+   "deviceInfo_email": "sanitized@sanitized.com",
+   "deviceInfo_targetPriorityType": "MEDIUM",
+   "deviceInfo_uemId": "",
+   "ruleName": "Crest_Notification",
+   "eventTime": 1692362084112,
+   "Type": "CarbonBlackNotifications_CL",
+   "_ResourceId": ""
+ },
+ {
+   "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+   "SourceSystem": "RestAPI",
+   "MG": "",
+   "ManagementGroupName": "",
+   "TimeGenerated": "8/18/2023, 12:03:36.603 PM",
+   "Computer": "",
+   "RawData": "",
+   "rule_id": "",
+   "attack_technique": "",
+   "rule_category_id": "",
+   "childproc_name": "",
+   "blocked_sha256": "",
+   "blocked_name": "",
+   "childproc_effective_reputation": "",
+   "ttps": "",
+   "childproc_username": "",
+   "childproc_guid": "",
+   "blocked_effective_reputation": "",
+   "childproc_cmdline": "",
+   "attack_tactic": "",
+   "childproc_sha256": "",
+   "first_event_timestamp": "",
+   "parent_reputation": "",
+   "run_state": "",
+   "mdr_alert_b": null,
+   "detection_timestamp": "",
+   "parent_pid": null,
+   "device_internal_ip": "",
+   "reason": "",
+   "alert_url": "",
+   "id": "",
+   "process_cmdline": "",
+   "process_username": "",
+   "process_guid": "",
+   "parent_sha256": "",
+   "report_tags": "",
+   "report_id": "",
+   "ml_classification_final_verdict": "",
+   "device_policy": "",
+   "device_os": "",
+   "ml_classification_global_prevalence": "",
+   "primary_event_id": "",
+   "process_pid": null,
+   "determination_value": "",
+   "determination_change_timestamp": "",
+   "ioc_id": "",
+   "process_issuer": "",
+   "Severity": null,
+   "process_sha256": "",
+   "process_reputation": "",
+   "parent_md5": "",
+   "report_name": "",
+   "reason_code": "",
+   "backend_timestamp": "",
+   "report_link": "",
+   "alert_notes_present_b": null,
+   "parent_cmdline": "",
+   "parent_guid": "",
+   "device_target_value": "",
+   "ioc_hit": "",
+   "device_external_ip": "",
+   "device_policy_id": null,
+   "device_os_version": "",
+   "policy_applied": "",
+   "parent_effective_reputation": "",
+   "process_name": "",
+   "version": "",
+   "device_location": "",
+   "report_description": "",
+   "threat_id": "",
+   "is_updated_b": null,
+   "parent_username": "",
+   "device_name": "",
+   "org_key": "",
+   "watchlists": "",
+   "workflow_status": "",
+   "workflow_change_timestamp": "",
+   "workflow_changed_by_type": "",
+   "workflow_changed_by": "",
+   "workflow_closure_reason": "",
+   "process_effective_reputation": "",
+   "parent_name": "",
+   "process_publisher": "",
+   "mdr_alert_notes_present_b": null,
+   "process_md5": "",
+   "device_id": null,
+   "ml_classification_org_prevalence": "",
+   "sensor_action": "",
+   "device_username": "",
+   "backend_update_timestamp": "",
+   "last_event_timestamp": "",
+   "threatInfo_incidentId": "7486167a-3641-2b92-88ce-f70c4d8e5626",
+   "threatInfo_score": 3,
+   "threatInfo_summary": "The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.",
+   "threatInfo_time": 1692360042171,
+   "threatInfo_indicators": "[{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"indicatorName\":\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"indicatorName\":\"MITRE_T1059_003_WIN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"RUN_CMD_SHELL\",\"indicatorName\":\"RUN_CMD_SHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"POLICY_DENY\",\"indicatorName\":\"POLICY_DENY\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"indicatorName\":\"MITRE_T1059_001_POWERSHELL\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"},{\"mApplicationName\":\"powershell.exe\",\"mSha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"mIndicatorName\":\"FILELESS\",\"indicatorName\":\"FILELESS\",\"applicationName\":\"powershell.exe\",\"sha256Hash\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\"}]",
+   "threatInfo_threatCause_reason": "T_POL_TERM_CHILD :  (cmd.exe)",
+   "threatInfo_threatCause_reputation": "TRUSTED_WHITE_LIST",
+   "threatInfo_threatCause_actor": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
+   "threatInfo_threatCause_actorName": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+   "threatInfo_threatCause_actorProcessPPid": "7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34",
+   "threatInfo_threatCause_threatCategory": "NON_MALWARE",
+   "threatInfo_threatCause_originSourceType": "UNKNOWN",
+   "threatInfo_threatCause_causeEventId": "b0a8ff4c-3dbe-11ee-8296-09214fa5925c",
+   "threatInfo_threatCause_processGuid": "7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34",
+   "threatInfo_threatCause_parentGuid": "7DESJ9GN-006a07ff-00000878-00000000-1d9d1cb70704326",
+   "threatHunterInfo_incidentId": "",
+   "threatHunterInfo_score": "",
+   "threatHunterInfo_summary": "",
+   "threatHunterInfo_time": "",
+   "threatHunterInfo_indicators": "",
+   "threatHunterInfo_watchLists": "",
+   "threatHunterInfo_iocId": "",
+   "threatHunterInfo_count": "",
+   "threatHunterInfo_dismissed_b": "",
+   "threatHunterInfo_documentGuid": "",
+   "threatHunterInfo_firstActivityTime": "",
+   "threatHunterInfo_md5": "",
+   "threatHunterInfo_policyId": "",
+   "threatHunterInfo_processGuid": "",
+   "threatHunterInfo_processPath": "",
+   "threatHunterInfo_reportName": "",
+   "threatHunterInfo_reportId": "",
+   "threatHunterInfo_reputation": "",
+   "threatHunterInfo_responseAlarmId": "",
+   "threatHunterInfo_responseSeverity": null,
+   "threatHunterInfo_runState": "",
+   "threatHunterInfo_sha256": "",
+   "threatHunterInfo_targetPriority": "",
+   "threatHunterInfo_threatCause_reason": "",
+   "threatHunterInfo_threatCause_actorProcessPPid": "",
+   "threatHunterInfo_threatCause_parentGuid": "",
+   "threatHunterInfo_threatCause_causeEventId": "",
+   "threatHunterInfo_threatCause_reputation": "",
+   "threatHunterInfo_threatCause_actor": "",
+   "threatHunterInfo_threatCause_actorName": "",
+   "threatHunterInfo_threatCause_threatCategory": "",
+   "threatHunterInfo_threatCause_originSourceType": "",
+   "threatHunterInfo_threatCause_processGuid": "",
+   "threatHunterInfo_threatId": "",
+   "threatHunterInfo_lastUpdatedTime": "",
+   "threatHunterInfo_orgId": "",
+   "url": "https://defense.conferdeploy.net/cb/investigate/events?query=alert_id:7486167a-3641-2b92-88ce-f70c4d8e5626%20AND%20device_id:6948863&searchWindow=ALL&orgKey=7DESJ9GN",
+   "type": "THREAT",
+   "eventDescription": "[Crest_Notification] [Carbon Black has detected a threat against your company.] [https://defense.conferdeploy.net#device/6948863/incident/7486167a-3641-2b92-88ce-f70c4d8e5626] [The application powershell.exe invoked another application (cmd.exe) on behalf of sshd.exe. A Deny Policy Action was applied.] [Incident id: 7486167a-3641-2b92-88ce-f70c4d8e5626] [Threat score: 3] [Group: default] [Email: sanitized@sanitized.com] [Name: Kognos-W19-CB-3] [Type and OS: WINDOWS Windows Server 2019 x64] [Severity: Threat]\n",
+   "deviceInfo_internalIpAddress": "10.0.14.120",
+   "deviceInfo_externalIpAddress": "34.234.170.45",
+   "deviceInfo_targetPriorityCode": 0,
+   "deviceInfo_groupName": "default",
+   "deviceInfo_deviceId": "6948863",
+   "deviceInfo_deviceName": "Kognos-W19-CB-3",
+   "deviceInfo_deviceType": "WINDOWS",
+   "deviceInfo_deviceVersion": "Windows Server 2019 x64",
+   "deviceInfo_email": "sanitized@sanitized.com",
+   "deviceInfo_targetPriorityType": "MEDIUM",
+   "deviceInfo_uemId": "",
+   "ruleName": "Crest_Notification",
+   "eventTime": 1692359970578,
+   "Type": "CarbonBlackNotifications_CL",
+   "_ResourceId": ""
+ }
+]

Sample Data/ASIM/VMware_CarbonBlackCloud_ASimProcessCreate_IngestedLogs.csv

@@ -0,0 +1,178 @@
+TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,modload_md5_s,fileless_scriptload_hash_s,fileless_scriptload_cmdline_length_d,fileless_scriptload_cmdline_s,scriptload_hash_s,scriptload_content_length_d,scriptload_content_s,incidentId_g,alert_id_g,securityEventCode_g,process_fork_pid_d,scriptload_effective_reputation_s,scriptload_publisher_s,scriptload_count_d,scriptload_reputation_s,scriptload_name_s,childproc_publisher_s,crossproc_name_s,crossproc_hash_s,crossproc_guid_s,crossproc_action_s,crossproc_publisher_s,crossproc_target_b,crossproc_reputation_s,process_publisher_s,filemod_name_s,filemod_hash_s,netconn_community_id_s,modload_md5_g,modload_publisher_s,modload_hash_s,modload_effective_reputation_s,modload_name_s,modload_sha256_s,modload_count_d,process_duration_d,crossproc_api_s,regmod_name_s,target_cmdline_s,childproc_username_s,childproc_pid_d,childproc_name_s,childproc_reputation_s,childproc_guid_s,childproc_hash_s,processDetails_targetCommandLine_s,local_ip_s,parent_reputation_s,netconn_inbound_b,createTime_s,eventTime_s,process_username_s,processDetails_parentName_s,type_s,device_name_s,process_path_s,event_origin_s,longDescription_s,parent_cmdline_s,processDetails_fullUserName_s,parent_pid_d,parent_path_s,backend_timestamp_s,device_external_ip_s,device_os_s,processDetails_parentPid_d,deviceDetails_deviceIpAddress_s,parent_hash_s,local_port_d,deviceDetails_msmGroupName_s,deviceDetails_deviceName_s,device_group_s,sensor_action_s,org_key_s,action_s,remote_ip_s,processDetails_processId_d,event_description_s,process_terminated_b,processDetails_commandLine_s,event_id_g,device_timestamp_s,deviceDetails_deviceType_s,process_cmdline_s,deviceDetails_deviceId_s,shortDescription_s,process_hash_s,process_guid_s,device_id_s,netconn_protocol_s,schema_d,eventType_s,remote_port_d,processDetails_parentCommandLine_s,eventId_g,process_reputation_s,netFlow_peerFqdn_s,netconn_domain_s,deviceDetails_deviceIpV4Address_s,process_pid_d,parent_guid_s,netFlow_peerIpAddress_s,Type,_ResourceId
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/lib/systemd/systemd-journald,root,461,/usr/lib/systemd/systemd-journald,REP_NOT_LISTED,7DESJ9GN-00440d6d-000001cd-00000000-1d8f5e02137547a,"[""c3c5582bc04ce0c43a23d5eba512ead3"",""e4071a71156080050afd67052c8724623742c3e10d8338460a7fbf7a6a1bceca""]",/usr/lib/systemd/systemd-journald,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862063 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862063 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/lvmetad -f,root,490,/usr/sbin/lvmetad,REP_NOT_LISTED,7DESJ9GN-00440d6d-000001ea-00000000-1d8f5e02137547b,"[""17bb112a2c9df3ae92fcabe0cd0d91ae"",""c972f15943dd115a8803221921c045c4ef90a64aa081a1c0a3392f63e77453c8""]",/usr/sbin/lvmetad -f,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862073 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862073 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/lib/systemd/systemd-udevd,root,501,/usr/lib/systemd/systemd-udevd,REP_NOT_LISTED,7DESJ9GN-00440d6d-000001f5-00000000-1d8f5e02137547c,"[""bbc7ab50df9f5130a1255828207eccee"",""b0748bf23ca812450827f1438e4c9f344f46aab3917b961d9f1db62de6ada4a0""]",/usr/lib/systemd/systemd-udevd,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.286208 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.286208 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/sbin/auditd,root,628,/usr/sbin/auditd,REP_WHITE,7DESJ9GN-00440d6d-00000274-00000000-1d8f5e02137547e,"[""fd1d4ab71650a77ae6df973bad437cf6"",""fb728051d437f42c7846bb0b72fb6452c8968d8c62313f69a503b7732732dab2""]",/sbin/auditd,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862088 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862088 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/sbin/audispd,root,630,/usr/sbin/audispd,REP_WHITE,7DESJ9GN-00440d6d-00000276-00000000-1d8f5e02137547f,"[""71250197e9f6fabc6a547f4610947e63"",""be55103ad833ae87ada7cd9a83282cbc9606e577fd4d36794e3cf60122021f2c""]",/sbin/audispd,,REP_NOT_LISTED,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862099 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/sbin/auditd,EDR,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,628,,false,/sbin/auditd,,2023-08-09 03:53:12.2862099 +0000 UTC,LINUX,/sbin/auditd,4459885,,"[""fd1d4ab71650a77ae6df973bad437cf6"",""fb728051d437f42c7846bb0b72fb6452c8968d8c62313f69a503b7732732dab2""]",7DESJ9GN-00440d6d-00000274-00000000-1d8f5e02137547e,4459885,,1,endpoint.event.procstart,,/sbin/auditd,,REP_WHITE,,,10.20.30.40,628,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/sedispatch,root,639,/usr/sbin/sedispatch,REP_ADAPTIVE,7DESJ9GN-00440d6d-0000027f-00000000-1d8f5e021375480,"[""28235caac2ea3edd9b3e93dbbfaeb986"",""b89ea9e9f82b8c2185749a552d1759210c120ff48b4f247211c5e9473eb89da9""]",/usr/sbin/sedispatch,,REP_WHITE,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862105 +0000 UTC,root,/usr/sbin/auditd,endpoint.event.procstart,centos7-trn-cb1,/usr/sbin/audispd,EDR,,/sbin/auditd,root,628,/usr/sbin/auditd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,628,10.20.30.40,"[""fd1d4ab71650a77ae6df973bad437cf6"",""fb728051d437f42c7846bb0b72fb6452c8968d8c62313f69a503b7732732dab2""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,630,,false,/sbin/audispd,,2023-08-09 03:53:12.2862105 +0000 UTC,LINUX,/sbin/audispd,4459885,,"[""71250197e9f6fabc6a547f4610947e63"",""be55103ad833ae87ada7cd9a83282cbc9606e577fd4d36794e3cf60122021f2c""]",7DESJ9GN-00440d6d-00000276-00000000-1d8f5e02137547f,4459885,,1,endpoint.event.procstart,,/sbin/audispd,,REP_WHITE,,,10.20.30.40,630,7DESJ9GN-00440d6d-00000274-00000000-1d8f5e02137547e,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/bin/lsmd -d,libstoragemgmt,652,/usr/bin/lsmd,REP_ADAPTIVE,7DESJ9GN-00440d6d-0000028c-00000000-1d8f5e021375481,"[""7c58333236698c53e027280596d5211a"",""e06b15074d0b7e133d56863f41feae15bc9dea2609dcfec13fc8dff6b4c87b98""]",/usr/bin/lsmd -d,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862113 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862113 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/irqbalance --foreground,root,656,/usr/sbin/irqbalance,REP_WHITE,7DESJ9GN-00440d6d-00000290-00000000-1d8f5e021375482,"[""75c36189f2d096a5bae7b1c2af78f90f"",""ed2dda73ecac8dda44391c920f11723f6a68dbd5c2920e160ddc0755f2b19050""]",/usr/sbin/irqbalance --foreground,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862127 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862127 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/smartd -n -q never,root,659,/usr/sbin/smartd,REP_ADAPTIVE,7DESJ9GN-00440d6d-00000293-00000000-1d8f5e021375483,"[""efcd70d892309b48a6c04044eb83b76b"",""dd2a1658cfd0074bdcdb81744d4b5590d46c3a1ecef4cd489f1ee620b1a2a2d9""]",/usr/sbin/smartd -n -q never,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862137 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862137 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/sbin/rngd -f,root,670,/usr/sbin/rngd,REP_COMMON,7DESJ9GN-00440d6d-0000029e-00000000-1d8f5e021375484,"[""233eb07fa9e5d0b6112de48c589e49e7"",""258a3e4e36c1864fffde994156d408966b3ec5dc2342a560f0440c2635f608b3""]",/sbin/rngd -f,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862148 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862148 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation,dbus,671,/usr/bin/dbus-daemon,REP_WHITE,7DESJ9GN-00440d6d-0000029f-00000000-1d8f5e021375485,"[""8bc8fb0895f8767798f9edc1b10fbf5b"",""9121034143a65803c710e43b40bdb8075aa55bf5b7720e9d088cfeb753e907f6""]",/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862158 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862158 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/chronyd,chrony,676,/usr/sbin/chronyd,REP_WHITE,7DESJ9GN-00440d6d-000002a4-00000000-1d8f5e021375486,"[""919aa879e59e4cc4ad2638d2d6271eb9"",""5fc9a67facabbe3abc2970db5d3ace95f591cf0d307b83c76a62873410dc652a""]",/usr/sbin/chronyd,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862169 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862169 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/abrtd -d -s,root,689,/usr/sbin/abrtd,REP_NOT_LISTED,7DESJ9GN-00440d6d-000002b1-00000000-1d8f5e021375487,"[""3c103cb963876f90fbade5a9d2c8bd3f"",""508ada446d40382f5ecf18491dedebd8b7c806af6922f9565cb7a14205e4eb58""]",/usr/sbin/abrtd -d -s,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862178 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862178 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/bin/abrt-watch-log -F Backtrace /var/log/Xorg.0.log -- /usr/bin/abrt-dump-xorg -xD,root,691,/usr/bin/abrt-watch-log,REP_NOT_LISTED,7DESJ9GN-00440d6d-000002b3-00000000-1d8f5e021375488,"[""cc9f0f046e9137a3eeb0cb2546906f1b"",""0f6b8d4fabfe1df45c0e931dd526453343132ab36dd2314f2c320be13aeb0ed3""]",/usr/bin/abrt-watch-log -F Backtrace /var/log/Xorg.0.log -- /usr/bin/abrt-dump-xorg -xD,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862194 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862194 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow (cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! page_mapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD,root,692,/usr/bin/abrt-watch-log,REP_NOT_LISTED,7DESJ9GN-00440d6d-000002b4-00000000-1d8f5e021375489,"[""cc9f0f046e9137a3eeb0cb2546906f1b"",""0f6b8d4fabfe1df45c0e931dd526453343132ab36dd2314f2c320be13aeb0ed3""]",/usr/bin/abrt-watch-log -F BUG: WARNING: at WARNING: CPU: INFO: possible recursive locking detected ernel BUG at list_del corruption list_add corruption do_IRQ: stack overflow: ear stack overflow (cur: eneral protection fault nable to handle kernel ouble fault: RTNL: assertion failed eek! page_mapcount(page) went negative! adness at NETDEV WATCHDOG ysctl table check failed : nobody cared IRQ handler type mismatch Kernel panic - not syncing: Machine Check Exception: Machine check events logged divide error: bounds: coprocessor segment overrun: invalid TSS: segment not present: invalid opcode: alignment check: stack segment: fpu exception: simd exception: iret exception: /var/log/messages -- /usr/bin/abrt-dump-oops -xtD,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862203 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862203 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/bin/bash /usr/sbin/ksmtuned,root,704,/usr/bin/bash,REP_ADAPTIVE,7DESJ9GN-00440d6d-000002c0-00000000-1d8f5e02137548a,"[""708c8760385810080c4d17fa84d325ca"",""a5f3d6f51fe87d0a01b4d4a1907952bdaf31b5f0887f5b2253a83f9f0180c2ce""]",/bin/bash /usr/sbin/ksmtuned,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862212 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862212 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/gssproxy -D,root,688,/usr/sbin/gssproxy,REP_NOT_LISTED,7DESJ9GN-00440d6d-000002b0-00000000-1d8f5e02137548c,"[""fcda4591f0d4a115b3874b08c51d72d8"",""066694ba1b402f9a65aa13f3837bd3a1de20bd791d0bf7d60de20401d7da6e9b""]",/usr/sbin/gssproxy -D,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.286222 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.286222 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/sshd -D,root,948,/usr/sbin/sshd,REP_NOT_LISTED,7DESJ9GN-00440d6d-000003b4-00000000-1d8f5e02137548d,"[""686cd72b4339da33bfb6fe8fb94a301f"",""2c6bf828ee0b4e78c49a71affd3d33b7916700cf7a288cd1a55fc4e701e50d68""]",/usr/sbin/sshd -D,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862228 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862228 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/opt/carbonblack/psc/bin/cbagentd --foreground,root,950,/opt/carbonblack/psc/bin/cbagentd,REP_NOT_LISTED,7DESJ9GN-00440d6d-000003b6-00000000-1d8f5e02137548e,"[""370aa96645476d0239f5f26d602ad415"",""61446c07210dd31c1224186fccaef8820ec48ab573a872533a350120e8ed29a1""]",/opt/carbonblack/psc/bin/cbagentd --foreground,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862236 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862236 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:30.273 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/usr/sbin/cupsd -f,root,953,/usr/sbin/cupsd,REP_NOT_LISTED,7DESJ9GN-00440d6d-000003b9-00000000-1d8f5e021375492,"[""a394e5e1ba2dd58d31b1d52fe9627b42"",""d9c6b8b9f54a00fc3726c25c7c0795cc5d3e9ca4da61b5b33aebaa69534592ea""]",/usr/sbin/cupsd -f,,REP_RESOLVING,,2023-08-09 03:56:15 +0000 UTC,2023-08-09 03:53:12.2862242 +0000 UTC,root,/usr/lib/systemd/systemd,endpoint.event.procstart,centos7-trn-cb1,/usr/lib/systemd/systemd,EDR,,,root,1,/usr/lib/systemd/systemd,2023-08-09 03:56:15 +0000 UTC,10.20.30.40,LINUX,1,10.20.30.40,"["""",""""]",,,centos7-trn-cb1,,ACTION_ALLOW,7DESJ9GN,ACTION_PROCESS_DISCOVERED,,1,,false,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,2023-08-09 03:53:12.2862242 +0000 UTC,LINUX,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,4459885,,"[""2666533c8580cf6e47d0c34c144836f6"",""8535bf6fd3478955e9d7e5944ec6c611c10c02d146d2502a40d5d70f8e02c7b4""]",7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375479,4459885,,1,endpoint.event.procstart,,/usr/lib/systemd/systemd --switched-root --system --deserialize 22,,REP_NOT_LISTED,,,10.20.30.40,1,7DESJ9GN-00440d6d-00000001-00000000-1d8f5e021375478,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:09.946 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,logger -p cron.notice -t run-parts(/etc/cron.hourly)[8265] starting 0anacron,root,8268,/usr/bin/logger,REP_NOT_LISTED,7DESJ9GN-00576f16-0000204c-00000000-1d9ca761c963ce0,"["""",""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149""]",logger -p cron.notice -t run-parts(/etc/cron.hourly)[8265] starting 0anacron,,,,2023-08-09 04:01:19 +0000 UTC,2023-08-09 04:01:01.87 +0000 UTC,root,,endpoint.event.procstart,ip-172-31-87-51.ec2.internal,/usr/bin/run-parts,NGAV,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ",,root,0,,2023-08-09 04:01:19 +0000 UTC,3.87.15.173,LINUX,0,3.87.15.173,,,,ip-172-31-87-51.ec2.internal,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,8265,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ",false,run-parts /etc/cron.hourly,5e371cea-3669-11ee-90da-6f980c1abb4c,2023-08-09 04:01:01.87 +0000 UTC,LINUX,run-parts /etc/cron.hourly,5730070,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ","[""caf460fcd592f1d872416e81e3ad3f52"",""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8""]",7DESJ9GN-00576f16-00002049-00000000-1d9ca761c937dc0,5730070,,1,endpoint.event.procstart,,run-parts /etc/cron.hourly,5e371cea-3669-11ee-90da-6f980c1abb4c,REP_WHITE,,,3.87.15.173,8265,,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:09.852 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,logger -p cron.notice -t run-parts(/etc/cron.hourly)[8265] starting 0anacron,root,8268,/usr/bin/logger,REP_NOT_LISTED,7DESJ9GN-00576f16-0000204c-00000000-1d9ca761c963ce0,"["""",""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149""]",logger -p cron.notice -t run-parts(/etc/cron.hourly)[8265] starting 0anacron,,,,2023-08-09 04:01:19 +0000 UTC,2023-08-09 04:01:01.87 +0000 UTC,root,,endpoint.event.procstart,ip-172-31-87-51.ec2.internal,/usr/bin/run-parts,NGAV,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ",,root,0,,2023-08-09 04:01:19 +0000 UTC,3.87.15.173,LINUX,0,3.87.15.173,,,,ip-172-31-87-51.ec2.internal,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,8265,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ",false,run-parts /etc/cron.hourly,5e371cea-3669-11ee-90da-6f980c1abb4c,2023-08-09 04:01:01.87 +0000 UTC,LINUX,run-parts /etc/cron.hourly,5730070,"The application ""<share><link hash=""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8"">/usr/bin/run-parts</link></share>"" invoked the application ""<share><link hash=""caa8cfe6f75f3fa5b2e45ee6ae99602cbb8dd49a2349b0bc68b017a06ac8f149"">/usr/bin/logger</link></share>"". ","[""caf460fcd592f1d872416e81e3ad3f52"",""817ba56e548a53957b5709ce7186441cbca73b7b98fbc28ec25474dfd09c94e8""]",7DESJ9GN-00576f16-00002049-00000000-1d9ca761c937dc0,5730070,,1,endpoint.event.procstart,,run-parts /etc/cron.hourly,5e371cea-3669-11ee-90da-6f980c1abb4c,REP_WHITE,,,3.87.15.173,8265,,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:01.849 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,NT AUTHORITY\NETWORK SERVICE,7604,c:\windows\system32\wbem\wmiprvse.exe,REP_WHITE,7DESJ9GN-0057f8fd-00001db4-00000000-1d9ca75aad94566,"[""60ff40cfd7fb8fe41ee4fe9ae5fe1c51"",""2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3""]",C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:57:51.061319 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\svchost.exe,EDR,,C:\Windows\system32\services.exe,NT AUTHORITY\SYSTEM,624,c:\windows\system32\services.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,624,163.116.136.254,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,784,,false,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,2023-08-09 03:57:51.061319 +0000 UTC,WINDOWS,C:\Windows\system32\svchost.exe -k DcomLaunch -p,5765373,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-0057f8fd-00000310-00000000-1d9c88821a0d73b,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,REP_WHITE,,,163.116.136.254,784,7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:01.849 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Users\vagrant\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",CARBONBLACK\vagrant,9084,c:\users\vagrant\appdata\local\microsoft\onedrive\23.147.0716.0001\filecoauth.exe,REP_WHITE,7DESJ9GN-0057f8fd-0000237c-00000000-1d9ca75bc5d6d13,"[""bb15c6bf740ebf82cf1110ef2abd458f"",""3316299c8b1caecb748ed2b299951c0f9bd018ed30a343e7f141598bdaa7e91f""]","""C:\Users\vagrant\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:58:20.4501452 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\svchost.exe,EDR,,C:\Windows\system32\services.exe,NT AUTHORITY\SYSTEM,624,c:\windows\system32\services.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,624,163.116.136.254,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,784,,false,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,2023-08-09 03:58:20.4501452 +0000 UTC,WINDOWS,C:\Windows\system32\svchost.exe -k DcomLaunch -p,5765373,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-0057f8fd-00000310-00000000-1d9c88821a0d73b,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,REP_WHITE,,,163.116.136.254,784,7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:01.849 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""Get-wmiobject -class Win32_NetworkAdapterConfiguration | where-object {$_.MACAddress -eq \""06:1B:EF:F1:A3:E3\""} | Select-object @{Name=\""IPAddresses\"";Expression={$_.IPAddress}}, @{Name=\""DefaultIPGateway\"";Expression={$_.DefaultIPGateway}}, @{Name=\""MacAddress\"";Expression={$_.MACAddress}}, @{Name=\""DHCPServer\"";Expression={$_.DHCPServer}}, @{Name=\""DNSServers\"";Expression={$_.DNSServerSearchOrder}} ,@{Name=\""IPSubnet\"";Expression={$_.IPSubnet}} | ConvertTo-Json""",NT AUTHORITY\SYSTEM,5904,c:\windows\system32\windowspowershell\v1.0\powershell.exe,REP_WHITE,7DESJ9GN-00663166-00001710-00000000-1d9ca7564b6cf3b,"["""",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""Get-wmiobject -class Win32_NetworkAdapterConfiguration | where-object {$_.MACAddress -eq \""06:1B:EF:F1:A3:E3\""} | Select-object @{Name=\""IPAddresses\"";Expression={$_.IPAddress}}, @{Name=\""DefaultIPGateway\"";Expression={$_.DefaultIPGateway}}, @{Name=\""MacAddress\"";Expression={$_.MACAddress}}, @{Name=\""DHCPServer\"";Expression={$_.DHCPServer}}, @{Name=\""DNSServers\"";Expression={$_.DNSServerSearchOrder}} ,@{Name=\""IPSubnet\"";Expression={$_.IPSubnet}} | ConvertTo-Json""",,REP_WHITE,,2023-08-09 03:57:00 +0000 UTC,2023-08-09 03:55:53.389 +0000 UTC,NT AUTHORITY\SYSTEM,c:\program files\amazon\ssm\ssm-agent-worker.exe,endpoint.event.procstart,SKOVILLE\jalapeno,c:\program files\amazon\ssm\ssm-document-worker.exe,NGAV,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",,NT AUTHORITY\SYSTEM,3672,c:\program files\amazon\ssm\ssm-agent-worker.exe,2023-08-09 03:57:00 +0000 UTC,52.53.135.128,WINDOWS,3672,52.53.135.128,"["""",""d493b7af19205cdc18e12e6a0363b0f586e975cc9ddc2bf5b4a4935ad5d956d0""]",,,SKOVILLE\jalapeno,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,4100,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",false,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108646-3668-11ee-a58c-6d176e6eb0ad,2023-08-09 03:55:53.389 +0000 UTC,WINDOWS,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",6697318,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.","[""ad5d57216c5d8a30a963d18e7bcd860c"",""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe""]",7DESJ9GN-00663166-00001004-00000000-1d9ca755f518bc8,6697318,,1,endpoint.event.procstart,,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108646-3668-11ee-a58c-6d176e6eb0ad,REP_WHITE,,,52.53.135.128,4100,7DESJ9GN-00663166-00000e58-00000000-1d9bfd3f69e1a53,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:01.849 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv,NT AUTHORITY\SYSTEM,8696,c:\windows\system32\svchost.exe,REP_WHITE,7DESJ9GN-0057f8fd-000021f8-00000000-1d9ca75aa0876c9,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv,,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:57:49.696055 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\wininit.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\services.exe,EDR,,wininit.exe,NT AUTHORITY\SYSTEM,516,c:\windows\system32\wininit.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,516,163.116.136.254,"[""d6e3b995e46d08046875e60eccff109b"",""9c620d2664464c54c9cdf4052c8f57b98e287fb372b309b1fb049700bd311897""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,624,,false,C:\Windows\system32\services.exe,,2023-08-09 03:57:49.696055 +0000 UTC,WINDOWS,C:\Windows\system32\services.exe,5765373,,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\services.exe,,REP_WHITE,,,163.116.136.254,624,7DESJ9GN-0057f8fd-00000204-00000000-1d9c8880e1ae3ae,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:11:01.497 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""
+$wmi_proc = Get-WmiObject -Class Win32_Processor
+if (@($wmi_proc)[0].NumberOfCores) #Modern OS
+{
+    $Sockets = @($wmi_proc).Count
+    $Cores = ($wmi_proc | Measure-Object -Property NumberOfCores -Sum).Sum
+    $CPUs = ($wmi_proc | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
+
+}
+else #Legacy OS
+{
+    $Sockets = @($wmi_proc | Select-Object -Property SocketDesignation -Unique).Count
+    $Cores = @($wmi_proc).Count
+    $CPUs=$Cores
+}
+$CPUModel=@($wmi_proc)[0].Name
+$CPUSpeed=@($wmi_proc)[0].MaxClockSpeed
+if ($Cores -lt $CPUs) {
+    $Hyperthread=\""true\""
+} else {
+    $Hyperthread=\""false\""
+}
+Write-Host -nonewline @\""
+{\""CPUModel\"":\""$CPUModel\"",\""CPUSpeedMHz\"":\""$CPUSpeed\"",\""CPUs\"":\""$CPUs\"",\""CPUSockets\"":\""$Sockets\"",\""CPUCores\"":\""$Cores\"",\""CPUHyperThreadEnabled\"":\""$HyperThread\""}
+\""@ """,NT AUTHORITY\SYSTEM,6000,c:\windows\system32\windowspowershell\v1.0\powershell.exe,REP_WHITE,7DESJ9GN-00663166-00001770-00000000-1d9ca75686db850,"["""",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""
+$wmi_proc = Get-WmiObject -Class Win32_Processor
+if (@($wmi_proc)[0].NumberOfCores) #Modern OS
+{
+    $Sockets = @($wmi_proc).Count
+    $Cores = ($wmi_proc | Measure-Object -Property NumberOfCores -Sum).Sum
+    $CPUs = ($wmi_proc | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
+
+}
+else #Legacy OS
+{
+    $Sockets = @($wmi_proc | Select-Object -Property SocketDesignation -Unique).Count
+    $Cores = @($wmi_proc).Count
+    $CPUs=$Cores
+}
+$CPUModel=@($wmi_proc)[0].Name
+$CPUSpeed=@($wmi_proc)[0].MaxClockSpeed
+if ($Cores -lt $CPUs) {
+    $Hyperthread=\""true\""
+} else {
+    $Hyperthread=\""false\""
+}
+Write-Host -nonewline @\""
+{\""CPUModel\"":\""$CPUModel\"",\""CPUSpeedMHz\"":\""$CPUSpeed\"",\""CPUs\"":\""$CPUs\"",\""CPUSockets\"":\""$Sockets\"",\""CPUCores\"":\""$Cores\"",\""CPUHyperThreadEnabled\"":\""$HyperThread\""}
+\""@ """,,REP_WHITE,,2023-08-09 03:57:01 +0000 UTC,2023-08-09 03:55:59.631 +0000 UTC,NT AUTHORITY\SYSTEM,c:\program files\amazon\ssm\ssm-agent-worker.exe,endpoint.event.procstart,SKOVILLE\jalapeno,c:\program files\amazon\ssm\ssm-document-worker.exe,NGAV,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",,NT AUTHORITY\SYSTEM,3672,c:\program files\amazon\ssm\ssm-agent-worker.exe,2023-08-09 03:57:01 +0000 UTC,52.53.135.128,WINDOWS,3672,52.53.135.128,"["""",""d493b7af19205cdc18e12e6a0363b0f586e975cc9ddc2bf5b4a4935ad5d956d0""]",,,SKOVILLE\jalapeno,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,4100,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",false,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108652-3668-11ee-a58c-6d176e6eb0ad,2023-08-09 03:55:59.631 +0000 UTC,WINDOWS,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",6697318,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.","[""ad5d57216c5d8a30a963d18e7bcd860c"",""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe""]",7DESJ9GN-00663166-00001004-00000000-1d9ca755f518bc8,6697318,,1,endpoint.event.procstart,,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108652-3668-11ee-a58c-6d176e6eb0ad,REP_WHITE,,,52.53.135.128,4100,7DESJ9GN-00663166-00000e58-00000000-1d9bfd3f69e1a53,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:53.892 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,NT AUTHORITY\NETWORK SERVICE,7604,c:\windows\system32\wbem\wmiprvse.exe,REP_WHITE,7DESJ9GN-0057f8fd-00001db4-00000000-1d9ca75aad94566,"[""60ff40cfd7fb8fe41ee4fe9ae5fe1c51"",""2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3""]",C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:57:51.061319 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\svchost.exe,EDR,,C:\Windows\system32\services.exe,NT AUTHORITY\SYSTEM,624,c:\windows\system32\services.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,624,163.116.136.254,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,784,,false,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,2023-08-09 03:57:51.061319 +0000 UTC,WINDOWS,C:\Windows\system32\svchost.exe -k DcomLaunch -p,5765373,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-0057f8fd-00000310-00000000-1d9c88821a0d73b,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,REP_WHITE,,,163.116.136.254,784,7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:53.892 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv,NT AUTHORITY\SYSTEM,8696,c:\windows\system32\svchost.exe,REP_WHITE,7DESJ9GN-0057f8fd-000021f8-00000000-1d9ca75aa0876c9,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv,,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:57:49.696055 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\wininit.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\services.exe,EDR,,wininit.exe,NT AUTHORITY\SYSTEM,516,c:\windows\system32\wininit.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,516,163.116.136.254,"[""d6e3b995e46d08046875e60eccff109b"",""9c620d2664464c54c9cdf4052c8f57b98e287fb372b309b1fb049700bd311897""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,624,,false,C:\Windows\system32\services.exe,,2023-08-09 03:57:49.696055 +0000 UTC,WINDOWS,C:\Windows\system32\services.exe,5765373,,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\services.exe,,REP_WHITE,,,163.116.136.254,624,7DESJ9GN-0057f8fd-00000204-00000000-1d9c8880e1ae3ae,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:53.892 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Users\vagrant\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",CARBONBLACK\vagrant,9084,c:\users\vagrant\appdata\local\microsoft\onedrive\23.147.0716.0001\filecoauth.exe,REP_WHITE,7DESJ9GN-0057f8fd-0000237c-00000000-1d9ca75bc5d6d13,"[""bb15c6bf740ebf82cf1110ef2abd458f"",""3316299c8b1caecb748ed2b299951c0f9bd018ed30a343e7f141598bdaa7e91f""]","""C:\Users\vagrant\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,REP_WHITE,,2023-08-09 03:59:41 +0000 UTC,2023-08-09 03:58:20.4501452 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,carbonblack,c:\windows\system32\svchost.exe,EDR,,C:\Windows\system32\services.exe,NT AUTHORITY\SYSTEM,624,c:\windows\system32\services.exe,2023-08-09 03:59:41 +0000 UTC,163.116.136.254,WINDOWS,624,163.116.136.254,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,carbonblack,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,784,,false,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,2023-08-09 03:58:20.4501452 +0000 UTC,WINDOWS,C:\Windows\system32\svchost.exe -k DcomLaunch -p,5765373,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-0057f8fd-00000310-00000000-1d9c88821a0d73b,5765373,,1,endpoint.event.procstart,,C:\Windows\system32\svchost.exe -k DcomLaunch -p,,REP_WHITE,,,163.116.136.254,784,7DESJ9GN-0057f8fd-00000270-00000000-1d9c8880e61c0f5,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:53.892 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""Get-wmiobject -class Win32_NetworkAdapterConfiguration | where-object {$_.MACAddress -eq \""06:1B:EF:F1:A3:E3\""} | Select-object @{Name=\""IPAddresses\"";Expression={$_.IPAddress}}, @{Name=\""DefaultIPGateway\"";Expression={$_.DefaultIPGateway}}, @{Name=\""MacAddress\"";Expression={$_.MACAddress}}, @{Name=\""DHCPServer\"";Expression={$_.DHCPServer}}, @{Name=\""DNSServers\"";Expression={$_.DNSServerSearchOrder}} ,@{Name=\""IPSubnet\"";Expression={$_.IPSubnet}} | ConvertTo-Json""",NT AUTHORITY\SYSTEM,5904,c:\windows\system32\windowspowershell\v1.0\powershell.exe,REP_WHITE,7DESJ9GN-00663166-00001710-00000000-1d9ca7564b6cf3b,"["""",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""Get-wmiobject -class Win32_NetworkAdapterConfiguration | where-object {$_.MACAddress -eq \""06:1B:EF:F1:A3:E3\""} | Select-object @{Name=\""IPAddresses\"";Expression={$_.IPAddress}}, @{Name=\""DefaultIPGateway\"";Expression={$_.DefaultIPGateway}}, @{Name=\""MacAddress\"";Expression={$_.MACAddress}}, @{Name=\""DHCPServer\"";Expression={$_.DHCPServer}}, @{Name=\""DNSServers\"";Expression={$_.DNSServerSearchOrder}} ,@{Name=\""IPSubnet\"";Expression={$_.IPSubnet}} | ConvertTo-Json""",,REP_WHITE,,2023-08-09 03:57:00 +0000 UTC,2023-08-09 03:55:53.389 +0000 UTC,NT AUTHORITY\SYSTEM,c:\program files\amazon\ssm\ssm-agent-worker.exe,endpoint.event.procstart,SKOVILLE\jalapeno,c:\program files\amazon\ssm\ssm-document-worker.exe,NGAV,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",,NT AUTHORITY\SYSTEM,3672,c:\program files\amazon\ssm\ssm-agent-worker.exe,2023-08-09 03:57:00 +0000 UTC,52.53.135.128,WINDOWS,3672,52.53.135.128,"["""",""d493b7af19205cdc18e12e6a0363b0f586e975cc9ddc2bf5b4a4935ad5d956d0""]",,,SKOVILLE\jalapeno,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,4100,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",false,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108646-3668-11ee-a58c-6d176e6eb0ad,2023-08-09 03:55:53.389 +0000 UTC,WINDOWS,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",6697318,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.","[""ad5d57216c5d8a30a963d18e7bcd860c"",""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe""]",7DESJ9GN-00663166-00001004-00000000-1d9ca755f518bc8,6697318,,1,endpoint.event.procstart,,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108646-3668-11ee-a58c-6d176e6eb0ad,REP_WHITE,,,52.53.135.128,4100,7DESJ9GN-00663166-00000e58-00000000-1d9bfd3f69e1a53,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:53.594 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""
+$wmi_proc = Get-WmiObject -Class Win32_Processor
+if (@($wmi_proc)[0].NumberOfCores) #Modern OS
+{
+    $Sockets = @($wmi_proc).Count
+    $Cores = ($wmi_proc | Measure-Object -Property NumberOfCores -Sum).Sum
+    $CPUs = ($wmi_proc | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
+
+}
+else #Legacy OS
+{
+    $Sockets = @($wmi_proc | Select-Object -Property SocketDesignation -Unique).Count
+    $Cores = @($wmi_proc).Count
+    $CPUs=$Cores
+}
+$CPUModel=@($wmi_proc)[0].Name
+$CPUSpeed=@($wmi_proc)[0].MaxClockSpeed
+if ($Cores -lt $CPUs) {
+    $Hyperthread=\""true\""
+} else {
+    $Hyperthread=\""false\""
+}
+Write-Host -nonewline @\""
+{\""CPUModel\"":\""$CPUModel\"",\""CPUSpeedMHz\"":\""$CPUSpeed\"",\""CPUs\"":\""$CPUs\"",\""CPUSockets\"":\""$Sockets\"",\""CPUCores\"":\""$Cores\"",\""CPUHyperThreadEnabled\"":\""$HyperThread\""}
+\""@ """,NT AUTHORITY\SYSTEM,6000,c:\windows\system32\windowspowershell\v1.0\powershell.exe,REP_WHITE,7DESJ9GN-00663166-00001770-00000000-1d9ca75686db850,"["""",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ""
+$wmi_proc = Get-WmiObject -Class Win32_Processor
+if (@($wmi_proc)[0].NumberOfCores) #Modern OS
+{
+    $Sockets = @($wmi_proc).Count
+    $Cores = ($wmi_proc | Measure-Object -Property NumberOfCores -Sum).Sum
+    $CPUs = ($wmi_proc | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
+
+}
+else #Legacy OS
+{
+    $Sockets = @($wmi_proc | Select-Object -Property SocketDesignation -Unique).Count
+    $Cores = @($wmi_proc).Count
+    $CPUs=$Cores
+}
+$CPUModel=@($wmi_proc)[0].Name
+$CPUSpeed=@($wmi_proc)[0].MaxClockSpeed
+if ($Cores -lt $CPUs) {
+    $Hyperthread=\""true\""
+} else {
+    $Hyperthread=\""false\""
+}
+Write-Host -nonewline @\""
+{\""CPUModel\"":\""$CPUModel\"",\""CPUSpeedMHz\"":\""$CPUSpeed\"",\""CPUs\"":\""$CPUs\"",\""CPUSockets\"":\""$Sockets\"",\""CPUCores\"":\""$Cores\"",\""CPUHyperThreadEnabled\"":\""$HyperThread\""}
+\""@ """,,REP_WHITE,,2023-08-09 03:57:01 +0000 UTC,2023-08-09 03:55:59.631 +0000 UTC,NT AUTHORITY\SYSTEM,c:\program files\amazon\ssm\ssm-agent-worker.exe,endpoint.event.procstart,SKOVILLE\jalapeno,c:\program files\amazon\ssm\ssm-document-worker.exe,NGAV,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",,NT AUTHORITY\SYSTEM,3672,c:\program files\amazon\ssm\ssm-agent-worker.exe,2023-08-09 03:57:01 +0000 UTC,52.53.135.128,WINDOWS,3672,52.53.135.128,"["""",""d493b7af19205cdc18e12e6a0363b0f586e975cc9ddc2bf5b4a4935ad5d956d0""]",,,SKOVILLE\jalapeno,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,4100,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.",false,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108652-3668-11ee-a58c-6d176e6eb0ad,2023-08-09 03:55:59.631 +0000 UTC,WINDOWS,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",6697318,"The application ""<share><link hash=""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe"">C:\program files\amazon\ssm\ssm-document-worker.exe</link></share>"" invoked the application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"". The operation was successful.","[""ad5d57216c5d8a30a963d18e7bcd860c"",""7944f646b3f2b152887b29a6d92ab9312a0932e2b0bfeed2500b3a2a310afafe""]",7DESJ9GN-00663166-00001004-00000000-1d9ca755f518bc8,6697318,,1,endpoint.event.procstart,,"""C:\Program Files\Amazon\SSM\ssm-document-worker.exe"" 21bfe710-73de-44f2-8edc-f03f11ee0293.2023-08-09T03-55-44.282Z",c4108652-3668-11ee-a58c-6d176e6eb0ad,REP_WHITE,,,52.53.135.128,4100,7DESJ9GN-00663166-00000e58-00000000-1d9bfd3f69e1a53,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:41.873 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 254 -Pipe 39c -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,6012,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-0000177c-00000000-1d9ca758632cc31,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 254 -Pipe 39c -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.5623569 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.5623569 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:41.857 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2fc -Pipe 350 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,5524,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-00001594-00000000-1d9ca75861e9537,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2fc -Pipe 350 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.4217323 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.4217323 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:41.841 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 350 -Pipe 218 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,5720,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-00001658-00000000-1d9ca75860bbdf5,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 350 -Pipe 218 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.2967321 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.2967321 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:41.826 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 298 -Pipe 398 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,2216,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-000008a8-00000000-1d9ca7585ef20cf,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 298 -Pipe 398 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.1093746 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.1093746 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:38.093 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 254 -Pipe 39c -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,6012,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-0000177c-00000000-1d9ca758632cc31,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 254 -Pipe 39c -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.5623569 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.5623569 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:38.062 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2fc -Pipe 350 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,5524,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-00001594-00000000-1d9ca75861e9537,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2fc -Pipe 350 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.4217323 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.4217323 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:38.046 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 350 -Pipe 218 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,5720,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-00001658-00000000-1d9ca75860bbdf5,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 350 -Pipe 218 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.2967321 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.2967321 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 4:10:38.031 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Dynamic Code Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 298 -Pipe 398 -Comment ""NGen Worker Process""",NT AUTHORITY\SYSTEM,2216,c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe,REP_WHITE,7DESJ9GN-006a7b99-000008a8-00000000-1d9ca7585ef20cf,"[""412a3fb0c25743da59375c1e298933ea"",""da1087ba2641efd77d85e5838aeb6c333e80caa9f24c889fd2de2e0b58f8d1a5""]","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 298 -Pipe 398 -Comment ""NGen Worker Process""",,REP_WHITE,,2023-08-09 03:57:10 +0000 UTC,2023-08-09 03:56:49.1093746 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,endpoint.event.procstart,RTEST\CB-RC-03,c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe,EDR,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe"" /RuntimeWide /Critical /StopEvent:980",NT AUTHORITY\SYSTEM,5968,c:\windows\microsoft.net\framework64\v4.0.30319\ngentask.exe,2023-08-09 03:57:10 +0000 UTC,184.23.216.90,WINDOWS,5968,184.23.216.90,"[""3142937610966b092ca8886c76a3b113"",""ff70c1b71440e34931eb8ef97236f3cb2bb2668c72e7a3338660ced5c0753af8""]",,,RTEST\CB-RC-03,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS,,5480,,false,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,2023-08-09 03:56:49.1093746 +0000 UTC,WINDOWS,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",6978457,,"[""b6c3fe33b436e5006514403824f17c66"",""a446d35f5e60bdae1a7117b71d90abb0fea424ee416b0e0ecd2c485dc5939a68""]",7DESJ9GN-006a7b99-00001568-00000000-1d9ca74c97a70cb,6978457,,1,endpoint.event.procstart,,"""C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"" ExecuteQueuedItems 2 /LegacyServiceBehavior",,REP_WHITE,,,184.23.216.90,5480,7DESJ9GN-006a7b99-00001750-00000000-1d9ca74c92d2610,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 3:50:29.131 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 5608 -s 732,NT AUTHORITY\SYSTEM,3012,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000bc4-00000000-1d9ca730d433edc,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 5608 -s 732,,REP_WHITE,,2023-08-09 03:41:26 +0000 UTC,2023-08-09 03:39:07.6984351 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,664,c:\windows\system32\services.exe,2023-08-09 03:41:26 +0000 UTC,19.16.25.5,WINDOWS,664,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1436,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-09 03:39:07.6984351 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000059c-00000000-1d9ca730b64dc3e,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,1436,7DESJ9GN-005bf668-00000298-00000000-1d9ca724ecfdc64,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/9/2023, 3:50:28.216 AM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 5608 -s 732,NT AUTHORITY\SYSTEM,3012,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000bc4-00000000-1d9ca730d433edc,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 5608 -s 732,,REP_WHITE,,2023-08-09 03:41:26 +0000 UTC,2023-08-09 03:39:07.6984351 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,664,c:\windows\system32\services.exe,2023-08-09 03:41:26 +0000 UTC,19.16.25.5,WINDOWS,664,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1436,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-09 03:39:07.6984351 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000059c-00000000-1d9ca730b64dc3e,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,1436,7DESJ9GN-005bf668-00000298-00000000-1d9ca724ecfdc64,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 4:52:20.977 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 6720 -s 728,NT AUTHORITY\SYSTEM,3732,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000e94-00000000-1d9ca16f8e4b9c3,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 6720 -s 728,,REP_WHITE,,2023-08-08 16:42:26 +0000 UTC,2023-08-08 16:39:59.8472513 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,692,c:\windows\system32\services.exe,2023-08-08 16:42:26 +0000 UTC,19.16.25.5,WINDOWS,692,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,5980,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 16:39:59.8472513 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000175c-00000000-1d9ca16f6d70486,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,5980,7DESJ9GN-005bf668-000002b4-00000000-1d9ca1639267999,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 4:52:19.747 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 6720 -s 728,NT AUTHORITY\SYSTEM,3732,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000e94-00000000-1d9ca16f8e4b9c3,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 6720 -s 728,,REP_WHITE,,2023-08-08 16:42:26 +0000 UTC,2023-08-08 16:39:59.8472513 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,692,c:\windows\system32\services.exe,2023-08-08 16:42:26 +0000 UTC,19.16.25.5,WINDOWS,692,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,5980,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 16:39:59.8472513 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000175c-00000000-1d9ca16f6d70486,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,5980,7DESJ9GN-005bf668-000002b4-00000000-1d9ca1639267999,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 3:48:34.405 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 1416 -s 728,NT AUTHORITY\SYSTEM,3504,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000db0-00000000-1d9ca0e84b4890a,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 1416 -s 728,,REP_WHITE,,2023-08-08 15:40:03 +0000 UTC,2023-08-08 15:39:28.9052201 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,700,c:\windows\system32\services.exe,2023-08-08 15:40:03 +0000 UTC,19.16.25.5,WINDOWS,700,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,5088,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 15:39:28.9052201 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-000013e0-00000000-1d9ca0e82f70115,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,5088,7DESJ9GN-005bf668-000002bc-00000000-1d9ca0dc59c78a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 3:48:33.875 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 1416 -s 728,NT AUTHORITY\SYSTEM,3504,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000db0-00000000-1d9ca0e84b4890a,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 1416 -s 728,,REP_WHITE,,2023-08-08 15:40:03 +0000 UTC,2023-08-08 15:39:28.9052201 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,700,c:\windows\system32\services.exe,2023-08-08 15:40:03 +0000 UTC,19.16.25.5,WINDOWS,700,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,5088,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 15:39:28.9052201 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-000013e0-00000000-1d9ca0e82f70115,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,5088,7DESJ9GN-005bf668-000002bc-00000000-1d9ca0dc59c78a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 2:51:54.165 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 456 -s 748,NT AUTHORITY\SYSTEM,3272,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000cc8-00000000-1d9ca062353da8c,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 456 -s 748,,REP_WHITE,,2023-08-08 14:41:58 +0000 UTC,2023-08-08 14:39:29.5991789 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,704,c:\windows\system32\services.exe,2023-08-08 14:41:58 +0000 UTC,19.16.25.5,WINDOWS,704,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,2844,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 14:39:29.5991789 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-00000b1c-00000000-1d9ca06217638b4,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,2844,7DESJ9GN-005bf668-000002c0-00000000-1d9ca056422904f,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 2:51:53.198 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 456 -s 748,NT AUTHORITY\SYSTEM,3272,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00000cc8-00000000-1d9ca062353da8c,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 456 -s 748,,REP_WHITE,,2023-08-08 14:41:58 +0000 UTC,2023-08-08 14:39:29.5991789 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,704,c:\windows\system32\services.exe,2023-08-08 14:41:58 +0000 UTC,19.16.25.5,WINDOWS,704,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,2844,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 14:39:29.5991789 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-00000b1c-00000000-1d9ca06217638b4,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,2844,7DESJ9GN-005bf668-000002c0-00000000-1d9ca056422904f,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 1:51:16.291 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 2224 -s 728,NT AUTHORITY\SYSTEM,4216,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00001078-00000000-1d9c9fdd31859fd,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 2224 -s 728,,REP_WHITE,,2023-08-08 13:40:32 +0000 UTC,2023-08-08 13:39:59.0258559 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,700,c:\windows\system32\services.exe,2023-08-08 13:40:32 +0000 UTC,19.16.25.5,WINDOWS,700,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1400,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 13:39:59.0258559 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-00000578-00000000-1d9c9fdd138ba6b,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,1400,7DESJ9GN-005bf668-000002bc-00000000-1d9c9fd12fc5e22,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 1:51:10.457 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 2224 -s 728,NT AUTHORITY\SYSTEM,4216,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-00001078-00000000-1d9c9fdd31859fd,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 2224 -s 728,,REP_WHITE,,2023-08-08 13:40:32 +0000 UTC,2023-08-08 13:39:59.0258559 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,700,c:\windows\system32\services.exe,2023-08-08 13:40:32 +0000 UTC,19.16.25.5,WINDOWS,700,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1400,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 13:39:59.0258559 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-00000578-00000000-1d9c9fdd138ba6b,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,1400,7DESJ9GN-005bf668-000002bc-00000000-1d9c9fd12fc5e22,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:47:56.014 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 3004 -s 736,NT AUTHORITY\SYSTEM,2124,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-0000084c-00000000-1d9c9f56481941c,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 3004 -s 736,,REP_WHITE,,2023-08-08 12:39:57 +0000 UTC,2023-08-08 12:39:37.478077 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,708,c:\windows\system32\services.exe,2023-08-08 12:39:57 +0000 UTC,19.16.25.5,WINDOWS,708,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,2396,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 12:39:37.478077 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000095c-00000000-1d9c9f5624973ff,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,2396,7DESJ9GN-005bf668-000002c4-00000000-1d9c9f4a3f5c9d0,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:47:50.863 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\WINDOWS\system32\WerFault.exe -u -p 3004 -s 736,NT AUTHORITY\SYSTEM,2124,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-005bf668-0000084c-00000000-1d9c9f56481941c,"[""edfdff7bacbd99ab0e81f41e42fe3967"",""a538526a8d692aefaff9613d42b709aa7cd6ef475522ced5419d4af616257eda""]",C:\WINDOWS\system32\WerFault.exe -u -p 3004 -s 736,,REP_WHITE,,2023-08-08 12:39:57 +0000 UTC,2023-08-08 12:39:37.478077 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Kognos-CB-1,c:\windows\system32\svchost.exe,EDR,,C:\WINDOWS\system32\services.exe,NT AUTHORITY\SYSTEM,708,c:\windows\system32\services.exe,2023-08-08 12:39:57 +0000 UTC,19.16.25.5,WINDOWS,708,19.16.25.5,"[""14b88ff4833012512278a5f3a5712bd2"",""e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d0cbef74d510c71317""]",,,Kognos-CB-1,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,2396,,false,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,2023-08-08 12:39:37.478077 +0000 UTC,WINDOWS,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,6026856,,"[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",7DESJ9GN-005bf668-0000095c-00000000-1d9c9f5624973ff,6026856,,1,endpoint.event.procstart,,C:\WINDOWS\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,19.16.25.5,2396,7DESJ9GN-005bf668-000002c4-00000000-1d9c9f4a3f5c9d0,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:43.744 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,C:\Windows\system32\MpSigStub.exe /stub 1.1.23080.1001 /payload 1.393.2585.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe WD /q,NT AUTHORITY\SYSTEM,1056,c:\windows\system32\mpsigstub.exe,REP_WHITE,7DESJ9GN-003be564-00000420-00000000-1d9c9f10422e016,"[""5598a4c4a5f166060bde5f6983522f44"",""896f1793ca8bda909a71217f41a93af5a06354c1ea9ea81c975d429224b28e19""]",C:\Windows\system32\MpSigStub.exe /stub 1.1.23080.1001 /payload 1.393.2585.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe WD /q,,REP_WHITE,,2023-08-08 12:10:12 +0000 UTC,2023-08-08 12:08:17.8016827 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\wuauclt.exe,endpoint.event.procstart,carbon-black-integration-endpoint,c:\windows\softwaredistribution\download\install\am_delta_patch_1.393.2579.0.exe,EDR,,"""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer",NT AUTHORITY\SYSTEM,4220,c:\windows\system32\wuauclt.exe,2023-08-08 12:10:12 +0000 UTC,35.224.136.145,WINDOWS,4220,35.224.136.145,"[""0952026aaf50923fc9b849e42efd7c14"",""8bab37cd6433e93a2579ea5a345b67bc4068144f496bd968453c202195f7c82f""]",,,carbon-black-integration-endpoint,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,4712,,false,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",,2023-08-08 12:08:17.8016827 +0000 UTC,WINDOWS,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",3925348,,"[""755f4050f86cbd31f998681f794b13de"",""465c23e16b480d9cb94593e4d94bcfe4dcee87ace34bfd27bf49ee15c9aa2330""]",7DESJ9GN-003be564-00001268-00000000-1d9c9f103f39e56,3925348,,1,endpoint.event.procstart,,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",,REP_NOT_LISTED,,,35.224.136.145,4712,7DESJ9GN-003be564-0000107c-00000000-1d9c9f1028454bd,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:40.888 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,,,,C:\Windows\system32\MpSigStub.exe /stub 1.1.23080.1001 /payload 1.393.2585.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe WD /q,NT AUTHORITY\SYSTEM,1056,c:\windows\system32\mpsigstub.exe,REP_WHITE,7DESJ9GN-003be564-00000420-00000000-1d9c9f10422e016,"[""5598a4c4a5f166060bde5f6983522f44"",""896f1793ca8bda909a71217f41a93af5a06354c1ea9ea81c975d429224b28e19""]",C:\Windows\system32\MpSigStub.exe /stub 1.1.23080.1001 /payload 1.393.2585.0 /MpWUStub /program C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe WD /q,,REP_WHITE,,2023-08-08 12:10:12 +0000 UTC,2023-08-08 12:08:17.8016827 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\wuauclt.exe,endpoint.event.procstart,carbon-black-integration-endpoint,c:\windows\softwaredistribution\download\install\am_delta_patch_1.393.2579.0.exe,EDR,,"""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer",NT AUTHORITY\SYSTEM,4220,c:\windows\system32\wuauclt.exe,2023-08-08 12:10:12 +0000 UTC,35.224.136.145,WINDOWS,4220,35.224.136.145,"[""0952026aaf50923fc9b849e42efd7c14"",""8bab37cd6433e93a2579ea5a345b67bc4068144f496bd968453c202195f7c82f""]",,,carbon-black-integration-endpoint,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,4712,,false,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",,2023-08-08 12:08:17.8016827 +0000 UTC,WINDOWS,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",3925348,,"[""755f4050f86cbd31f998681f794b13de"",""465c23e16b480d9cb94593e4d94bcfe4dcee87ace34bfd27bf49ee15c9aa2330""]",7DESJ9GN-003be564-00001268-00000000-1d9c9f103f39e56,3925348,,1,endpoint.event.procstart,,"""C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.393.2579.0.exe"" WD /q",,REP_NOT_LISTED,,,35.224.136.145,4712,7DESJ9GN-003be564-0000107c-00000000-1d9c9f1028454bd,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:37.013 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\windows\system32\WerFault.exe -u -p 6612 -s 1688,Dilen-PC\axoncorp-localadmin,2740,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-006e94fe-00000ab4-00000000-1d9c9f0e633a416,"[""3168553add563f56411e1b8a77b6854e"",""8f26d27813d6195d9163593875c3a4d2cca5ca702b5b5c3fd219e1e00eec67cf""]",C:\windows\system32\WerFault.exe -u -p 6612 -s 1688,,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:27.5625857 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,6348,,false,C:\windows\System32\svchost.exe -k WerSvcGroup,,2023-08-08 12:07:27.5625857 +0000 UTC,WINDOWS,C:\windows\System32\svchost.exe -k WerSvcGroup,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-000018cc-00000000-1d9c9f0e6014671,7247102,,1,endpoint.event.procstart,,C:\windows\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,1.2.3.4,6348,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:36.904 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2305.1222.0_x64__8wekyb3d8bbwe\WebViewHost.exe"" ",Dilen-PC\axoncorp-localadmin,6612,c:\program files\windowsapps\microsoft.microsoftofficehub_18.2305.1222.0_x64__8wekyb3d8bbwe\webviewhost.exe,REP_WHITE,7DESJ9GN-006e94fe-000019d4-00000000-1d9c9f0e3d69efa,"[""4cdc69b043fc10834d7735e2747a8078"",""37dec72d2555c3a8623f46932354035b873c469d10ca4572767363274f35b265""]","""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2305.1222.0_x64__8wekyb3d8bbwe\WebViewHost.exe"" ",,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:23.6800688 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1320,,false,C:\windows\system32\svchost.exe -k netsvcs -p,,2023-08-08 12:07:23.6800688 +0000 UTC,WINDOWS,C:\windows\system32\svchost.exe -k netsvcs -p,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-00000528-00000000-1d9c9c94cfdce39,7247102,,1,endpoint.event.procstart,,C:\windows\system32\svchost.exe -k netsvcs -p,,REP_WHITE,,,1.2.3.4,1320,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:36.904 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=WebViewHost.exe --webview-exe-version=18.2305.1222.0 --user-data-dir=""C:\Users\axoncorp-localadmin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --mojo-named-platform-channel-pipe=6612.7096.12993504643384835315",Dilen-PC\axoncorp-localadmin,6596,c:\program files (x86)\microsoft\edgewebview\application\115.0.1901.188\msedgewebview2.exe,REP_WHITE,7DESJ9GN-006e94fe-000019c4-00000000-1d9c9f0e44b2c85,"[""17b527521f722cb0bfde9f3b485ab133"",""1b9db9b40085dcb36392fd7007eb29c3cde11473e5092b31ebd704ee07957f8f""]","""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=WebViewHost.exe --webview-exe-version=18.2305.1222.0 --user-data-dir=""C:\Users\axoncorp-localadmin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --mojo-named-platform-channel-pipe=6612.7096.12993504643384835315",,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:24.3677148 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1320,,false,C:\windows\system32\svchost.exe -k netsvcs -p,,2023-08-08 12:07:24.3677148 +0000 UTC,WINDOWS,C:\windows\system32\svchost.exe -k netsvcs -p,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-00000528-00000000-1d9c9c94cfdce39,7247102,,1,endpoint.event.procstart,,C:\windows\system32\svchost.exe -k netsvcs -p,,REP_WHITE,,,1.2.3.4,1320,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:34.077 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,C:\windows\system32\WerFault.exe -u -p 6612 -s 1688,Dilen-PC\axoncorp-localadmin,2740,c:\windows\system32\werfault.exe,REP_WHITE,7DESJ9GN-006e94fe-00000ab4-00000000-1d9c9f0e633a416,"[""3168553add563f56411e1b8a77b6854e"",""8f26d27813d6195d9163593875c3a4d2cca5ca702b5b5c3fd219e1e00eec67cf""]",C:\windows\system32\WerFault.exe -u -p 6612 -s 1688,,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:27.5625857 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,6348,,false,C:\windows\System32\svchost.exe -k WerSvcGroup,,2023-08-08 12:07:27.5625857 +0000 UTC,WINDOWS,C:\windows\System32\svchost.exe -k WerSvcGroup,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-000018cc-00000000-1d9c9f0e6014671,7247102,,1,endpoint.event.procstart,,C:\windows\System32\svchost.exe -k WerSvcGroup,,REP_WHITE,,,1.2.3.4,6348,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:33.983 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=WebViewHost.exe --webview-exe-version=18.2305.1222.0 --user-data-dir=""C:\Users\axoncorp-localadmin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --mojo-named-platform-channel-pipe=6612.7096.12993504643384835315",Dilen-PC\axoncorp-localadmin,6596,c:\program files (x86)\microsoft\edgewebview\application\115.0.1901.188\msedgewebview2.exe,REP_WHITE,7DESJ9GN-006e94fe-000019c4-00000000-1d9c9f0e44b2c85,"[""17b527521f722cb0bfde9f3b485ab133"",""1b9db9b40085dcb36392fd7007eb29c3cde11473e5092b31ebd704ee07957f8f""]","""C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.188\msedgewebview2.exe"" --embedded-browser-webview=1 --webview-exe-name=WebViewHost.exe --webview-exe-version=18.2305.1222.0 --user-data-dir=""C:\Users\axoncorp-localadmin\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\EBWebView"" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --enable-features=MojoIpcz,msSingleSignOnOSForPrimaryAccountIsShared --mojo-named-platform-channel-pipe=6612.7096.12993504643384835315",,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:24.3677148 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1320,,false,C:\windows\system32\svchost.exe -k netsvcs -p,,2023-08-08 12:07:24.3677148 +0000 UTC,WINDOWS,C:\windows\system32\svchost.exe -k netsvcs -p,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-00000528-00000000-1d9c9c94cfdce39,7247102,,1,endpoint.event.procstart,,C:\windows\system32\svchost.exe -k netsvcs -p,,REP_WHITE,,,1.2.3.4,1320,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/8/2023, 12:17:33.983 PM",,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,"[{""name"":""Microsoft Windows Publisher"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS""}]",,,,,,,,,,,,,,"""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2305.1222.0_x64__8wekyb3d8bbwe\WebViewHost.exe"" ",Dilen-PC\axoncorp-localadmin,6612,c:\program files\windowsapps\microsoft.microsoftofficehub_18.2305.1222.0_x64__8wekyb3d8bbwe\webviewhost.exe,REP_WHITE,7DESJ9GN-006e94fe-000019d4-00000000-1d9c9f0e3d69efa,"[""4cdc69b043fc10834d7735e2747a8078"",""37dec72d2555c3a8623f46932354035b873c469d10ca4572767363274f35b265""]","""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2305.1222.0_x64__8wekyb3d8bbwe\WebViewHost.exe"" ",,REP_WHITE,,2023-08-08 12:09:13 +0000 UTC,2023-08-08 12:07:23.6800688 +0000 UTC,NT AUTHORITY\SYSTEM,c:\windows\system32\services.exe,endpoint.event.procstart,Dilen-PC,c:\windows\system32\svchost.exe,EDR,,C:\windows\system32\services.exe,NT AUTHORITY\SYSTEM,628,c:\windows\system32\services.exe,2023-08-08 12:09:13 +0000 UTC,1.2.3.4,WINDOWS,628,1.2.3.4,"[""fae441a6ec7fd8f55a404797a25c8910"",""70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4""]",,,Dilen-PC,,ACTION_ALLOW,7DESJ9GN,ACTION_CREATE_PROCESS | ACTION_CREATE_PROCESS_EFFECTIVE,,1320,,false,C:\windows\system32\svchost.exe -k netsvcs -p,,2023-08-08 12:07:23.6800688 +0000 UTC,WINDOWS,C:\windows\system32\svchost.exe -k netsvcs -p,7247102,,"[""9520a99e77d6196d0d09833146424113"",""dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048""]",7DESJ9GN-006e94fe-00000528-00000000-1d9c9c94cfdce39,7247102,,1,endpoint.event.procstart,,C:\windows\system32\svchost.exe -k netsvcs -p,,REP_WHITE,,,1.2.3.4,1320,7DESJ9GN-006e94fe-00000274-00000000-1d9c9c94c3914a3,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 1:15:37.318 PM",,,,,,,,,,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,1020,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000003fc-00000000-1d9d1d503ca723d,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-18 13:08:11 +0000 UTC,2023-08-18 13:08:00.601 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2668,c:\windows\system32\openssh\sshd.exe,2023-08-18 13:08:11 +0000 UTC,34.214.100.40,WINDOWS,2668,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,1112,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,2023-08-18 13:08:00.601 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,REP_WHITE,,,34.214.100.40,1112,7DESJ9GN-006a07ff-00000a6c-00000000-1d9d1d5023d13e1,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 1:16:51.260 PM",,,,,,,,,,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,1020,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000003fc-00000000-1d9d1d503ca723d,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-18 13:08:11 +0000 UTC,2023-08-18 13:08:00.601 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2668,c:\windows\system32\openssh\sshd.exe,2023-08-18 13:08:11 +0000 UTC,34.214.100.40,WINDOWS,2668,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,1112,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,2023-08-18 13:08:00.601 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,REP_WHITE,,,34.214.100.40,1112,7DESJ9GN-006a07ff-00000a6c-00000000-1d9d1d5023d13e1,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 1:17:27.988 PM",,,,,,,,,,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,e5c49aab-f8f3-9654-9ca8-7d316cb70e25,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,1020,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000003fc-00000000-1d9d1d503ca723d,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-18 13:08:50 +0000 UTC,2023-08-18 13:08:00.601 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2668,c:\windows\system32\openssh\sshd.exe,2023-08-18 13:08:50 +0000 UTC,34.214.100.40,WINDOWS,2668,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,1112,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,2023-08-18 13:08:00.601 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000458-00000000-1d9d1d5025de75f,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-8 -Cleanup """,425ae323-3dc8-11ee-90cf-c173f1d31796,REP_WHITE,,,34.214.100.40,1112,7DESJ9GN-006a07ff-00000a6c-00000000-1d9d1d5023d13e1,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:06:08.457 PM",,,,,,,,,,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",KOGNOS-W19-CB-3\Administrator,3452,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000d7c-00000000-1d9d1cb7206a59f,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",,REP_WHITE,,2023-08-18 11:59:46 +0000 UTC,2023-08-18 11:59:30.578 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2168,c:\windows\system32\openssh\sshd.exe,2023-08-18 11:59:46 +0000 UTC,34.214.100.40,WINDOWS,2168,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2336,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,2023-08-18 11:59:30.578 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,REP_WHITE,,,34.214.100.40,2336,7DESJ9GN-006a07ff-00000878-00000000-1d9d1cb70704326,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:06:10.591 PM",,,,,,,,,,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",KOGNOS-W19-CB-3\Administrator,3452,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000d7c-00000000-1d9d1cb7206a59f,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",,REP_WHITE,,2023-08-18 12:00:09 +0000 UTC,2023-08-18 11:59:30.578 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2168,c:\windows\system32\openssh\sshd.exe,2023-08-18 12:00:09 +0000 UTC,34.214.100.40,WINDOWS,2168,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2336,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,2023-08-18 11:59:30.578 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,REP_WHITE,,,34.214.100.40,2336,7DESJ9GN-006a07ff-00000878-00000000-1d9d1cb70704326,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:03:11.393 PM",,,,,,,,,,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,7486167a-3641-2b92-88ce-f70c4d8e5626,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",KOGNOS-W19-CB-3\Administrator,3452,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000d7c-00000000-1d9d1cb7206a59f,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c ""rmdir /q /s C:\Windows\Temp\ntds_T1003 >nul 2>&1""",,REP_WHITE,,2023-08-18 11:59:46 +0000 UTC,2023-08-18 11:59:30.578 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2168,c:\windows\system32\openssh\sshd.exe,2023-08-18 11:59:46 +0000 UTC,34.214.100.40,WINDOWS,2168,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2336,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,2023-08-18 11:59:30.578 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000920-00000000-1d9d1cb70914c34,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-3 -Cleanup """,b0a8ff4c-3dbe-11ee-8296-09214fa5925c,REP_WHITE,,,34.214.100.40,2336,7DESJ9GN-006a07ff-00000878-00000000-1d9d1cb70704326,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:41:18.161 PM",,,,,,,,,,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",KOGNOS-W19-CB-3\Administrator,2940,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000b7c-00000000-1d9d1d05dca4312,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",,REP_WHITE,,2023-08-18 12:35:20 +0000 UTC,2023-08-18 12:34:44.112 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1444,c:\windows\system32\openssh\sshd.exe,2023-08-18 12:35:20 +0000 UTC,34.214.100.40,WINDOWS,1444,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2964,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,2023-08-18 12:34:44.112 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,REP_WHITE,,,34.214.100.40,2964,7DESJ9GN-006a07ff-000005a4-00000000-1d9d1d059e3aa95,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:41:18.782 PM",,,,,,,,,,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",KOGNOS-W19-CB-3\Administrator,2940,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000b7c-00000000-1d9d1d05dca4312,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",,REP_WHITE,,2023-08-18 12:34:58 +0000 UTC,2023-08-18 12:34:44.112 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1444,c:\windows\system32\openssh\sshd.exe,2023-08-18 12:34:58 +0000 UTC,34.214.100.40,WINDOWS,1444,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2964,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,2023-08-18 12:34:44.112 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,REP_WHITE,,,34.214.100.40,2964,7DESJ9GN-006a07ff-000005a4-00000000-1d9d1d059e3aa95,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/18/2023, 12:41:36.833 PM",,,,,,,,,,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,3eab44ee-312f-9752-c27d-7314c38041a0,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,"[{""name"":""Microsoft Windows"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED""}]",,,,,,,,,,,,,,"""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",KOGNOS-W19-CB-3\Administrator,2940,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-00000b7c-00000000-1d9d1d05dca4312,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""C:\Windows\system32\cmd.exe"" /c ""wmic /node:""localhost"" shadowcopy list brief"" ",,REP_WHITE,,2023-08-18 12:34:58 +0000 UTC,2023-08-18 12:34:44.112 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1444,c:\windows\system32\openssh\sshd.exe,2023-08-18 12:34:58 +0000 UTC,34.214.100.40,WINDOWS,1444,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,2964,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,2023-08-18 12:34:44.112 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000b94-00000000-1d9d1d05a051075,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -GetPrereqs """,9c6bedd7-3dc3-11ee-a5ad-ab06f6a48365,REP_WHITE,,,34.214.100.40,2964,7DESJ9GN-006a07ff-000005a4-00000000-1d9d1d059e3aa95,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:56:59.209 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:32 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:32 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:56:39.873 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:32 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:32 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:56:40.023 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:32 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:32 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:57:03.129 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:32 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:32 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:57:38.703 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:58 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:58 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:57:38.845 AM",,,,,,,,,,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,bcb284e7-c3a9-aff7-ae9e-30adaef1d88b,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,4300,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000010cc-00000000-1d9c6c9b4f3380a,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:49:58 +0000 UTC,2023-08-04 11:49:21.074 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,1380,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:49:58 +0000 UTC,34.214.100.40,WINDOWS,1380,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,3080,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,2023-08-04 11:49:21.074 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-00000c08-00000000-1d9c6c9b38569c9,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-6 -Cleanup """,f346ae59-32bc-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,3080,7DESJ9GN-006a07ff-00000564-00000000-1d9c6c9b364c066,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:43:51.662 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:20 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:20 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:40:58.381 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:20 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:20 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:42:56.339 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:50 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:50 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:42:56.354 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:50 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:50 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:43:50.828 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:20 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:20 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,
+1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"8/4/2023, 11:43:51.584 AM",,,,,,,,,,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,825b1b46-b3e6-5f53-1eb5-0c2d2a3d5c47,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""cmd.exe"" /c """"",KOGNOS-W19-CB-3\Administrator,504,c:\windows\system32\cmd.exe,REP_WHITE,7DESJ9GN-006a07ff-000001f8-00000000-1d9c6c7dcc1d4d6,"["""",""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527""]","""cmd.exe"" /c """"",,REP_WHITE,,2023-08-04 11:36:20 +0000 UTC,2023-08-04 11:36:08.865 +0000 UTC,KOGNOS-W19-CB-3\Administrator,c:\windows\system32\openssh\sshd.exe,endpoint.event.procstart,Kognos-W19-CB-3,c:\windows\system32\windowspowershell\v1.0\powershell.exe,NGAV,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",,KOGNOS-W19-CB-3\Administrator,2476,c:\windows\system32\openssh\sshd.exe,2023-08-04 11:36:20 +0000 UTC,34.214.100.40,WINDOWS,2476,34.214.100.40,"["""",""731e8034cb953abcd0fc86400ad55113efa302f77d276213198a76065601576b""]",,,Kognos-W19-CB-3,,ACTION_TERMINATE,7DESJ9GN,ACTION_CREATE_PROCESS,,164,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",false,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,2023-08-04 11:36:08.865 +0000 UTC,WINDOWS,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,6948863,"The application ""<share><link hash=""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c"">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>"" invoked the application ""<share><link hash=""bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527"">C:\windows\system32\cmd.exe</link></share>"". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.","[""7353f60b1739074eb17c5f4dddefe239"",""de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c""]",7DESJ9GN-006a07ff-000000a4-00000000-1d9c6c7db4cf526,6948863,,1,endpoint.event.procstart,,"""c:\windows\system32\windowspowershell\v1.0\powershell.exe"" -c ""cd c:\ ; echo MYPID=$PID; Invoke-AtomicTest T1003.003-5 -Cleanup """,1b40aacb-32bb-11ee-b784-17ffc8c6bc2d,REP_WHITE,,,34.214.100.40,164,7DESJ9GN-006a07ff-000009ac-00000000-1d9c6c7db2c6232,,CarbonBlackEvents_CL,

Sample Data/ASIM/VMware_CarbonBlackCloud_ASimProcessTerminate_IngestedLogs.csv

@@ -0,0 +1,31 @@
+TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [UTC]",Computer,RawData,"modload_md5_s","fileless_scriptload_hash_s","fileless_scriptload_cmdline_length_d","fileless_scriptload_cmdline_s","scriptload_hash_s","scriptload_content_length_d","scriptload_content_s","incidentId_g","alert_id_g","securityEventCode_g","process_fork_pid_d","scriptload_effective_reputation_s","scriptload_publisher_s","scriptload_count_d","scriptload_reputation_s","scriptload_name_s","childproc_publisher_s","crossproc_name_s","crossproc_hash_s","crossproc_guid_s","crossproc_action_s","crossproc_publisher_s","crossproc_target_b","crossproc_reputation_s","process_publisher_s","filemod_name_s","filemod_hash_s","netconn_community_id_s","modload_md5_g","modload_publisher_s","modload_hash_s","modload_effective_reputation_s","modload_name_s","modload_sha256_s","modload_count_d","process_duration_d","crossproc_api_s","regmod_name_s","target_cmdline_s","childproc_username_s","childproc_pid_d","childproc_name_s","childproc_reputation_s","childproc_guid_s","childproc_hash_s","processDetails_targetCommandLine_s","local_ip_s","parent_reputation_s","netconn_inbound_b","createTime_s","eventTime_s","process_username_s","processDetails_parentName_s","type_s","device_name_s","process_path_s","event_origin_s","longDescription_s","parent_cmdline_s","processDetails_fullUserName_s","parent_pid_d","parent_path_s","backend_timestamp_s","device_external_ip_s","device_os_s","processDetails_parentPid_d","deviceDetails_deviceIpAddress_s","parent_hash_s","local_port_d","deviceDetails_msmGroupName_s","deviceDetails_deviceName_s","device_group_s","sensor_action_s","org_key_s","action_s","remote_ip_s","processDetails_processId_d","event_description_s","process_terminated_b","processDetails_commandLine_s","event_id_g","device_timestamp_s","deviceDetails_deviceType_s","process_cmdline_s","deviceDetails_deviceId_s","shortDescription_s","process_hash_s","process_guid_s","device_id_s","netconn_protocol_s","schema_d","eventType_s","remote_port_d","processDetails_parentCommandLine_s","eventId_g","process_reputation_s","netFlow_peerFqdn_s","netconn_domain_s","deviceDetails_deviceIpV4Address_s","process_pid_d","parent_guid_s","netFlow_peerIpAddress_s",Type,"_ResourceId"
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:16:00.856 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,6,,,"""C:\Users\JCrumpe\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,,,,,,"""C:\Users\JCrumpe\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,"REP_WHITE",,"2023-08-08 15:08:39 +0000 UTC","2023-08-08 15:07:29.360901 +0000 UTC","EIP\JCrumpe","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20001","c:\users\jcrumpe\appdata\local\microsoft\onedrive\23.147.0716.0001\filecoauth.exe",EDR,,"C:\Windows\system32\svchost.exe -k DcomLaunch -p","EIP\JCrumpe",964,"c:\windows\system32\svchost.exe","2023-08-08 15:08:39 +0000 UTC","11.12.1.2",WINDOWS,964,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,,"EIP\WW-20001",,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,6320,,true,"""C:\Users\JCrumpe\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,"2023-08-08 15:07:29.360901 +0000 UTC",WINDOWS,"""C:\Users\JCrumpe\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",6612372,,"[""bb15c6bf740ebf82cf1110ef2abd458f"",""3316299c8b1caecb748ed2b299951c0f9bd018ed30a343e7f141598bdaa7e91f""]","7DESJ9GN-0064e594-000018b0-00000000-1d9ca0a08ae7440",6612372,,1,"endpoint.event.procend",,"""C:\Users\JCrumpe\AppData\Local\Microsoft\OneDrive\23.147.0716.0001\FileCoAuth.exe"" -Embedding",,"REP_WHITE",,,"11.12.1.2",6320,"7DESJ9GN-0064e594-000003c4-00000000-1d9b510f52729a8",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.237 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:19.0785762 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,6916,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:19.0785762 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001b04-00000000-1d9ca0ab9414c11",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",6916,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.237 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:23.1257324 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,1332,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:23.1257324 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000534-00000000-1d9ca0abbabb1cc",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",1332,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:27.1870431 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,1356,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:27.1870431 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-0000054c-00000000-1d9ca0abe16a5e8",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",1356,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:31.2402536 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4636,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:31.2402536 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-0000121c-00000000-1d9ca0ac0811578",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4636,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:35.289547 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,7416,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:35.289547 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001cf8-00000000-1d9ca0ac2eaec75",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",7416,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:39.3446761 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,2388,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:39.3446761 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000954-00000000-1d9ca0ac555b18f",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",2388,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:43.3920621 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,6464,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:43.3920621 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001940-00000000-1d9ca0ac7bfc631",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",6464,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:47.4504796 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,8184,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:47.4504796 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001ff8-00000000-1d9ca0aca2a8c58",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",8184,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:51.5056095 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,1956,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:51.5056095 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000007a4-00000000-1d9ca0acc955082",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",1956,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:55.5559428 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4968,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:55.5559428 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001368-00000000-1d9ca0aceff5a25",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4968,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""name"":""Microsoft Corporation"",""state"":""FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"" /ua /installsource scheduler",,,,,,,"""C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"" /ua /installsource scheduler",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:59.5418722 +0000 UTC","NT AUTHORITY\SYSTEM","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","NT AUTHORITY\SYSTEM",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,2340,,true,"""C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"" /ua /installsource scheduler",,"2023-08-08 15:12:59.5418722 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"" /ua /installsource scheduler",6612402,,"[""c019e421d9f897108e51666cbae2c8b0"",""3096d8e82917a9b73f322f4b1743e52e9b0c8b3c5933a957e73e29d6973cdd5b""]","7DESJ9GN-0064e5b2-00000924-00000000-1d9ca0ad132987b",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"" /ua /installsource scheduler",,"REP_WHITE",,,"11.12.1.2",2340,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:12:59.6043737 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,5516,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:12:59.6043737 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-0000158c-00000000-1d9ca0ad168f085",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",5516,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:03.6563442 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,3436,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:03.6563442 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000d6c-00000000-1d9ca0ad3d3bb4b",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",3436,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:07.7033274 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4396,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:07.7033274 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-0000112c-00000000-1d9ca0ad63cf3f2",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4396,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:11.751358 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,5132,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:11.751358 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-0000140c-00000000-1d9ca0ad8a6a8e3",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",5132,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:15.8077841 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4828,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:15.8077841 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000012dc-00000000-1d9ca0adb119e9d",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4828,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:19.855455 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,7016,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:19.855455 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001b68-00000000-1d9ca0add7b1a4b",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",7016,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:23.9043824 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,7108,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:23.9043824 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001bc4-00000000-1d9ca0adfe50baa",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",7108,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:27.9491902 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,2920,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:27.9491902 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000b68-00000000-1d9ca0ae24e5827",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",2920,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:31.9982173 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,2036,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:31.9982173 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000007f4-00000000-1d9ca0ae4b7faf4",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",2036,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:36.0560562 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,2468,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:36.0560562 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000009a4-00000000-1d9ca0ae7231d91",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",2468,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:40.1020365 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,5272,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:40.1020365 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001498-00000000-1d9ca0ae98c7071",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",5272,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:44.1350694 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4780,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:44.1350694 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000012ac-00000000-1d9ca0aebf4ba47",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4780,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:48.1972189 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,7540,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:48.1972189 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001d74-00000000-1d9ca0aee5fd702",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",7540,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:52.253208 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,6720,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:52.253208 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001a40-00000000-1d9ca0af0cab2c2",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",6720,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:13:56.3068571 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,4268,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:13:56.3068571 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-000010ac-00000000-1d9ca0af33555ce",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",4268,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:14:00.3648368 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,7868,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:14:00.3648368 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00001ebc-00000000-1d9ca0af5a06e0a",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",7868,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:14:04.3819686 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,3008,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:14:04.3819686 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000bc0-00000000-1d9ca0af8055454",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",3008,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",
+"1a0e2567-2e58-4989-ad18-206108185325",RestAPI,,,"8/8/2023, 3:18:27.268 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""state"":""FILE_SIGNATURE_STATE_NOT_SIGNED""}]",,,,,,,,,,,0,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,,,,,,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_WHITE",,"2023-08-08 15:14:27 +0000 UTC","2023-08-08 15:14:08.4285774 +0000 UTC","EIP\DKettle","c:\windows\system32\svchost.exe","endpoint.event.procend","EIP\WW-20003","c:\program files (x86)\rthreat\rthreatagent\app\rthreat.agent.exe",EDR,,"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule","EIP\DKettle",1676,"c:\windows\system32\svchost.exe","2023-08-08 15:14:27 +0000 UTC","11.12.1.2",WINDOWS,1676,"11.12.1.2","[""b7f884c1b74a263f746ee12a5f7c9f6a"",""add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88""]",,abc,"EIP\WW-20003",abc,"ACTION_ALLOW",7DESJ9GN,"ACTION_PROCESS_TERMINATE",,3276,,true,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"2023-08-08 15:14:08.4285774 +0000 UTC",WINDOWS,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",6612402,,"[""02e333c54cbd65b783576da7643c1288"",""bc5e613bfb54cceb65ba1b3fb0cb8f2e329fc720803fb61e094565ae85482566""]","7DESJ9GN-0064e5b2-00000ccc-00000000-1d9ca0afa6edb86",6612402,,1,"endpoint.event.procend",,"""C:\Program Files (x86)\rThreat\rThreatAgent\App\rThreat.Agent.exe""",,"REP_NOT_LISTED",,,"11.12.1.2",3276,"7DESJ9GN-0064e5b2-0000068c-00000000-1d9b51265f796cd",,"CarbonBlackEvents_CL",