Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #1898 from socprime/Crowdstrike-FDR 

CrowdstrikeFDR
This commit is contained in:
v-jayakal 2021-03-16 12:32:07 -07:00 коммит произвёл GitHub
Родитель 56a750dcdf fa493ac41e
Коммит a50aeb71ae
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
12 изменённых файлов: 4238 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2017
.script/tests/KqlvalidationsTests/CustomTables/CrowdstrikeReplicator Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

Двоичные данные
DataConnectors/CrowdstrikeFDR/CrowdstrikeFalconAPISentinelConn.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

176
DataConnectors/CrowdstrikeFDR/CrowdstrikeFalconAPISentinelConnector/__init__.py Normal file
Просмотреть файл

@ -0,0 +1,176 @@
import boto3
import json
import datetime
from botocore.config import Config as BotoCoreConfig
import tempfile
import os
import gzip
import time
import base64
import hashlib
import hmac
import requests
import threading
import azure.functions as func
import logging
import re
customer_id = os.environ['WorkspaceID']
shared_key = os.environ['WorkspaceKey']
log_type = "CrowdstrikeReplicatorLogs"
AWS_KEY = os.environ['AWS_KEY']
AWS_SECRET = os.environ['AWS_SECRET']
AWS_REGION_NAME = os.environ['AWS_REGION_NAME']
QUEUE_URL = os.environ['QUEUE_URL']
VISIBILITY_TIMEOUT = 60
temp_dir = tempfile.TemporaryDirectory()
if 'logAnalyticsUri' in os.environ:
logAnalyticsUri = os.environ['logAnalyticsUri']
pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$"
match = re.match(pattern,str(logAnalyticsUri))
if not match:
raise Exception("Invalid Log Analytics Uri.")
else:
logAnalyticsUri = "https://" + customer_id + ".ods.opinsights.azure.com"
def get_sqs_messages():
logging.info("Creating SQS connection")
sqs = boto3.resource('sqs', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET)
queue = sqs.Queue(url=QUEUE_URL)
logging.info("Queue connected")
for msg in queue.receive_messages(VisibilityTimeout=VISIBILITY_TIMEOUT):
msg_body = json.loads(msg.body)
ts = datetime.datetime.utcfromtimestamp(msg_body['timestamp'] / 1000).strftime('%Y-%m-%d %H:%M:%S.%f')[:-3]
logging.info("Start processing bucket {0}: {1} files with total size {2}, bucket timestamp: {3}".format(msg_body['bucket'],msg_body['fileCount'],msg_body['totalSize'],ts))
if "files" in msg_body:
if download_message_files(msg_body) is True:
msg.delete()
def process_message_files():
for file in files_for_handling:
process_file(file)
def download_message_files(msg):
try:
msg_output_path = os.path.join(temp_dir.name, msg['pathPrefix'])
if not os.path.exists(msg_output_path):
os.makedirs(msg_output_path)
for s3_file in msg['files']:
s3_path = s3_file['path']
local_path = os.path.join(temp_dir.name, s3_path)
logging.info("Start downloading file {}".format(s3_path))
s3_client.download_file(msg['bucket'], s3_path, local_path)
if check_damaged_archive(local_path) is True:
logging.info("File {} successfully downloaded.".format(s3_path))
files_for_handling.append(local_path)
else:
logging.warn("File {} damaged. Unpack ERROR.".format(s3_path))
return True
except Exception as ex:
logging.error("Exception in downloading file from S3. Msg: {0}".format(str(ex)))
return False
def check_damaged_archive(file_path):
chunksize = 1024*1024 # 10 Mbytes
with gzip.open(file_path, 'rb') as f:
try:
while f.read(chunksize) != '':
return True
except:
return False
def process_file(file_path):
global processed_messages_success, processed_messages_failed
processed_messages_success = 0
processed_messages_failed = 0
size = 1024*1024
# unzip archive to temp file
out_tmp_file_path = file_path.replace(".gz", ".tmp")
with gzip.open(file_path, 'rb') as f_in:
with open(out_tmp_file_path, 'wb') as f_out:
while True:
data = f_in.read(size)
if not data:
break
f_out.write(data)
os.remove(file_path)
threads = []
with open(out_tmp_file_path) as file_handler:
for data_chunk in split_chunks(file_handler):
chunk_size = len(data_chunk)
logging.info("Processing data chunk of file {} with {} events.".format(out_tmp_file_path, chunk_size))
data = json.dumps(data_chunk)
t = threading.Thread(target=post_data, args=(data, chunk_size))
threads.append(t)
t.start()
for t in threads:
t.join()
logging.info("File {} processed. {} events - successfully, {} events - failed.".format(file_path, processed_messages_success,processed_messages_failed))
os.remove(out_tmp_file_path)
def split_chunks(file_handler, chunk_size=15000):
chunk = []
for line in file_handler:
chunk.append(json.loads(line))
if len(chunk) == chunk_size:
yield chunk
chunk = []
if chunk:
yield chunk
def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(customer_id,encoded_hash)
return authorization
def post_data(body,chunk_count):
global processed_messages_success, processed_messages_failed
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
uri = logAnalyticsUri + resource + "?api-version=2016-04-01"
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
response = requests.post(uri,data=body, headers=headers)
if (response.status_code >= 200 and response.status_code <= 299):
processed_messages_success = processed_messages_success + chunk_count
logging.info("Chunk with {} events was processed and uploaded to Azure".format(chunk_count))
else:
processed_messages_failed = processed_messages_failed + chunk_count
logging.warn("Problem with uploading to Azure. Response code: {}".format(response.status_code))
def cb_rename_tmp_to_json(file_path, file_size, lines_count):
out_file_name = file_path.replace(".tmp", ".json")
os.rename(file_path, out_file_name)
def create_s3_client():
try:
boto_config = BotoCoreConfig(region_name=AWS_REGION_NAME)
return boto3.client('s3', region_name=AWS_REGION_NAME, aws_access_key_id=AWS_KEY, aws_secret_access_key=AWS_SECRET, config=boto_config)
except Exception as ex:
logging.error("Connect to S3 exception. Msg: {0}".format(str(ex)))
return None
s3_client = create_s3_client()
def main(mytimer: func.TimerRequest) -> None:
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Starting program')
logging.info(logAnalyticsUri)
global files_for_handling
files_for_handling = []
get_sqs_messages()
process_message_files()

11
DataConnectors/CrowdstrikeFDR/CrowdstrikeFalconAPISentinelConnector/function.json Normal file
Просмотреть файл

@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 */5 * * * *"
}
]
}

121
DataConnectors/CrowdstrikeFDR/CrowdstrikeReplicator_API_FunctionApp.json Normal file
Просмотреть файл

@ -0,0 +1,121 @@
{
"id": "CrowdstrikeReplicator",
"title": "Crowdstrike Falcon Data Replicator",
"publisher": "Crowdstrike",
"descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Azure Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).",
"graphQueries": [{
"metricName": "Total data received",
"legend": "CrowdstrikeReplicatorLogs_CL",
"baseQuery": "CrowdstrikeReplicatorLogs_CL"
}
],
"sampleQueries": [{
"description": "Data Replicator - All Activities",
"query": "CrowdstrikeReplicator\n | sort by TimeGenerated desc"
}
],
"dataTypes": [{
"name": "CrowdstrikeReplicatorLogs_CL",
"lastDataReceivedQuery": "CrowdstrikeReplicatorLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [{
"type": "IsConnectedQuery",
"value": [
"CrowdstrikeReplicatorLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "SQS and AWS S3 account credentials/permissions",
"description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket."
}
]
},
"instructionSteps": [{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the S3 bucket to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-crowdstrikereplicator-parser) to create the Kusto functions alias, **CrowdstrikeReplicator**."
},
{
"title": "",
"description": "**STEP 1 - Contact CrowdStrike support to obtain the credentials and Queue URL.**\n"
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Crowdstrike Falcon Data Replicator connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicator-azuredeploy)\n2. Select the preferred **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
]
}

206
DataConnectors/CrowdstrikeFDR/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json Normal file
Просмотреть файл

@ -0,0 +1,206 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "CSFalcon",
"minLength": 1,
"maxLength": 11,
"type": "string"
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<workspaceID>"
},
"WorkspaceKey": {
"type": "securestring",
"defaultValue": "<workspaceKey>"
},
"AWS_KEY": {
"type": "string",
"defaultValue": "<AWS_KEY>"
},
"AWS_SECRET": {
"type": "securestring",
"defaultValue": "<AWS_SECRET>"
},
"AWS_REGION_NAME": {
"type": "string",
"defaultValue": "<AWS_REGION_NAME>"
},
"QUEUE_URL": {
"type": "string",
"defaultValue": "<QUEUE_URL>"
}
},
"variables": {
"FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"AWS_KEY": "[parameters('AWS_KEY')]",
"AWS_SECRET": "[parameters('AWS_SECRET')]",
"AWS_REGION_NAME": "[parameters('AWS_REGION_NAME')]",
"QUEUE_URL": "[parameters('QUEUE_URL')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}

15
DataConnectors/CrowdstrikeFDR/host.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[1.*, 2.0.0)"
}
}

4
DataConnectors/CrowdstrikeFDR/proxies.json Normal file
Просмотреть файл

@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}

7
DataConnectors/CrowdstrikeFDR/requirements.txt Normal file
Просмотреть файл

@ -0,0 +1,7 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-functions
boto3
requests

7
Logos/crowdstrike.svg Normal file
Просмотреть файл

@ -0,0 +1,7 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M71.2837 56.2381C68.5154 55.7879 65.6757 56.2237 63.1699 57.4833C59.5898 59.3123 58.1694 59.4291 56.3988 59.1956C56.9241 60.149 57.9748 61.4721 61.2826 61.7056C64.5903 61.9391 66.1664 62.0364 64.4347 66.1808C64.4347 64.9355 64.1817 62.5033 60.8934 62.9314C57.6051 63.3595 56.8463 66.3364 60.3681 67.8152C59.2201 68.0487 56.7879 68.1849 55.0562 63.6124C53.8499 64.1378 52.0014 65.1884 48.6547 62.6006C49.4985 62.8744 50.3757 63.0315 51.262 63.0676C48.2343 61.4944 45.6158 59.2357 43.6153 56.4715C44.9714 57.6327 46.597 58.4355 48.3434 58.8064C44.7347 54.5997 40.8336 50.653 36.669 46.9958C40.1324 49.2723 44.3352 52.833 51.1842 52.0547C58.0332 51.2764 62.5084 49.6809 71.2837 56.2381Z" fill="#FC3000"/>
<path d="M41.9614 54.6037C38.5202 53.0091 34.92 51.783 31.221 50.9457C25.5187 49.6367 20.3969 46.509 16.6279 42.0342C19.1768 43.9799 24.4109 47.7157 29.7811 47.3071C28.6667 45.9677 27.254 44.9082 25.6561 44.2134C27.6992 44.6999 33.8477 46.2954 41.9614 54.6037Z" fill="#FC3000"/>
<path d="M32.6024 38.6291C31.4933 35.4381 29.4892 31.3521 20.0135 25.2814C12.4574 20.7469 5.61242 15.1214 -0.299988 8.58698C0.342105 11.2332 3.16342 18.1016 17.3673 27.0131C22.0371 30.2041 28.0494 32.1888 32.6024 38.6875V38.6291Z" fill="#FC3000"/>
<path d="M33.1861 43.26C32.0187 40.5554 29.6838 37.092 20.4999 32.1498C13.8333 28.8269 7.75924 24.4291 2.52133 19.1329C3.10505 21.6429 6.1404 27.1688 19.1574 34.0761C22.7181 36.0608 28.8861 37.9287 33.1861 43.26Z" fill="#FC3000"/>
<path d="M42.0976 29.3091C24.1968 24.1529 17.0754 17.6736 11.569 10.8635C14.079 18.6464 20.0719 21.4872 26.4928 26.7407C32.9137 31.9942 33.264 34.8155 35.1513 37.9287C39.3541 44.836 40.0157 45.9646 44.1795 48.9999C49.1023 52.2688 55.0562 50.0506 61.5744 51.0819C66.7553 52.0585 71.4072 54.8786 74.6692 59.0205C76.0312 56.5688 72.7235 53.0471 71.8868 52.152C72.3538 48.9415 64.8043 47.5406 61.9247 46.4316C61.3799 46.2175 59.9789 45.8867 61.1853 43.0071C62.8197 39.1156 64.5125 35.5743 42.0976 29.3869V29.3091ZM67.9175 50.4009C71.3226 50.9067 71.1475 51.6267 71.1864 52.8719C70.2376 51.8768 69.1337 51.0423 67.9175 50.4009V50.4009Z" fill="#FC3000"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 2.2 KiB

1011
Parsers/CrowdstrikeFDR/CrowdstrikeReplicator Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

663
Sample Data/Custom/CrowdstrikeReplicatorLogs_CL.json Normal file
Просмотреть файл

@ -0,0 +1,663 @@
[{
"ProcessCreateFlags":"525332",
"IntegrityLevel":"4096",
"ParentProcessId":"2065892889926",
"SourceProcessId":"2065892889926",
"aip":"165.165.165.165",
"SHA1HashData":"0000000000000000000000000000000000000000",
"UserSid":"S-1-12-1-3105947409-1312664182-3305734049-3050736265",
"event_platform":"Win",
"TokenType":"2",
"ProcessEndTime":"",
"AuthenticodeHashData":"7e23eb59249cc9d1be47b6e0dd9e89039d5dc6eb70b5105051ed739418a68c5e",
"ParentBaseFileName":"svchost.exe",
"RpcClientProcessId":"2065892889926",
"ImageSubsystem":"2",
"id":"8b1852b8-649f-11eb-811e-06ca739c04b7",
"EffectiveTransmissionClass":"3",
"SessionId":"1",
"Tags":"53, 54, 55, 12094627905582, 12094627906234",
"timestamp":"1612192196113",
"event_simpleName":"ProcessRollup2",
"RawProcessId":"19076",
"ConfigStateHash":"4091923303",
"MD5HashData":"b7fc4a29431d4f795bbab1fb182b759a",
"SHA256HashData":"48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
"ProcessSxsFlags":"1600",
"AuthenticationId":"1259939",
"ConfigBuild":"1007.3.0012806.1",
"WindowFlags":"128",
"CommandLine":"\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
"ParentAuthenticationId":"1259939",
"TargetProcessId":"2119008022556",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\backgroundTaskHost.exe",
"SourceThreadId":"67139455641525",
"Entitlements":"15",
"name":"ProcessRollup2V19",
"ProcessStartTime":"1612192197.855",
"ProcessParameterFlags":"16385",
"aid":"f0b5394377fb4cc1592c660de3ac2ccb",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"ScreenshotsTakenCount":"0",
"ExitCode":"0",
"ParentProcessId":"1421648597103",
"UserSid":"S-1-5-20",
"NetworkListenCount":"0",
"SuspiciousRawDiskReadCount":"0",
"NetworkBindCount":"0",
"NetworkRecvAcceptCount":"0",
"ContextData":"",
"id":"9047859a-649f-11eb-b1b3-068090ee3e49",
"NewExecutableWrittenCount":"0",
"ExeAndServiceCount":"0",
"NetworkCloseCount":"0",
"SuspectStackCount":"0",
"CLICreationCount":"0",
"UnsignedModuleLoadCount":"0",
"UserTime":"156250",
"event_simpleName":"EndOfProcess",
"RawProcessId":"13184",
"ContextTimeStamp":"1612192202.219",
"AllocateVirtualMemoryCount":"0",
"ContextProcessId":"1437581318764",
"ServiceEventCount":"0",
"SnapshotFileOpenCount":"0",
"RemovableDiskFileWrittenCount":"0",
"InjectedDllCount":"0",
"ModuleLoadCount":"39",
"UserMemoryProtectExecutableCount":"0",
"NetworkCapableAsepWriteCount":"0",
"TargetProcessId":"1437581318764",
"DnsRequestCount":"0",
"ArchiveFileWrittenCount":"0",
"Entitlements":"15",
"name":"EndOfProcessV15",
"ProcessStartTime":"1612192112.216",
"SetThreadContextCount":"0",
"SuspiciousCredentialModuleLoadCount":"0",
"aid":"d4a94db4404b42d95ae69960dd2364a5",
"cid":"e941027a2d1141f189b6c6c049c83215",
"FileDeletedCount":"0",
"UserMemoryAllocateExecutableCount":"0",
"DirectoryCreatedCount":"0",
"NetworkConnectCountUdp":"0",
"QueueApcCount":"0",
"ContextThreadId":"75529593909860",
"aip":"165.165.165.165",
"SuspiciousFontLoadCount":"0",
"ConHostId":"1152",
"NetworkConnectCount":"0",
"BinaryExecutableWrittenCount":"0",
"CycleTime":"105226185",
"event_platform":"Win",
"ConHostProcessId":"1421648597103",
"PrivilegedProcessHandleCount":"0",
"MaxThreadCount":"10",
"ImageSubsystem":"2",
"GenericFileWrittenCount":"0",
"EffectiveTransmissionClass":"3",
"ScriptEngineInvocationCount":"0",
"RunDllInvocationCount":"0",
"timestamp":"1612192204811",
"CreateProcessCount":"0",
"KernelTime":"312500",
"DirectoryEnumeratedCount":"0",
"ConfigStateHash":"4091923303",
"AsepWrittenCount":"0",
"SuspiciousDnsRequestCount":"0",
"DocumentFileWrittenCount":"0",
"ProtectVirtualMemoryCount":"0",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"UserMemoryProtectExecutableRemoteCount":"0",
"ConfigBuild":"1007.3.0012806.1",
"UserMemoryAllocateExecutableRemoteCount":"0",
"ExecutableDeletedCount":"0",
"RegKeySecurityDecreasedCount":"0",
"InjectedThreadCount":"0",
"NetworkModuleLoadCount":"0"
},
{
"event_simpleName":"DnsRequest",
"ContextTimeStamp":"1612192188.546",
"ConfigStateHash":"1187562179",
"ContextProcessId":"593354899211",
"DomainName":"domain1",
"ContextThreadId":"26667268649418",
"aip":"82.82.82.82",
"QueryStatus":"9003",
"InterfaceIndex":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"DnsRequestCount":"1",
"DualRequest":"0",
"Entitlements":"15",
"name":"DnsRequestV4",
"id":"881d1128-649f-11eb-9c59-022209fbed9d",
"EffectiveTransmissionClass":"3",
"aid":"eb2763e9afca47c996acf2a8e6651f18",
"timestamp":"1612192191111",
"cid":"e941027a2d1141f189b6c6c049c83215",
"RequestType":"1"
},
{
"ChannelVersion":"2353",
"event_simpleName":"ChannelVersionRequired",
"ConfigStateHash":"3574986334",
"aip":"165.165.165.165",
"ChannelVersionRequired":"0",
"ChannelId":"200",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"ChannelVersionRequiredV1",
"id":"7d66d49d-649f-11eb-8ef0-06f5d9b66909",
"EffectiveTransmissionClass":"0",
"aid":"ec61c9f00a054a7c499eb92b9f67e2ab",
"timestamp":"1612192173140",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkConnectIP4",
"ContextTimeStamp":"1612192203.293",
"ConfigStateHash":"3840237054",
"ConnectionFlags":"0",
"ContextProcessId":"1435198812605",
"RemotePort":"443",
"ContextThreadId":"35388335972466",
"aip":"104.104.104.104",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"54781",
"Entitlements":"15",
"name":"NetworkConnectIP4V5",
"id":"8fbf8c4c-649f-11eb-93e6-06d64cd93503",
"Protocol":"6",
"EffectiveTransmissionClass":"3",
"aid":"124bdfdf1dcf4bdb6cf503d3b93a8e36",
"RemoteAddressIP4":"52.52.52.52",
"ConnectionDirection":"0",
"InContext":"0",
"timestamp":"1612192203920",
"cid":"e941027a2d1141f189bc6c049c83215"
},
{
"ModuleCharacteristics":"8450",
"ContextThreadId":"118013339024792",
"aip":"189.189.189.189",
"OriginalEventTimeStamp":"1612192206.828",
"SHA1HashData":"0000000000000000000000000000000000000000",
"event_platform":"Win",
"MappedFromUserMode":"1",
"AuthenticodeHashData":"c733fb7f27aeb8af40676839d86bf52a58e175436de685abbc25bb881c3da65f",
"id":"92b01584-649f-11eb-b4d4-02d8cc9f6f77",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192208852",
"event_simpleName":"ImageHash",
"ContextTimeStamp":"1612192206.828",
"ConfigStateHash":"4091923303",
"ContextProcessId":"4770863664501",
"MD5HashData":"2d84620a2580073a2940067e9153243b",
"SHA256HashData":"7db6c8d5f59adbcda1fd8e4052cd0f0ad2d409b19e4ead5d9800e63913c478fb",
"ConfigBuild":"1007.3.0012806.1",
"TargetProcessId":"4770863664501",
"TreeId":"249108533330",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\gdi32.dll",
"Entitlements":"15",
"name":"ImageHashV4",
"PrimaryModule":"0",
"aid":"f46cf24c09c545c06826924f56e9b12",
"SignInfoFlags":"9175042",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"event_simpleName":"SensorHeartbeat",
"ConfigStateHash":"1187562179",
"NetworkContainmentState":"0",
"aip":"165.165.165.165",
"ConfigIDBase":"65994753",
"SensorStateBitMap":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ConfigurationVersion":"10",
"Entitlements":"15",
"name":"SensorHeartbeatV4",
"ConfigIDPlatform":"3",
"id":"99d1e81e-649f-11eb-b627-06e39ca35a05",
"ConfigIDBuild":"12806",
"EffectiveTransmissionClass":"0",
"aid":"265ebfb466e649e14f739b2ec82ef4c0",
"ProvisionState":"1",
"timestamp":"1612192220818",
"cid":"e941027a2d1141f89b6c6c049c83215"
},
{
"Parameter2":"104741656",
"event_simpleName":"ErrorEvent",
"Parameter1":"3934815034",
"Parameter3":"0",
"ConfigStateHash":"4091923303",
"aip":"104.104.104.104",
"Line":"1066",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ErrorStatus":"3221227780",
"Entitlements":"15",
"name":"ErrorEventV1",
"id":"851075fd-649f-11eb-9d98-0256c1ba3b87",
"Facility":"67109928",
"EffectiveTransmissionClass":"0",
"aid":"7eece200f1444be9650676f1460ec1f4",
"File":"0",
"timestamp":"1612192185995",
"cid":"e941027a2d114189b6c6c049c83215"
},
{
"Options":"35651617",
"ContextThreadId":"34965671247409",
"MinorFunction":"0",
"aip":"47.47.47.47",
"FileIdentifier":"f31039767b57934cab36a2c87ff011b649010000001a00",
"Information":"2",
"event_platform":"Win",
"ShareAccess":"3",
"id":"9c750397-649f-11eb-a468-02143f29d047",
"FileObject":"18446614397218495824",
"EffectiveTransmissionClass":"3",
"FileAttributes":"128",
"timestamp":"1612192225242",
"Status":"0",
"event_simpleName":"DirectoryCreate",
"ContextTimeStamp":"1612192225.647",
"ConfigStateHash":"370429029",
"ContextProcessId":"1015925104824",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1048577",
"Entitlements":"15",
"name":"DirectoryCreateV1",
"OperationFlags":"0",
"aid":"d9a8e94338e34c667ac3c406b33a26",
"cid":"e941027a2d114189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume4\\Users\\T\\AppData\\Local\\Temp\\{A6EDA298-D2B2-43BD-BF53-4AAC80A8F624}"
},
{
"event_simpleName":"SetWinEventHookEtw",
"RawProcessId":"0",
"ContextTimeStamp":"1612192180.085",
"ConfigStateHash":"1002018934",
"EtwRawProcessId":"12680",
"ContextProcessId":"1462865029781",
"EventMax":"2147483410",
"SourceProcessId":"0",
"aip":"147.147.147.147",
"EtwRawThreadId":"13348",
"Flags":"0",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"EventMin":"2147483408",
"SourceThreadId":"0",
"Entitlements":"15",
"name":"SetWinEventHookEtwV1",
"RawThreadId":"0",
"id":"8004b527-649f-11eb-9488-024e6bf3d6b1",
"EffectiveTransmissionClass":"3",
"aid":"e30dfd2dac46425c721ffb42691c1c",
"timestamp":"1612192177530",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"LocalAddressIP4":"10.10.10.10",
"event_simpleName":"NetworkReceiveAcceptIP4",
"ContextTimeStamp":"1612192231.439",
"ConfigStateHash":"976821965",
"ConnectionFlags":"0",
"ContextProcessId":"138285062270780",
"RemotePort":"137",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"LocalPort":"137",
"Entitlements":"15",
"name":"NetworkReceiveAcceptIP4V5",
"id":"a02b6add-649f-11eb-a61c-027816f012a3",
"Protocol":"17",
"EffectiveTransmissionClass":"3",
"aid":"acd89ebd166344b17e6d7018dbde25cc",
"RemoteAddressIP4":"23.23.23.23",
"ConnectionDirection":"1",
"InContext":"0",
"timestamp":"1612192231470",
"cid":"e941027a2d1141f186c6c049c83215"
},
{
"event_simpleName":"RegisterRawInputDevicesEtw",
"ContextTimeStamp":"1612192192.661",
"ConfigStateHash":"4091923303",
"EtwRawProcessId":"9528",
"ContextProcessId":"2801870511975",
"aip":"71.71.71.71",
"EtwRawThreadId":"9428",
"ApiReturnValue":"1",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"RegisterRawInputDevicesEtwV1",
"id":"89e6dbf0-649f-11eb-b45d-022d70a19ab5",
"EffectiveTransmissionClass":"3",
"aid":"ede5911c3ded4cac6927ee72eef376ba",
"timestamp":"1612192194111",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"Size":"14712251",
"ContextThreadId":"165986129080464",
"MinorFunction":"0",
"aip":"185.185.185.185",
"IsOnNetwork":"0",
"FileIdentifier":"5399f2747c5de811960c806e6f6e69632cc701000000e31f",
"event_platform":"Win",
"TokenType":"1",
"id":"7d82fc3d-649f-11eb-86d4-06271f28c015",
"FileObject":"2292681824",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192173324",
"event_simpleName":"DmpFileWritten",
"ContextTimeStamp":"1612192172.528",
"ConfigStateHash":"3840237054",
"ContextProcessId":"30359610206388",
"IrpFlags":"1028",
"AuthenticationId":"237790",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"DmpFileWrittenV12",
"OperationFlags":"0",
"aid":"e7149f2a8a69453b74a072f67cfc4d",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume1\\ProgramData\\Zscaler\\ZSATray.exe.11924.dmp"
},
{
"Size":"5120",
"ContextThreadId":"20459934839588",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"405e4cec2cac994b802c88a89583ce852db9000000002e00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_8086&DEV_F1A6&SUBSYS_390B8086&REV_03\\4&280be160&0&00E4",
"id":"954b4f19-649f-11eb-86b9-06f80c26adc1",
"FileObject":"18446698488861015536",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192213225",
"event_simpleName":"PeFileWritten",
"ContextTimeStamp":"1612192154.275",
"ConfigStateHash":"1187562179",
"IsTransactedFile":"0",
"ContextProcessId":"538129154765",
"IrpFlags":"1028",
"SHA256HashData":"28ca0d1c692331a22174be034be2d6a39f4c1868e2a7b23172335554fcd1e681",
"AuthenticationId":"999",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"PeFileWrittenV15",
"OperationFlags":"0",
"aid":"578817b172b44b32fec1ab92ea86b0",
"cid":"e941027a2d1141f1b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\2C957836-F162-4817-87B7-A6668CC4AE78\\en-US\\UnattendProvider.dll.mui"
},
{
"Options":"33554532",
"ContextThreadId":"76915493345508",
"MinorFunction":"0",
"aip":"147.147.147.147",
"Information":"2",
"FileIdentifier":"edc203080b0ab8458680afe68146b1ed6c62010000009700",
"event_platform":"Win",
"ShareAccess":"0",
"id":"80d5ae7b-649f-11eb-9488-024e6bf3d6b1",
"FileObject":"18446634184237273600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192178899",
"Status":"0",
"event_simpleName":"NewExecutableWritten",
"ContextTimeStamp":"1612192178.595",
"ConfigStateHash":"1002018934",
"ContextProcessId":"1462865029781",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewExecutableWrittenV1",
"OperationFlags":"0",
"aid":"e30dfd2dac464a925c721ffb42691c1c",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\S\\AppData\\Local\\assembly\\tmp\\VVCQJISQ\\Newtonsoft.Json.DLL"
},
{
"Options":"88080484",
"ContextThreadId":"121390994923701",
"MinorFunction":"0",
"aip":"165.165.165.165",
"Information":"2",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e893b34000000007e01",
"event_platform":"Win",
"ShareAccess":"1",
"id":"9a1112a6-649f-11eb-a1a0-02d051f2be4b",
"FileObject":"18446705066600845600",
"EffectiveTransmissionClass":"3",
"FileAttributes":"0",
"timestamp":"1612192221231",
"Status":"0",
"event_simpleName":"NewScriptWritten",
"ContextTimeStamp":"1612192219.844",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2092451718379",
"IrpFlags":"2180",
"ConfigBuild":"1007.3.0012806.1",
"MajorFunction":"0",
"DesiredAccess":"1180054",
"Entitlements":"15",
"name":"NewScriptWrittenV7",
"OperationFlags":"0",
"aid":"1d26eadfb948448653c36c1b900df377",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Windows\\Temp\\__PSS.ps1"
},
{
"event_simpleName":"ExecutableDeleted",
"ContextTimeStamp":"1612192183.367",
"ConfigStateHash":"4091923303",
"ContextProcessId":"2235221295047",
"IrpFlags":"1028",
"ContextThreadId":"115372276358029",
"MinorFunction":"0",
"aip":"165.165.165.165",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8e86ea010000006c00",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"MajorFunction":"18",
"Entitlements":"15",
"name":"ExecutableDeletedV3",
"OperationFlags":"0",
"id":"840c4b68-649f-11eb-bde3-024e3dec27db",
"FileObject":"18446713894431458368",
"EffectiveTransmissionClass":"3",
"aid":"e17bf6ec831e4f3976553f9969664271",
"timestamp":"1612192184290",
"cid":"e941027a2d1141f186c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\k\\AppData\\Local\\assembly\\tmp\\QN76W635\\WinZipExpressForOffice.DLL"
},
{
"Status":"3221225506",
"KernelTime":"0",
"event_simpleName":"SignInfoError",
"ConfigStateHash":"4091923303",
"aip":"165.165.165.165",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\iwprn.dll",
"Entitlements":"15",
"name":"SignInfoErrorV3",
"id":"8257ef61-649f-11eb-b376-02f6607228a3",
"EffectiveTransmissionClass":"2",
"aid":"c0da753d75ff4e7971901ab055d804b4",
"timestamp":"1612192181431",
"cid":"e941027a2d1141fb6c6c049c83215"
},
{
"Size":"104753",
"ContextThreadId":"68150305082852",
"MinorFunction":"0",
"aip":"165.165.165.165",
"IsOnNetwork":"0",
"FileIdentifier":"8e22c65ac1de534d924b77bef9724e89bd9c000000009300",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_15B7&DEV_5002&SUBSYS_500215B7&REV_00\\4&18cf69ef&0&00E4",
"id":"7d068550-649f-11eb-9be1-065505666d6f",
"FileObject":"18446655072069839760",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192172508",
"event_simpleName":"OoxmlFileWritten",
"ContextTimeStamp":"1612192167.261",
"ConfigStateHash":"1187562179",
"ContextProcessId":"1961692248212",
"TemporaryFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix",
"IrpFlags":"1028",
"AuthenticationId":"286344857",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OoxmlFileWrittenV12",
"OperationFlags":"0",
"aid":"cfbece25ef5444715fb3340fad3cab37",
"cid":"e941027a2d1141f189b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\m\\Microsoft\\Power BI Desktop Store App\\TempSaves\\~$LIVE_MASTER_OH_PBI (Rec10bb0a63cb584bdf8f829122cf53fa99.pbix"
},
{
"event_simpleName":"ProcessRollup2Stats",
"ConfigStateHash":"2191674825",
"Timeout":"600",
"aip":"77.77.77.77",
"SHA256HashData":"7b7d042adc61f6bd613c202e72b88045702d3171ab27e4702411d337dd0ccb4b",
"ProcessCount":"6",
"ConfigBuild":"1007.4.0012204.1",
"UID":"0",
"event_platform":"Mac",
"CommandLine":"/usr/bin/awk {print $1;}",
"Entitlements":"15",
"name":"ProcessRollup2StatsMacV1",
"id":"7ddb47a2-649f-11eb-b100-069ffba97e11",
"aid":"4a685c5af31c441b78b96df71752f303",
"timestamp":"1612192173903",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"event_simpleName":"PeVersionInfo",
"ConfigStateHash":"4091923303",
"aip":"147.147.147.147",
"SHA256HashData":"b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15",
"ConfigBuild":"1007.3.0012806.1",
"VersionInfo":"880334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe0000010000000a000100634500000a00010063453f000000000000000400040002000000000000000000000000000000e6020000010053007400720069006e006700460069006c00650049006e0066006f000000c202000001003000340030003900300034004200300000004c001600010043006f006d00700061006e0079004e0061006d006500000000004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e0000004c0012000100460069006c0065004400650073006300720069007000740069006f006e000000000057004d0049002000500072006f0076006900640065007200200048006f00730074000000680024000100460069006c006500560065007200730069006f006e0000000000310030002e0030002e00310037003700360033002e00310020002800570069006e004200750069006c0064002e003100360030003100300031002e003000380030003000290000003a000d00010049006e007400650072006e0061006c004e0061006d006500000057006d006900700072007600730065002e006500780065000000000080002e0001004c006500670061006c0043006f0070007900720069006700680074000000a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e00000042000d0001004f0072006900670069006e0061006c00460069006c0065006e0061006d006500000057006d006900700072007600730065002e00650078006500000000006a0025000100500072006f0064007500630074004e0061006d006500000000004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d00000000003e000d000100500072006f006400750063007400560065007200730069006f006e000000310030002e0030002e00310037003700360033002e00310000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000904b00400000000000000000000000000000000",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"Wmiprvse.exe",
"TargetProcessId":"1467339488123",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"FileVersion":"10.0.17763.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"PeVersionInfoV3",
"id":"85d170dd-649f-11eb-b7ab-02c72af1f307",
"EffectiveTransmissionClass":"3",
"aid":"8a7c4aa9c11944aa7afa437b73a4817d",
"LanguageId":"1033",
"timestamp":"1612192187260",
"cid":"e941027a2d1141f189b6c6c049c83215"
},
{
"Size":"5120",
"ContextThreadId":"37505999371785",
"MinorFunction":"0",
"aip":"84.84.84.84",
"IsOnNetwork":"0",
"FileIdentifier":"139d11a6904c3b409a0727ffe77c5f8ed2da010000007f00",
"event_platform":"Win",
"TokenType":"1",
"DiskParentDeviceInstanceId":"PCI\\VEN_17AA&DEV_0003&SUBSYS_100317AA&REV_00\\4&18cf69ef&0&00E4",
"id":"7fca95a3-649f-11eb-87c5-0608a1cc49e3",
"FileObject":"18446668234812634352",
"EffectiveTransmissionClass":"3",
"timestamp":"1612192177149",
"event_simpleName":"OleFileWritten",
"ContextTimeStamp":"1612192175.957",
"ConfigStateHash":"4091923303",
"ContextProcessId":"1017509766761",
"IrpFlags":"1028",
"AuthenticationId":"757446330",
"ConfigBuild":"1007.3.0012806.1",
"FileEcpBitmask":"0",
"MajorFunction":"18",
"IsOnRemovableDisk":"0",
"Entitlements":"15",
"name":"OleFileWrittenV12",
"OperationFlags":"0",
"aid":"b324ab19ddf34b8f6672c64a05758b",
"cid":"e941027a2d1141f9b6c6c049c83215",
"TargetFileName":"\\Device\\HarddiskVolume3\\Users\\D\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\AutomationManager\\Active\\{990EF5F6-645A-11EB-AE23-7C2A31092D5A}.dat"
},
{
"event_simpleName":"DriverLoad",
"ContextTimeStamp":"1612192188.246",
"ConfigStateHash":"1036481984",
"ContextProcessId":"1305670660340",
"DriverLoadFlags":"0",
"ContextThreadId":"47805865802230",
"aip":"104.104.104.104",
"MD5HashData":"3c15a5ac47b1ca4d9a9f8680e224996f",
"SHA256HashData":"f95ec4e4e5fdff1d68179205430aad01a0124dbd682faff6270b99b4aacc793f",
"ConfigBuild":"1007.3.0012806.1",
"CompanyName":"Microsoft Corporation",
"event_platform":"Win",
"OriginalFilename":"WSDScan.sys",
"ImageFileName":"\\Device\\HarddiskVolume3\\Windows\\System32\\drivers\\WSDScan.sys",
"FileVersion":"10.0.17134.1 (WinBuild.160101.0800)",
"Entitlements":"15",
"name":"DriverLoadV3",
"id":"948cb457-649f-11eb-a03c-065d96aa71d1",
"EffectiveTransmissionClass":"3",
"aid":"6bbe3993fd594f45d25512aeabbfd4",
"timestamp":"1612192211975",
"cid":"e941027a2d1141f9b6c6c049c83215"
},
{
"event_simpleName":"NeighborListIP4",
"ConfigStateHash":"1187562179",
"NeighborList":"BC-0F-9A-F5-62-FW|192.168.0.1|0|!!!!UNKNOWN!!!!;",
"aip":"103.103.103.103",
"InterfaceIndex":"7",
"ConfigBuild":"1007.3.0012806.1",
"event_platform":"Win",
"Entitlements":"15",
"name":"NeighborListIP4V2",
"id":"9926a93d-649f-11eb-910e-024bf0016c79",
"EffectiveTransmissionClass":"3",
"aid":"504c07d9cdbb47ac793b11238a2476e1",
"timestamp":"1612192219695",
"cid":"e941027a2d114189b6c6c049c83215"
}
]