Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #1904 from socprime/Corelight 

Corelight
This commit is contained in:
v-jayakal 2021-03-22 13:50:13 -07:00 коммит произвёл GitHub
Родитель 11e29d8c9e 752d638248
Коммит d2d09d17e2
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
20 изменённых файлов: 2525 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

159
DataConnectors/Corelight/Connector_LogAnalytics_agent_Corelight.json Normal file
Просмотреть файл

@ -0,0 +1,159 @@
{
"id": "Corelight",
"title": "Corelight",
"publisher": "Corelight",
"descriptionMarkdown": "The [Corelight](https://corelight.com/) data connector provides the capability to ingest [Corelight Zeek/Bro events](https://www3.corelight.com/zeek-logs-v3.0) into Azure Sentinel. Refer to [Corelight Logs documentation](https://corelight.com/about-zeek/how-zeek-works) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **Corelight** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-Corelight-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Corelight_CL",
"baseQuery": "Corelight"
}
],
"sampleQueries": [
{
"description" : "Top 10 Clients (Source IP)",
"query": "Corelight\n | summarize count() by SrcIpAddr\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Corelight_CL",
"lastDataReceivedQuery": "Corelight\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Corelight\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 2,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-Corelight-parser) to create the Kusto Functions alias, **Corelight**",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the Server where the Corelight logs are generated.\n\n> Logs from Corelight Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description":"Follow the configuration steps below to get Corelight logs into Azure Sentinel. This configuration enriches events generated by Corelight module to provide visibility on log source information for Corelight logs. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Download config file [corelight.conf](link to the file).\n2. Login to the server where you have installed Azure Log Analytics agent.\n3. Copy corelight.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n4. Edit corelight.conf as follows:\n\n\t i. change the path to Corelight logs based on your configuration (line 3)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 25,26,27,30)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
}
]
}
]
}

37
DataConnectors/Corelight/la_agent_configs/corelight.conf Normal file
Просмотреть файл

@ -0,0 +1,37 @@
<source>
type tail
path /var/log/corelight/*.log
pos_file /tmp/corelight.pos
read_from_head true
refresh_interval 10
tag oms.api.Corelight
path_key "log_file"
format none
</source>
<filter oms.api.Corelight>
type record_transformer
enable_ruby
<record>
hostname "${hostname}"
</record>
</filter>
<match oms.api.Corelight>
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent/<workspace id>/certs/oms.crt
key_path /etc/opt/microsoft/omsagent/<workspace id>/certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent/<workspace id>/state/out_oms_api_corelight*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m
</match>

1
Logos/corelight.svg Normal file
Просмотреть файл

@ -0,0 +1 @@
<svg id="a949bbb6-6d51-4e9b-b73e-d1f2070c8dbd" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 73 73.04"><path id="a201a3aa-59b7-4110-92df-cba76dad51ef" d="M49.16,32h0a.57.57,0,0,0-.63.63h0a2.61,2.61,0,0,0-1.72-.71,1.71,1.71,0,0,0-1.89,2v5.58a1.75,1.75,0,0,0,1.89,1.94,2.74,2.74,0,0,0,1.7-.71v2.66c0,.55-.26.79-.81.79H47c-.59,0-.85-.24-.85-.77v-.08c0-.24-.1-.53-.59-.53h-.06a.52.52,0,0,0-.59.57v.08c0,1.28.69,1.93,2,1.93h.65a1.91,1.91,0,0,0,2.17-2.11V32.61C49.81,32.19,49.59,32,49.16,32Zm-.65,7.41a2.33,2.33,0,0,1-1.5.73.72.72,0,0,1-.81-.82V34c0-.59.24-.85.79-.85a2.25,2.25,0,0,1,1.52.83Zm-6.39,3a.58.58,0,0,0,.65-.65V32.67a.57.57,0,0,0-.65-.64h0a.58.58,0,0,0-.65.64v9.07a.59.59,0,0,0,.65.65Zm0-13.37h0a.62.62,0,0,0-.67.67v.45a.62.62,0,0,0,.67.67h0a.61.61,0,0,0,.67-.67v-.45A.61.61,0,0,0,42.12,29ZM38.39,42.39a.58.58,0,0,0,.65-.65V29.43a.58.58,0,0,0-.65-.65h0a.58.58,0,0,0-.65.65V41.74a.59.59,0,0,0,.65.65Zm-3.34-4.63a.66.66,0,0,0,.73-.73V34.28A2.06,2.06,0,0,0,33.46,32H33.2a2.05,2.05,0,0,0-2.31,2.32v5.88a2,2,0,0,0,2.31,2.31h.26a2.05,2.05,0,0,0,2.32-2.31v-.67a.57.57,0,0,0-.63-.63h0a.57.57,0,0,0-.63.63v.71c0,.69-.33,1-1,1h-.22c-.69,0-1-.32-1-1V37.76Zm-2.8-3.52a.89.89,0,0,1,1-1h.2c.69,0,1,.33,1,1v2.25H32.23V34.24Zm-4.83-2.19h0a.56.56,0,0,0-.63.6v9.11a.58.58,0,0,0,.63.65h0a.58.58,0,0,0,.65-.65V34.15a3.18,3.18,0,0,1,1.16-.67c.56-.16.69-.5.69-.77v-.12a.57.57,0,0,0-.59-.65c-.39,0-.79.29-1.24.86v-.19A.59.59,0,0,0,27.42,32.05ZM22.68,32h-.39A2.05,2.05,0,0,0,20,34.28v5.88a2,2,0,0,0,2.31,2.31h.39A2,2,0,0,0,25,40.16V34.28A2,2,0,0,0,22.68,32Zm1,8.24a.86.86,0,0,1-1,1h-.37a.86.86,0,0,1-1-1v-6c0-.69.32-1,1-1h.37c.69,0,1,.33,1,1Zm-6-4.2h0a.58.58,0,0,0,.65-.65V34.24A2,2,0,0,0,16.05,32h-.33a2.05,2.05,0,0,0-2.31,2.32v5.88a2,2,0,0,0,2.31,2.31h.33a2,2,0,0,0,2.29-2.31V38.74a.58.58,0,0,0-.65-.63h0a.57.57,0,0,0-.63.63V40.2a.86.86,0,0,1-1,1h-.29a.86.86,0,0,1-1-1v-6c0-.69.32-1,1-1H16c.69,0,1,.33,1,1v1.11A.57.57,0,0,0,17.63,36Zm37.19-4a2.66,2.66,0,0,0-1.75.75V29.45a.58.58,0,0,0-.65-.65h0a.57.57,0,0,0-.62.65V41.76a.57.57,0,0,0,.62.65h0a.58.58,0,0,0,.65-.65V34a2.5,2.5,0,0,1,1.52-.77c.51,0,.75.26.75.81v7.75a.59.59,0,0,0,.65.65h0a.58.58,0,0,0,.63-.65V33.81A1.66,1.66,0,0,0,54.82,32Zm4.76,10.43h0a.59.59,0,0,1-.65-.65V33.3h-.16a.56.56,0,0,1-.61-.61v0a.54.54,0,0,1,.61-.58h.18V31a.59.59,0,0,1,.65-.65h0a.58.58,0,0,1,.65.65v1.08h.63a.52.52,0,0,1,.59.58v0a.54.54,0,0,1-.59.61h-.63v8.44A.6.6,0,0,1,59.58,42.39Z" transform="translate(-1 -0.98)"/><path id="f6598a2b-3c00-4d19-b9dc-59da3af4d8b7" d="M66.07,38.84a28.67,28.67,0,0,1-56.7,4.5,30,30,0,0,1-.56-5.72A28.68,28.68,0,0,1,37.48,8.93V1A36.52,36.52,0,1,0,74,38.84Z" transform="translate(-1 -0.98)" fill="#00ff17"/></svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 2.6 KiB

621
Parsers/Corelight/Corelight.txt Normal file
Просмотреть файл

@ -0,0 +1,621 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Corelight.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Corelight | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let Corelight_view = view () {
Corelight_CL | where isnotempty(Message)
| extend tmp = parse_json(Message)
| evaluate bag_unpack(tmp)| extend path_parts = parse_path(log_file_s)
| extend EventType = extract("(^.*?)_\\d+", 1, tostring(path_parts["Filename"])),
EventVendor="Corelight",
EventProduct="Corelight Sensor",
SrcDvcHostname=column_ifexists('hostname_s', ''),
EventEndTime=column_ifexists('ts', ''),
SrcDvcFile=column_ifexists('log_file_s', '')
| project-away path_parts, log_file_s
};
let Corelight_main_view = view () {
Corelight_view
| extend
Action=column_ifexists('action', ''),
Actions=column_ifexists('actions', ''),
AgentRemoteId=column_ifexists('agent_remote_id', ''),
Analyzer=column_ifexists('analyzer', ''),
AuthAttempts=column_ifexists('auth_attempts', ''),
AuthSuccess=column_ifexists('auth_success', ''),
BasicConstraintsCa=column_ifexists('basic_constraints.ca', ''),
BasicConstraintsPathLen=column_ifexists('basic_constraints.path_len', ''),
Cc=column_ifexists('cc', ''),
CertificateCn=column_ifexists('certificate.cn', ''),
CertificateCurve=column_ifexists('certificate.curve', ''),
CertificateExponent=column_ifexists('certificate.exponent', ''),
CertificateHashSha1=column_ifexists('orig_certificate_sha1', ''),
CertificateIssuer=column_ifexists('certificate.issuer', column_ifexists('client_issuer', '')),
CertificateKeyAlg=column_ifexists('certificate.key_alg', ''),
CertificateKeyLength=column_ifexists('certificate.key_length', ''),
CertificateKeyType=column_ifexists('certificate.key_type', ''),
CertificateNotValidAfter=column_ifexists('certificate.not_valid_after', ''),
CertificateNotValidBefore=column_ifexists('certificate.not_valid_before', ''),
CertificateSerial=column_ifexists('certificate.serial', ''),
CertificateSigAlg=column_ifexists('certificate.sig_alg', ''),
CertificateSubject=column_ifexists('certificate.subject', column_ifexists('client_subject', '')),
CertificateVersion=column_ifexists('certificate.version', ''),
CipherAlg=column_ifexists('cipher_alg', ''),
Client=column_ifexists('client', ''),
ClientMessage=column_ifexists('client_message', ''),
ClientSoftware=column_ifexists('client_software', ''),
CompileTs=column_ifexists('compile_ts', ''),
CompressionAlg=column_ifexists('compression_alg', ''),
Cshka=column_ifexists('cshka', ''),
DataChannelOrigH=column_ifexists('data_channel.orig_h', ''),
DataChannelPassive=column_ifexists('data_channel.passive', ''),
DataChannelRespH=column_ifexists('data_channel.resp_h', ''),
DataChannelRespP=column_ifexists('data_channel.resp_p', ''),
Date=column_ifexists('date', ''),
Depth=column_ifexists('depth', ''),
DhcpAssignedIpAddr=column_ifexists('assigned_addr', ''),
DhcpCircuitId=column_ifexists('circuit_id', ''),
DhcpLeaseTime=column_ifexists('lease_time', ''),
DhcpRequestedIpAddr=column_ifexists('requested_addr', ''),
DhcpSubscriberId=column_ifexists('subscriber_id', ''),
Direction=column_ifexists('direction', ''),
Dnp3FunctionReply=column_ifexists('fc_reply', ''),
Dnp3FunctionRequest=column_ifexists('fc_request', ''),
Dnp3Iin=column_ifexists('iin', ''),
DnsAdditionalAuthoritativeName=column_ifexists('auth', ''),
DnsAdditionalName=column_ifexists('addl', ''),
DnsFlagsAuthoritative=column_ifexists('AA', ''),
DnsFlagsRecursionAvailable=column_ifexists('RA', ''),
DnsFlagsRecursionDesired=column_ifexists('RD', ''),
DnsFlagsTruncated=column_ifexists('TC', ''),
DnsFlagsZ=column_ifexists('Z', ''),
DnsQueryClass=column_ifexists('qclass', ''),
DnsQueryClassName=column_ifexists('qclass_name', ''),
DnsQueryName=column_ifexists('query', ''),
DnsQueryType=column_ifexists('qtype', ''),
DnsQueryTypeName=column_ifexists('qtype_name', ''),
DnsRejected=column_ifexists('rejected', ''),
DnsResponseCode=column_ifexists('rcode', ''),
DnsResponseCodeName=column_ifexists('rcode_name', ''),
DnsResponseName=column_ifexists('answers', ''),
DnsResponseTtl=column_ifexists('TTLs', ''),
DnsRtt=column_ifexists('rtt', ''),
DnsTransactionId=column_ifexists('trans_id', ''),
Domainname=column_ifexists('domainname', ''),
Dropped=column_ifexists('dropped', ''),
Dst=column_ifexists('dst', ''),
DstBytes=column_ifexists('resp_bytes', ''),
DstCertificateIssuerName=column_ifexists('issuer', ''),
DstCertificateSha1=column_ifexists('resp_certificate_sha1', ''),
DstCertificateSubjectName=column_ifexists('subject', ''),
DstHostName=column_ifexists('http_header_host', column_ifexists('tls_server_name', '')),
DstIpAddr=column_ifexists('id.resp_h', column_ifexists('server_addr', column_ifexists('tx_hosts', ''))),
DstIpBytes=column_ifexists('resp_ip_bytes', ''),
DstMac=column_ifexists('resp_l2_addr', ''),
DstPackets=column_ifexists('resp_pkts', ''),
DstPort=column_ifexists('id.resp_p', ''),
Duration=column_ifexists('duration', ''),
EmailBodySections=column_ifexists('email_body_sections', ''),
EventDuration=column_ifexists('duration', ''),
EventUid=column_ifexists('z_Enrichment', column_ifexists('zeek_id_uids', column_ifexists('uid', ''))),
FailureReason=column_ifexists('failure_reason', ''),
FileAccessedTime=column_ifexists('times_accessed', ''),
FileChangedTime=column_ifexists('times_changed', ''),
FileCreationTime=column_ifexists('times_created', ''),
FileDesc=column_ifexists('file_desc', ''),
FileDirectory=column_ifexists('cwd', ''),
FileMimeType=column_ifexists('file_mime_type', column_ifexists('mime_type', column_ifexists('resp_mime_types', ''))),
FileModifiedTime=column_ifexists('times_modified', ''),
FileName=column_ifexists('filename', column_ifexists('resp_filenames', '')),
FilePath=column_ifexists('file_name', ''),
FilePreviousName=column_ifexists('prev_name', ''),
FileSize=column_ifexists('file_size', column_ifexists('total_bytes', column_ifexists('size', ''))),
FileSystemType=column_ifexists('native_file_system', ''),
FingerprintNetworkCommunityId=column_ifexists('community_id', ''),
FirstReceived=column_ifexists('first_received', ''),
From=column_ifexists('from', ''),
FtpCommandLine=column_ifexists('arg', ''),
FtpPassive=column_ifexists('ftp_passive', ''),
FtpProcessName=column_ifexists('command', ''),
Fuid=column_ifexists('fuid', ''),
Fuids=column_ifexists('fuids', ''),
HasCertTable=column_ifexists('has_cert_table', ''),
HasDebugData=column_ifexists('has_debug_data', ''),
HasExportTable=column_ifexists('has_export_table', ''),
HasImportTable=column_ifexists('has_import_table', ''),
HashJa3=column_ifexists('ja3', ''),
HashJa3s=column_ifexists('ja3s', ''),
HashMd5=column_ifexists('md5', ''),
HashSha1=column_ifexists('sha1', ''),
HashSha256=column_ifexists('sha256', ''),
Hassh=column_ifexists('hassh', ''),
Hasshalgorithms=column_ifexists('hasshAlgorithms', ''),
Hasshserver=column_ifexists('hasshServer', ''),
Hasshserveralgorithms=column_ifexists('hasshServerAlgorithms', ''),
Hasshversion=column_ifexists('hasshVersion', ''),
Helo=column_ifexists('helo', ''),
Host=column_ifexists('host', ''),
HostKey=column_ifexists('host_key', ''),
HostKeyAlg=column_ifexists('host_key_alg', ''),
HostP=column_ifexists('host_p', ''),
Hostname=column_ifexists('hostname', ''),
HttpCookieVariables=column_ifexists('cookie_vars', ''),
HttpInformationalCode=column_ifexists('info_code', ''),
HttpInformationalMessage=column_ifexists('info_msg', ''),
HttpProxiedHeaders=column_ifexists('proxied', ''),
HttpReferrerOriginal=column_ifexists('referrer', ''),
HttpRequestBodyBytes=column_ifexists('request_body_len', ''),
HttpRequestHeaderHost=column_ifexists('host', ''),
HttpRequestHeaderNames=column_ifexists('client_header_names', ''),
HttpRequestHeaderOrigin=column_ifexists('origin', ''),
HttpRequestMethod=column_ifexists('method', ''),
HttpResponseBodyBytes=column_ifexists('response_body_len', ''),
HttpResponseBodyOriginal=column_ifexists('post_body', ''),
HttpResponseHeaderNames=column_ifexists('server_header_names', ''),
HttpStatusCode=column_ifexists('status_code', ''),
HttpStatusMessage=column_ifexists('status_msg', ''),
HttpVersion=column_ifexists('version', ''),
Id=column_ifexists('id', ''),
InReplyTo=column_ifexists('in_reply_to', ''),
Is64bit=column_ifexists('is_64bit', ''),
IsExe=column_ifexists('is_exe', ''),
IsOrig=column_ifexists('is_orig', ''),
IsWebmail=column_ifexists('is_webmail', ''),
KexAlg=column_ifexists('kex_alg', ''),
LastReply=column_ifexists('last_reply', ''),
LocalOrig=column_ifexists('local_orig', ''),
Logcert=column_ifexists('logcert', ''),
MacAlg=column_ifexists('mac_alg', ''),
Machine=column_ifexists('machine', ''),
Mailfrom=column_ifexists('mailfrom', ''),
Matched=column_ifexists('matched', ''),
MimeType=column_ifexists('mime_type', ''),
Msg=column_ifexists('msg', ''),
MsgId=column_ifexists('msg_id', ''),
MsgOrig=column_ifexists('msg_orig', ''),
MsgTypes=column_ifexists('msg_types', ''),
N=column_ifexists('n', ''),
Name=column_ifexists('name', ''),
NetworkApplication=column_ifexists('service', ''),
NetworkConnectionHistory=column_ifexists('history', ''),
NetworkConnectionState=column_ifexists('conn_state', ''),
NetworkInnerVlanId=column_ifexists('inner_vlan', ''),
NetworkMissedBytes=column_ifexists('missed_bytes', ''),
NetworkOuterVlanId=column_ifexists('vlan', ''),
NetworkProtocol=case(EventType == "smb_files" or EventType == "smb_mapping" or EventType == "ssl" or EventType == "ssl_red" or EventType == "http" or EventType == "http_red", "tcp",EventType == "dhcp", "udp",column_ifexists('proto','')),
Node=column_ifexists('node', ''),
Note=column_ifexists('note', ''),
Notice=column_ifexists('notice', ''),
Os=column_ifexists('os', ''),
OscpValidationStatus=column_ifexists('ocsp_status', ''),
P=column_ifexists('p', ''),
PacketSegment=column_ifexists('packet_segment', ''),
Path=column_ifexists('path', ''),
Peer=column_ifexists('peer', ''),
PeerDescr=column_ifexists('peer_descr', ''),
Rcptto=column_ifexists('rcptto', ''),
RemoteLocationCity=column_ifexists('remote_location.city', ''),
RemoteLocationCountryCode=column_ifexists('remote_location.country_code', ''),
RemoteLocationLatitude=column_ifexists('remote_location.latitude', ''),
RemoteLocationLongitude=column_ifexists('remote_location.longitude', ''),
RemoteLocationRegion=column_ifexists('remote_location.region', ''),
ReplyCode=column_ifexists('reply_code', ''),
ReplyMsg=column_ifexists('reply_msg', ''),
ReplyTo=column_ifexists('reply_to', ''),
SanDns=column_ifexists('san.dns', ''),
SanEmail=column_ifexists('san.email', ''),
SanIp=column_ifexists('san.ip', ''),
SanUri=column_ifexists('san.uri', '') ,
SecondReceived=column_ifexists('second_received', ''),
SectionNames=column_ifexists('section_names', ''),
SeenIndicator=column_ifexists('seen.indicator', ''),
SeenIndicatorType=column_ifexists('seen.indicator_type', ''),
SeenWhere=column_ifexists('seen.where', ''),
Server=column_ifexists('server', ''),
ServerDnsComputerName=column_ifexists('server_dns_computer_name', ''),
ServerMessage=column_ifexists('server_message', ''),
ServerNbComputerName=column_ifexists('server_nb_computer_name', ''),
ServerSoftware=column_ifexists('server_software', ''),
ServerTreeName=column_ifexists('server_tree_name', ''),
Service=column_ifexists('service', ''),
ShareName=column_ifexists('path', ''),
ShareRelativeTargetName=column_ifexists('name', ''),
ShareType=column_ifexists('share_type', ''),
SmbAction=column_ifexists('action', ''),
SoftwareFlashVersionOriginal=column_ifexists('flash_version', ''),
SoftwareType=column_ifexists('software_type', ''),
Source=column_ifexists('source', ''),
Sources=column_ifexists('sources', ''),
Src=column_ifexists('src', ''),
SrcBytes=column_ifexists('orig_bytes', ''),
SrcDomain=column_ifexists('domain', ''),
SrcFileName=column_ifexists('orig_filenames', ''),
SrcFilePath=column_ifexists('src_file_name', ''),
SrcFqdn=column_ifexists('client_fqdn', ''),
SrcHostName=column_ifexists('host_name', ''),
SrcIpAddr=column_ifexists('id.orig_h', column_ifexists('rx_hosts', column_ifexists('client_addr', ''))),
SrcIpBytes=column_ifexists('orig_ip_bytes', ''),
SrcMac=column_ifexists('mac', column_ifexists('orig_l2_addr', '')),
SrcMimeType=column_ifexists('orig_mime_types', ''),
SrcPackets=column_ifexists('orig_pkts', ''),
SrcPort=column_ifexists('id.orig_p', ''),
Sub=column_ifexists('sub', ''),
Subject=column_ifexists('subject', ''),
SubpressFor=column_ifexists('subpress_for', ''),
Subsystem=column_ifexists('subsystem', ''),
Success=column_ifexists('success', ''),
Tls=column_ifexists('tls', ''),
TlsCertificateValidationStatus=column_ifexists('validation_status', ''),
TlsCipher=column_ifexists('cipher', ''),
TlsCurve=column_ifexists('curve', ''),
TlsEstablished=column_ifexists('established', ''),
TlsLastAlert=column_ifexists('last_alert', ''),
TlsNextProtocol=column_ifexists('next_protocol', ''),
TlsNotaryResponse=column_ifexists('notary', ''),
TlsResumed=column_ifexists('resumed', ''),
TlsServerName=column_ifexists('server_name', ''),
TlsVersion=column_ifexists('version', ''),
TlsVersionNumber=column_ifexists('version_num', ''),
To=column_ifexists('to', ''),
TransDepth=column_ifexists('trans_depth', ''),
TunnelType=column_ifexists('tunnel_type', ''),
UnparsedVersion=column_ifexists('unparsed_version', ''),
Url=column_ifexists('url', ''),
UrlOriginal=column_ifexists('uri', ''),
UrlQueryValues=column_ifexists('uri_vars', ''),
UserAgent=column_ifexists('user_agent', ''),
UserAgentOriginal=column_ifexists('user_agent', ''),
UserName=column_ifexists('user', column_ifexists('username', '')),
UserPassword=column_ifexists('password', ''),
Username=column_ifexists('username', ''),
UsesAslr=column_ifexists('uses_aslr', ''),
UsesCodeIntegrity=column_ifexists('uses_code_integrity', ''),
UsesDep=column_ifexists('uses_dep', ''),
UsesSeh=column_ifexists('uses_seh', ''),
ValidCtLogs=column_ifexists('valid_ct_logs', ''),
ValidCtOperators=column_ifexists('valid_ct_operators', ''),
ValidCtOperatorsList=column_ifexists('valid_ct_operators_list', ''),
Version=column_ifexists('version', ''),
VersionAddl=column_ifexists('version.addl', ''),
VersionMajor=column_ifexists('version.major', ''),
VersionMinor2=column_ifexists('version.minor2', ''),
VersionMinor3=column_ifexists('version.minor3', ''),
VersionMinor=column_ifexists('version.minor', ''),
X509=column_ifexists('x509', ''),
XOriginatingIp=column_ifexists('x_originating_ip', ''),
ZeekConnLocalDst=column_ifexists('local_resp', ''),
ZeekConnLocalSrc=column_ifexists('local_orig', ''),
ZeekFilesAnalyzers=column_ifexists('analyzers', ''),
ZeekFilesEntropy=column_ifexists('entropy', ''),
ZeekFilesExtracted=column_ifexists('extracted', ''),
ZeekFilesExtractedCutoff=column_ifexists('extracted_cutoff', ''),
ZeekFilesExtractedSize=column_ifexists('extracted_size', ''),
ZeekFilesMissingBytes=column_ifexists('missing_bytes', ''),
ZeekFilesOverflowBytes=column_ifexists('overflow_bytes', ''),
ZeekFilesSeenBytes=column_ifexists('seen_bytes', ''),
ZeekFilesTimedout=column_ifexists('timedout', ''),
ZeekHttpOmniture=column_ifexists('omniture', ''),
ZeekHttpTags=column_ifexists('tags', ''),
ZeekHttpTransDepth=column_ifexists('trans_depth', ''),
ZeekIdCertChainFuids=column_ifexists('cert_chain_fuids', ''),
ZeekIdClientCertChainFuids=column_ifexists('client_cert_chain_fuids', ''),
ZeekIdConnUids=column_ifexists('conn_uids', ''),
ZeekIdFuid=column_ifexists('fuid', ''),
ZeekIdOrigFuids=column_ifexists('orig_fuids', ''),
ZeekIdParentFuid=column_ifexists('parent_fuid', ''),
ZeekIdRespFuids=column_ifexists('resp_fuids', ''),
ZeekIdTunnelParents=column_ifexists('tunnel_parents', ''),
ZeekIdUids=column_ifexists('uids', ''),
ZeekMetaDstIpAddrHostName=column_ifexists('id.resp_h_name.vals', ''),
ZeekMetaDstIpAddrSource=column_ifexists('id.resp_h_name.src', ''),
ZeekMetaSrcIpAddrHostName=column_ifexists('id.orig_h_name.vals', ''),
ZeekMetaSrcIpAddrSource=column_ifexists('id.orig_h_name.src', ''),
ZeekOrigCc=column_ifexists('orig_cc', ''),
ZeekRespCc=column_ifexists('resp_cc', '')
| project
SrcDvcHostname,
EventEndTime,
SrcDvcFile,
Message,
TimeGenerated,
EventType,
EventVendor,
EventProduct,
Action,
Actions,
AgentRemoteId,
Analyzer,
AuthAttempts,
AuthSuccess,
BasicConstraintsCa,
BasicConstraintsPathLen,
Cc,
CertificateCn,
CertificateCurve,
CertificateExponent,
CertificateHashSha1,
CertificateIssuer,
CertificateKeyAlg,
CertificateKeyLength,
CertificateKeyType,
CertificateNotValidAfter,
CertificateNotValidBefore,
CertificateSerial,
CertificateSigAlg,
CertificateSubject,
CertificateVersion,
CipherAlg,
Client,
ClientMessage,
ClientSoftware,
CompileTs,
CompressionAlg,
Cshka,
DataChannelOrigH,
DataChannelPassive,
DataChannelRespH,
DataChannelRespP,
Date,
Depth,
DhcpAssignedIpAddr,
DhcpCircuitId,
DhcpLeaseTime,
DhcpRequestedIpAddr,
DhcpSubscriberId,
Direction,
Dnp3FunctionReply,
Dnp3FunctionRequest,
Dnp3Iin,
DnsAdditionalAuthoritativeName,
DnsAdditionalName,
DnsFlagsAuthoritative,
DnsFlagsRecursionAvailable,
DnsFlagsRecursionDesired,
DnsFlagsTruncated,
DnsFlagsZ,
DnsQueryClass,
DnsQueryClassName,
DnsQueryName,
DnsQueryType,
DnsQueryTypeName,
DnsRejected,
DnsResponseCode,
DnsResponseCodeName,
DnsResponseName,
DnsResponseTtl,
DnsRtt,
DnsTransactionId,
Domainname,
Dropped,
Dst,
DstBytes,
DstCertificateIssuerName,
DstCertificateSha1,
DstCertificateSubjectName,
DstHostName,
DstIpAddr,
DstIpBytes,
DstMac,
DstPackets,
DstPort,
Duration,
EmailBodySections,
EventDuration,
EventUid,
FailureReason,
FileAccessedTime,
FileChangedTime,
FileCreationTime,
FileDesc,
FileDirectory,
FileMimeType,
FileModifiedTime,
FileName,
FilePath,
FilePreviousName,
FileSize,
FileSystemType,
FingerprintNetworkCommunityId,
FirstReceived,
From,
FtpCommandLine,
FtpPassive,
FtpProcessName,
Fuid,
Fuids,
HasCertTable,
HasDebugData,
HasExportTable,
HasImportTable,
HashJa3,
HashJa3s,
HashMd5,
HashSha1,
HashSha256,
Hassh,
Hasshalgorithms,
Hasshserver,
Hasshserveralgorithms,
Hasshversion,
Helo,
Host,
HostKey,
HostKeyAlg,
HostP,
Hostname,
HttpCookieVariables,
HttpInformationalCode,
HttpInformationalMessage,
HttpProxiedHeaders,
HttpReferrerOriginal,
HttpRequestBodyBytes,
HttpRequestHeaderHost,
HttpRequestHeaderNames,
HttpRequestHeaderOrigin,
HttpRequestMethod,
HttpResponseBodyBytes,
HttpResponseBodyOriginal,
HttpResponseHeaderNames,
HttpStatusCode,
HttpStatusMessage,
HttpVersion,
Id,
InReplyTo,
Is64bit,
IsExe,
IsOrig,
IsWebmail,
KexAlg,
LastReply,
LocalOrig,
Logcert,
MacAlg,
Machine,
Mailfrom,
Matched,
MimeType,
Msg,
MsgId,
MsgOrig,
MsgTypes,
N,
Name,
NetworkApplication,
NetworkConnectionHistory,
NetworkConnectionState,
NetworkInnerVlanId,
NetworkMissedBytes,
NetworkOuterVlanId,
NetworkProtocol,
Node,
Note,
Notice,
Os,
OscpValidationStatus,
P,
PacketSegment,
Path,
Peer,
PeerDescr,
Rcptto,
RemoteLocationCity,
RemoteLocationCountryCode,
RemoteLocationLatitude,
RemoteLocationLongitude,
RemoteLocationRegion,
ReplyCode,
ReplyMsg,
ReplyTo,
SanDns,
SanEmail,
SanIp,
SanUri,
SecondReceived,
SectionNames,
SeenIndicator,
SeenIndicatorType,
SeenWhere,
Server,
ServerDnsComputerName,
ServerMessage,
ServerNbComputerName,
ServerSoftware,
ServerTreeName,
Service,
ShareName,
ShareRelativeTargetName,
ShareType,
SmbAction,
SoftwareFlashVersionOriginal,
SoftwareType,
Source,
Sources,
Src,
SrcBytes,
SrcDomain,
SrcFileName,
SrcFilePath,
SrcFqdn,
SrcHostName,
SrcIpAddr,
SrcIpBytes,
SrcMac,
SrcMimeType,
SrcPackets,
SrcPort,
Sub,
Subject,
SubpressFor,
Subsystem,
Success,
Tls,
TlsCertificateValidationStatus,
TlsCipher,
TlsCurve,
TlsEstablished,
TlsLastAlert,
TlsNextProtocol,
TlsNotaryResponse,
TlsResumed,
TlsServerName,
TlsVersion,
TlsVersionNumber,
To,
TransDepth,
TunnelType,
UnparsedVersion,
Url,
UrlOriginal,
UrlQueryValues,
UserAgent,
UserAgentOriginal,
UserName,
UserPassword,
Username,
UsesAslr,
UsesCodeIntegrity,
UsesDep,
UsesSeh,
ValidCtLogs,
ValidCtOperators,
ValidCtOperatorsList,
Version,
VersionAddl,
VersionMajor,
VersionMinor2,
VersionMinor3,
VersionMinor,
X509,
XOriginatingIp,
ZeekConnLocalDst,
ZeekConnLocalSrc,
ZeekFilesAnalyzers,
ZeekFilesEntropy,
ZeekFilesExtracted,
ZeekFilesExtractedCutoff,
ZeekFilesExtractedSize,
ZeekFilesMissingBytes,
ZeekFilesOverflowBytes,
ZeekFilesSeenBytes,
ZeekFilesTimedout,
ZeekHttpOmniture,
ZeekHttpTags,
ZeekHttpTransDepth,
ZeekIdCertChainFuids,
ZeekIdClientCertChainFuids,
ZeekIdConnUids,
ZeekIdFuid,
ZeekIdOrigFuids,
ZeekIdParentFuid,
ZeekIdRespFuids,
ZeekIdTunnelParents,
ZeekIdUids,
ZeekMetaDstIpAddrHostName,
ZeekMetaDstIpAddrSource,
ZeekMetaSrcIpAddrHostName,
ZeekMetaSrcIpAddrSource,
ZeekOrigCc,
ZeekRespCc
};
Corelight_main_view

967
Sample Data/Custom/Corelight_CL.json Normal file
Просмотреть файл

@ -0,0 +1,967 @@
[
{
"message":"{\"ts\":\"2018-08-03T23:37:28.937335Z\",\"uid\":\"CYEduc4AvbZxqylsqk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49530,\"id.resp_h\":\"191.234.4.50\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":30615,\"resp_size\":107046238,\"mbps\":338.122437,\"age_of_conn\":2.413327}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:42.980914Z\",\"uid\":\"CK3sI01OPsX7RoNlQ2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49493,\"id.resp_h\":\"195.12.232.163\",\"id.resp_p\":80,\"proto\":\"tcp\",\"orig_size\":579,\"resp_size\":106980076,\"mbps\":362.046669,\"age_of_conn\":2.253853}",
"log_file":"/var/log/corelight/conn_burst_20180803_16:37:28-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:47.156977Z\",\"uid\":\"CqLHTe4QCc5A0bXrWd\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":49572,\"id.resp_h\":\"64.233.165.109\",\"id.resp_p\":587,\"trans_depth\":1,\"helo\":\"DellDator32\",\"last_reply\":\"220 2.0.0 Ready to start TLS\",\"path\":[\"64.233.165.109\",\"192.168.0.54\"],\"tls\":true,\"fuids\":[],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.545927Z\",\"uid\":\"C7dt3I3EPGcL9Dfob3\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2153,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Wed, 11 Mar 2015 13:20:11 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<EF168BBF16E344D49311C8F4870E03BF@passwordnedxp>\",\"subject\":\"Re: www.pwned.se now online\",\"last_reply\":\"250 <54EF7C1F0039BECF> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FkYyUX3O20nQIB8Oej\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"PASV\",\"reply_code\":227,\"reply_msg\":\"Entering Passive Mode. (77,67,22,165,195,204)\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":50124}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CKcWml2DANiZ6nt7Xl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50642,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"anonymous\",\"password\":\"CommonUpdater%40McAfeeB2B.com\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/CommonUpdater/SiteStat.xml\",\"file_size\":118,\"reply_code\":226,\"reply_msg\":\"Transfer Complete\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"PASV\",\"reply_code\":213,\"reply_msg\":\"1436\",\"data_channel.passive\":true,\"data_channel.orig_h\":\"192.168.0.54\",\"data_channel.resp_h\":\"77.67.22.165\",\"data_channel.resp_p\":55634}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:54.728258Z\",\"uid\":\"CnFSLb4aP55YkNP2qc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50677,\"id.resp_h\":\"77.67.22.165\",\"id.resp_p\":21,\"user\":\"<unknown>\",\"command\":\"RETR\",\"arg\":\"ftp://77.67.22.165/./BOCVSE__1000/BOCVSE__1000/PkgCatalog.z\",\"reply_code\":213,\"reply_msg\":\"1436\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.210749Z\",\"fuid\":\"FCFk534jSanLgTUIK9\",\"tx_hosts\":[\"192.168.0.54\"],\"rx_hosts\":[\"192.168.0.1\"],\"conn_uids\":[\"CIhf2A1eM0sO4ZVyEl\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.476893Z\",\"fuid\":\"FJtflHVMljMnwuXQl\",\"tx_hosts\":[\"93.184.220.29\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CArZ6s3o464GaJTg7b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":788,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.552833Z\",\"fuid\":\"FWVJ1GDbhVz2aBpmh\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CdvgcM26CxCaCwmL4b\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FXALax1SNy4ie6rAUh\",\"tx_hosts\":[\"217.195.49.146\"],\"rx_hosts\":[\"192.168.0.2\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":true,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.553330Z\",\"fuid\":\"FlwmUy2bApwnWGkpYc\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CRdU7myRHW1Lmn5U3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA256\",\"SHA1\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":1,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.559949Z\",\"fuid\":\"F8lKOuRdzAwivoOYb\",\"tx_hosts\":[\"72.52.91.14\"],\"rx_hosts\":[\"192.168.0.51\"],\"conn_uids\":[\"CiDL9R1tDpuUZ2mU4h\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"SHA256\",\"MD5\"],\"duration\":0.0,\"local_orig\":false,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":16516,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563011Z\",\"fuid\":\"FzMvQhlL2FQNwbt3l\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CMen3q2ZwVS3r1XPrj\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA256\",\"SHA1\",\"MD5\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":11363,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.563090Z\",\"fuid\":\"FWM9XD1OkYpyYNS7Nh\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"CpbMRO2vFC64HiL9na\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":71644,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:55.573188Z\",\"fuid\":\"FcmNZx1JYgbvul8Sjl\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"217.195.49.146\"],\"conn_uids\":[\"C3XKFg33c48ee5EtX5\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":4643,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:37:56.699118Z\",\"fuid\":\"FkgQNz2dye4VOjihZi\",\"tx_hosts\":[\"192.168.0.2\"],\"rx_hosts\":[\"37.48.81.52\"],\"conn_uids\":[\"CLErWp4pCb5euqBBK7\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"MD5\",\"SHA1\",\"SHA256\"],\"duration\":0.0,\"local_orig\":true,\"is_orig\":false,\"seen_bytes\":0,\"missing_bytes\":81740,\"overflow_bytes\":0,\"timedout\":true}",
"log_file":"/var/log/corelight/files_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.446597Z\",\"uid\":\"CvTrYj2scU7ZCC5pCe\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3706,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"d.knuth@hushmail.com\"],\"date\":\"Fri, 13 Mar 2015 14:01:05 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"<d.knuth@hushmail.com>\"],\"msg_id\":\"<5782CF072601423EAC2E00492D5218F4@passwordnedxp>\",\"subject\":\"Re: I\\u0027d like to purchase a secure password\",\"last_reply\":\"250 <54E6F8320061B982> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FIsdVz2Dv4ezujWIn4\",\"F0WUmi4UiEdfo1GSu3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:01.560483Z\",\"uid\":\"CPT5L914wmfDebfHsb\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3852,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Fri, 13 Mar 2015 16:16:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3DAC7AF9CE584CE293ED592C27084E16@passwordnedxp>\",\"subject\":\"Fw: You\\u0027re running a vulnerable version of SkyBlueCanvas\",\"last_reply\":\"250 <54E6F832006275FE> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FZEZ0W15JFy6T7yl6e\",\"FB5z1b1ruqnFdUigN3\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.518121Z\",\"uid\":\"CG4WBv1YvP5xn6hJP5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60362,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 17 Mar 2015 08:17:43 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Krusty <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<5507D517.2010809@gmx.com>\",\"in_reply_to\":\"<009501d05d7a$b933aff0$2b9b0fd0$@gmail.com>\",\"subject\":\"Re: I\\u0027ve got 61 problems but my job aint one\",\"last_reply\":\"250 <54E6F832006D9D22> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"F6UDerS2pfvei0KRb\",\"FXrqL92XflpLEXVZ44\",\"FgO5rW3M7VlUyIcCyd\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.534084Z\",\"uid\":\"Cka4Bv1qmbA1RTFF53\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1289,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:30:26 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"msg_id\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00507F60> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FfJJQ74pDIlEgQWhGf\",\"FzVjQqYsRcLYhdctg\",\"FqnOzl4JMMdMrbOt72\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:05.546444Z\",\"uid\":\"CaOpm4JpVQx9WPa7d\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":60390,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"[192.168.0.51]\",\"mailfrom\":\"homer.pwned.se@gmx.com\",\"rcptto\":[\"ned.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 08:48:37 +0100\",\"from\":\"Homer <homer.pwned.se@gmx.com>\",\"to\":[\"Password Ned <ned.pwned.se@gmx.com>\"],\"msg_id\":\"<5507DC55.6090005@gmx.com>\",\"in_reply_to\":\"<3EF8E091DB36430A96BC3A6C31A183F8@passwordnedxp>\",\"subject\":\"Re: Fw: The frog is back!\",\"last_reply\":\"250 <54EF7C1F00509EF1> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.51\"],\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"tls\":false,\"fuids\":[\"FakMHq1PsByTwuXldh\",\"FsjHdk229asuLxBht6\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.145415Z\",\"uid\":\"CZDNzM17Z7IIM6aiCg\",\"id.orig_h\":\"212.71.235.158\",\"id.orig_p\":52998,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:07.634540Z\",\"uid\":\"C6o9LOw6TqD2qMLEc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1322,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"ed.dijkstra@yahoo.com\",\"homer.pwned.se@gmx.com\"],\"date\":\"Tue, 17 Mar 2015 10:15:02 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Edsger Dijkstra\\u0022 <ed.dijkstra@yahoo.com>\"],\"msg_id\":\"<82576B8A45B540B7BF165BEF67BB02C5@passwordnedxp>\",\"subject\":\"Re: The frog is back!\",\"last_reply\":\"250 <54E6F832006E937A> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FvPQjWWCYLJefchUh\",\"FzpSIF3VtoCmG9x903\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:12.367493Z\",\"uid\":\"C5yXAv453aG4WkzlBj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1283,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Thu, 19 Mar 2015 12:42:06 +0100\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Homer\\u0022 <homer.pwned.se@gmx.com>\"],\"cc\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\"],\"msg_id\":\"<A0E1C8DD4D4F4B93A3F65533283A85BA@passwordnedxp>\",\"subject\":\"Fw: My password has leaked online\",\"last_reply\":\"250 <54EF7C1F005E0201> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FaliahTGJHuhFeWt2\",\"FcR4TLdk7gJDb6h9k\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:14.341408Z\",\"uid\":\"Cd2Bw41Y3L43thVVtd\",\"id.orig_h\":\"85.25.43.94\",\"id.orig_p\":40522,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-paramiko_1.15.1\",\"server\":\"SSH-2.0-OpenSSH_6.4\",\"cipher_alg\":\"aes128-ctr\",\"mac_alg\":\"hmac-md5\",\"compression_alg\":\"none\",\"kex_alg\":\"diffie-hellman-group-exchange-sha1\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"24:ca:ee:e1:84:b3:0f:1a:17:86:c0:72:0a:8c:61:f6\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:15.393648Z\",\"uid\":\"CcuRx42gzHsf8IyWFa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.146\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":43.571823,\"orig_bytes\":18,\"resp_bytes\":52,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":2,\"resp_ip_bytes\":108,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:16.038750Z\",\"uid\":\"ChlhLC372Wy90aCsie\",\"id.orig_h\":\"222.186.56.46\",\"id.orig_p\":4458,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.488530Z\",\"uid\":\"CwBz7k283qnrY1G3C\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.56.52.24\",\"id.resp_p\":443,\"proto\":\"udp\",\"duration\":37.534503,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:21.709801Z\",\"uid\":\"CuKJtW3Y0V28ohg7il\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3504,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANIPConnection\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:44.981697Z\",\"uid\":\"C80aN92il06fzkTt5c\",\"id.orig_h\":\"61.160.247.150\",\"id.orig_p\":3029,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:45.138677Z\",\"host\":\"192.168.0.53\",\"host_p\":2869,\"software_type\":\"HTTP::SERVER\",\"name\":\"Microsoft-HTTPAPI\",\"version.major\":1,\"version.minor\":0,\"unparsed_version\":\"Microsoft-HTTPAPI/1.0\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.907917Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Office Source Engine\",\"unparsed_version\":\"Office Source Engine\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.910415Z\",\"id\":\"FE3J0j3TsIQKs4zA2c\",\"machine\":\"I386\",\"compile_ts\":\"2014-03-20T14:31:56.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":false,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_RCPT_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"seen.indicator\":\"homer.pwned.se@gmx.com\",\"seen.indicator_type\":\"Intel::EMAIL\",\"seen.where\":\"SMTP::IN_TO\",\"matched\":[\"Intel::EMAIL\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at HTTP::IN_HOST_HEADER\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"5.254.127.11\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CIqv2yvdg50rJT9Mk\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2210,\"id.resp_h\":\"5.254.127.11\",\"id.resp_p\":80,\"seen.indicator\":\"www.mybusinessdoc.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at DNS::IN_REQUEST\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on www.mybusinessdoc.com at DNS::IN_REQUEST\",\"sub\":\"www.mybusinessdoc.com\",\"src\":\"192.168.0.53\",\"dst\":\"192.168.0.1\",\"p\":53,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CTdvGJ2M1oDwIJ9nKc\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":1244,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"DNS::IN_REQUEST\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CeEwr7suNmvvJmp14\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2211,\"id.resp_h\":\"216.47.227.188\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on 216.47.227.188 at Conn::IN_RESP\",\"sub\":\"216.47.227.188\",\"src\":\"192.168.0.53\",\"dst\":\"216.47.227.188\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"proto\":\"tcp\",\"note\":\"Intel::Notice\",\"msg\":\"Intel hit on carina-paris-hotel.com at HTTP::IN_HOST_HEADER\",\"sub\":\"carina-paris-hotel.com\",\"src\":\"192.168.0.53\",\"dst\":\"209.59.156.160\",\"p\":80,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.925701Z\",\"uid\":\"CpvOV23eT05qD73gl4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2212,\"id.resp_h\":\"209.59.156.160\",\"id.resp_p\":80,\"seen.indicator\":\"carina-paris-hotel.com\",\"seen.indicator_type\":\"Intel::DOMAIN\",\"seen.where\":\"HTTP::IN_HOST_HEADER\",\"matched\":[\"Intel::DOMAIN\"],\"sources\":[\"Corelight MISP (5b1f252a-8d38-4a6e-8bcb-06a10a0ac7c9) - Corelight\"]}",
"log_file":"/var/log/corelight/intel_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FHbgSb1YVdbVLUVtqa\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T06:24:04.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_CUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".seg17\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"FOj8Wh4jnTs2JXfDfa\",\"machine\":\"I386\",\"compile_ts\":\"2015-09-19T15:48:53.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".data\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.927301Z\",\"id\":\"Fawiz94DjZdmOoK2dj\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.936416Z\",\"id\":\"FoIhp237WDbNURatZc\",\"machine\":\"I386\",\"compile_ts\":\"2011-12-04T21:44:10.000000Z\",\"os\":\"Windows 1.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".code\",\".idata\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"host\":\"192.168.0.53\",\"software_type\":\"SMTP::MAIL_CLIENT\",\"name\":\"Microsoft Outlook Express\",\"version.major\":6,\"version.minor\":0,\"version.minor2\":2900,\"version.minor3\":5512,\"unparsed_version\":\"Microsoft Outlook Express 6.00.2900.5512\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:48.973457Z\",\"uid\":\"CEH0pi3rUh8dJO0Agj\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":2370,\"id.resp_h\":\"81.236.55.3\",\"id.resp_p\":25,\"trans_depth\":1,\"helo\":\"passwordnedxp\",\"mailfrom\":\"ned.pwned.se@gmx.com\",\"rcptto\":[\"homer.pwned.se@gmx.com\",\"krusty.pwned.se@gmail.com\"],\"date\":\"Tue, 7 Apr 2015 15:36:29 +0200\",\"from\":\"\\u0022Password Ned\\u0022 <ned.pwned.se@gmx.com>\",\"to\":[\"\\u0022Krusty\\u0022 <krusty.pwned.se@gmail.com>\",\"<homer.pwned.se@gmx.com>\"],\"msg_id\":\"<5E99EDAF8CAE4C34862FF55486CB99C5@passwordnedxp>\",\"subject\":\"Re: Krusty, unable to deliver your item, #00000529832\",\"last_reply\":\"250 <54EF7C1F00AD3590> Mail accepted\",\"path\":[\"81.236.55.3\",\"192.168.0.53\"],\"user_agent\":\"Microsoft Outlook Express 6.00.2900.5512\",\"tls\":false,\"fuids\":[\"FS5nuj3XkXvMebrmdb\",\"FPxQhPcrO0yOQFbh9\"],\"is_webmail\":false}",
"log_file":"/var/log/corelight/smtp_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:49.630817Z\",\"id\":\"F54Kv41wqmJYmluTNj\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-07T14:43:55.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:51.556709Z\",\"id\":\"FXk0GZ31k7RZFFEq8c\",\"machine\":\"I386\",\"compile_ts\":\"2015-04-08T00:49:30.000000Z\",\"os\":\"Windows XP\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":true,\"has_cert_table\":false,\"has_debug_data\":true,\"section_names\":[\".text\",\".rdata\",\".data\",\".zdata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:51.586164Z\",\"host\":\"192.168.0.53\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Client\",\"unparsed_version\":\"Client\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.090902Z\",\"host\":\"192.168.0.51\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"Python-urllib\",\"version.major\":3,\"version.minor\":4,\"unparsed_version\":\"Python-urllib/3.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.203241Z\",\"uid\":\"CzQqWP3aJDe8zy8TBe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4871,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.206022Z\",\"uid\":\"CunqCs2VofincaO988\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3574,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cpn0xm3AxnlqYiMuRh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":1550,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.210211Z\",\"uid\":\"Cw2HA3QMlupOayfhe\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3416,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.211410Z\",\"uid\":\"CuzwQD115sos6GKflc\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2444,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.216550Z\",\"uid\":\"CwDrWLqZ4CoapKe15\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2482,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.223140Z\",\"uid\":\"Cdc4dG2bCkm6fpXxNf\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3935,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.226589Z\",\"uid\":\"CgYzka2SoJ8Zl9axf4\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":2334,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.227677Z\",\"uid\":\"CKiZuk1Axq1tUnk5B3\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":4653,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.229456Z\",\"uid\":\"Csa0Z73EXyT0QU7kuh\",\"id.orig_h\":\"146.52.78.242\",\"id.orig_p\":3802,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"tcp\",\"analyzer\":\"HTTP\",\"failure_reason\":\"not a http reply line\"}",
"log_file":"/var/log/corelight/dpd_20180803_16:36:45-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.292434Z\",\"id\":\"FU7lf04eX89UTxvc2c\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:56.437867Z\",\"uid\":\"CzzfiW35EGQRLBFouk\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62801,\"id.resp_h\":\"108.160.166.138\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp256r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"F5b5EIBsnFV30Bt5h\",\"F2jv9r2b5CjPqT1eog\",\"Fksb6730CMJUNZehec\"],\"client_cert_chain_fuids\":[],\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"host\":\"192.168.0.54\",\"software_type\":\"HTTP::BROWSER\",\"name\":\"NVIDIA Notifius\",\"version.major\":1,\"version.minor\":14,\"version.minor2\":17,\"unparsed_version\":\"NVIDIA Notifius v1.14.17\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.894631Z\",\"id\":\"FqeCdEdtohZbSZPW2\",\"machine\":\"I386\",\"compile_ts\":\"2012-02-24T19:20:04.000000Z\",\"os\":\"Windows 2000\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":true,\"uses_dep\":true,\"uses_code_integrity\":false,\"uses_seh\":false,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".ndata\",\".rsrc\",\".reloc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:58.900979Z\",\"uid\":\"C7j0kK3LbsiwywnHR1\",\"id.orig_h\":\"37.113.135.20\",\"id.orig_p\":23221,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":47,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"RU\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.144930Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"host\":\"192.168.0.2\",\"host_p\":22,\"software_type\":\"SSH::SERVER\",\"name\":\"OpenSSH\",\"version.major\":6,\"version.minor\":4,\"unparsed_version\":\"OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/software_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.148362Z\",\"uid\":\"C0HyjnU8giZuxqPC9\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":3929,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"direction\":\"INBOUND\",\"client\":\"\\u0000\\u0000\\u0003$\\u00a7\\u0014\\u00ae\\u000f\\u00a3\\u0001\\u00db;SD\\u001fe\\u009b\\u00e3Th\\u0002e\\u0000\\u0000\\u0000Ydiffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\\u0000\\u0000\\u0000\\u000fssh-rsa,ssh-dss\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000\\u0092aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000Uhmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0004none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000o\\u00bd\\u00edt+\\u00f2\\u0091\\u0008\\u00dc\\u00cc\\u00c8\\u00bdqA0\\u00c4\\u0098\\u0017\\u00c5\\u00fa\\u00ea\\u00f3\\u008c\\u00e7\\u00bc\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.149811Z\",\"uid\":\"CKjFMW2DiNiXKkipk5\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":1048,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.160619Z\",\"uid\":\"CwQw6D3ll7W8PSB5z6\",\"id.orig_h\":\"61.160.247.104\",\"id.orig_p\":4680,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":22,\"version\":2,\"direction\":\"INBOUND\",\"client\":\"SSH-2.0-libssh2_1.4.3\",\"server\":\"SSH-2.0-OpenSSH_6.4\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.280678Z\",\"uid\":\"CsaSLq4ag8XtiYxvt4\",\"id.orig_h\":\"162.253.130.90\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":3,\"proto\":\"icmp\",\"duration\":0.02791,\"orig_bytes\":4144,\"resp_bytes\":0,\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":74,\"orig_ip_bytes\":6216,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.288730Z\",\"uid\":\"CgV4Rq4mULfGfcCwmd\",\"id.orig_h\":\"70.48.138.88\",\"id.orig_p\":3,\"id.resp_h\":\"192.168.0.54\",\"id.resp_p\":1,\"proto\":\"icmp\",\"conn_state\":\"OTH\",\"local_orig\":false,\"local_resp\":true,\"missed_bytes\":0,\"orig_pkts\":1,\"orig_ip_bytes\":80,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"orig_cc\":\"CA\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.289238Z\",\"uid\":\"CkhnAP1pPhPNjvI3Ng\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"190.88.150.6\",\"id.resp_p\":42285,\"proto\":\"udp\",\"duration\":0.000006,\"orig_bytes\":18,\"resp_bytes\":26,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"CW\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.304832Z\",\"uid\":\"CvVYcx3vExjfwILFQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"64.4.23.140\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"SHR\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"^d\",\"orig_pkts\":0,\"orig_ip_bytes\":0,\"resp_pkts\":1,\"resp_ip_bytes\":54,\"tunnel_parents\":[],\"resp_cc\":\"US\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.307168Z\",\"uid\":\"C99Xsy1SZ94ZVIdXd1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"157.55.235.147\",\"id.resp_p\":443,\"proto\":\"udp\",\"conn_state\":\"S0\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"D\",\"orig_pkts\":1,\"orig_ip_bytes\":46,\"resp_pkts\":0,\"resp_ip_bytes\":0,\"tunnel_parents\":[],\"resp_cc\":\"IE\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.334229Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":31828,\"query\":\"play.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"play.l.google.com\",\"216.58.209.142\"],\"TTLs\":[168.0,168.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.824656Z\",\"uid\":\"CZxXNh2PrduLyJMZa7\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"177.3.93.142\",\"id.resp_p\":3892,\"proto\":\"udp\",\"duration\":0.000084,\"orig_bytes\":54,\"resp_bytes\":104,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":3,\"orig_ip_bytes\":138,\"resp_pkts\":4,\"resp_ip_bytes\":216,\"tunnel_parents\":[],\"resp_cc\":\"BR\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.838807Z\",\"uid\":\"C5KYsNWDVWC2agMPj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":64649,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2277,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.848581Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":8856,\"query\":\"wpad.pwned.se\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.852988Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":45275,\"query\":\"talkgadget.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:38:59.883311Z\",\"uid\":\"CWJBPaI9e0QuH1mTl\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":55269,\"id.resp_h\":\"111.221.77.174\",\"id.resp_p\":40021,\"proto\":\"udp\",\"duration\":0.002513,\"orig_bytes\":304,\"resp_bytes\":108,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":false,\"missed_bytes\":0,\"history\":\"Dd\",\"orig_pkts\":2,\"orig_ip_bytes\":360,\"resp_pkts\":2,\"resp_ip_bytes\":164,\"tunnel_parents\":[],\"resp_cc\":\"HK\"}",
"log_file":"/var/log/corelight/conn_20180803_16:37:13-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.263340Z\",\"uid\":\"CstFQx4BI1fg8CWVI1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":51785,\"id.resp_h\":\"193.149.88.183\",\"id.resp_p\":443,\"version\":\"TLSv10\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"curve\":\"secp384r1\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FOjrklZl04wHbhdUd\",\"FwoJPw4TdhPBlnv6Ea\"],\"client_cert_chain_fuids\":[],\"ja3\":\"06207a1730b5deeb207b0556e102ded2\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.925904Z\",\"uid\":\"CXTkCuSnwOyoMNQJa\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":56934,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":2244,\"query\":\"mail.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.938600Z\",\"uid\":\"COrePssLENSOflB2g\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":49865,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":32153,\"query\":\"www.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.945553Z\",\"uid\":\"CXgUSFFDSVzOfZ8x9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52640,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:00.964107Z\",\"uid\":\"Cy26oNvQBpiu1PEG\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52714,\"id.resp_h\":\"108.160.166.139\",\"id.resp_p\":443,\"resumed\":false,\"established\":false,\"ja3\":\"8d0230b6ce881f161d1875364f4a156b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.001217Z\",\"uid\":\"Cvh6wj4VimbGAfsIq2\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52794,\"id.resp_h\":\"23.78.127.162\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.microsoft.com\",\"uri\":\"/pkiops/crl/MicSecSerCA2011_2011-10-18.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.006067Z\",\"uid\":\"C5qsU43WVspFbFHtkf\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52795,\"id.resp_h\":\"80.239.237.10\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"crl.microsoft.com\",\"uri\":\"/pki/crl/products/tspca.crl\",\"user_agent\":\"Microsoft-CryptoAPI/6.1\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.022738Z\",\"uid\":\"CdAux82PdcPXUx7NX4\",\"id.orig_h\":\"192.168.0.53\",\"id.orig_p\":3424,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":8080,\"trans_depth\":1,\"method\":\"SUBSCRIBE\",\"host\":\"192.168.0.1\",\"uri\":\"/WANCommonInterfaceConfig\",\"user_agent\":\"Mozilla/4.0 (compatible; UPnP/1.0; Windows 9x)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.032946Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":16916,\"query\":\"safebrowsing.google.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.044659Z\",\"uid\":\"CMWcFP23u6AkrdEfZh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52898,\"id.resp_h\":\"64.233.161.189\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"curve\":\"secp256r1\",\"server_name\":\"12.client-channel.google.com\",\"resumed\":false,\"established\":false,\"cert_chain_fuids\":[\"FO8b6W2yJRpm2KXng6\",\"FmnhOg1Eb8Eb2PmsP7\",\"FneYmJiFUIxkgqpWc\"],\"client_cert_chain_fuids\":[],\"ja3\":\"e03fdb6b99211ce6d1ed8a21abf4b25b\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.047976Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":44335,\"query\":\"safebrowsing-cache.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"safebrowsing.cache.l.google.com\",\"213.155.151.155\",\"213.155.151.148\",\"213.155.151.149\",\"213.155.151.150\",\"213.155.151.151\",\"213.155.151.152\",\"213.155.151.153\",\"213.155.151.154\"],\"TTLs\":[168497.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0,276.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"CdNU9c2P0uebDBSWo5\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":60416,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":21121,\"query\":\"accounts.google.com\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":true,\"Z\":0,\"answers\":[\"accounts.l.google.com\",\"216.58.209.141\"],\"TTLs\":[278777.0,262.0],\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.056647Z\",\"uid\":\"Cm7HKR3RQ9cPxV5X0h\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52923,\"id.resp_h\":\"198.199.14.15\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.wajam.com\",\"uri\":\"/webenhancer/config?v=d1.4.1.5\\u0026os_mj=6\\u0026os_mn=1\\u0026os_bitness=64\\u0026mid=f06847d131a21bb534bd07962f92bd3e\\u0026uid=942E7E7368DAADD6C1330C564D1D3954\\u0026aid=9860\\u0026aid2=none\\u0026ts=1426247458\\u0026ts2=\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.069973Z\",\"uid\":\"ChWglr3KAZblx8vTR1\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52938,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"server_name\":\"talkgadget.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"FruyQsIM31LEyQ5mj\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":2,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F7v4Ep1MMC13a4yDD6\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.071442Z\",\"uid\":\"CYmMV1vb53b2jV07l\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":37324,\"id.resp_h\":\"93.184.220.29\",\"id.resp_p\":80,\"trans_depth\":3,\"method\":\"POST\",\"host\":\"ocsp.digicert.com\",\"uri\":\"/\",\"user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0\",\"request_body_len\":83,\"response_body_len\":0,\"tags\":[],\"orig_fuids\":[\"F8en7l1LV2IPx6fLCi\"],\"orig_mime_types\":[\"application/ocsp-request\"]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.079083Z\",\"uid\":\"Cae8jj44kIVwU95K9\",\"id.orig_h\":\"61.160.195.10\",\"id.orig_p\":1285,\"id.resp_h\":\"192.168.0.2\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"95.192.215.175\",\"uri\":\"/8nzr701m3s.jsp\",\"user_agent\":\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\",\"request_body_len\":0,\"response_body_len\":0,\"tags\":[]}",
"log_file":"/var/log/corelight/http_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.085129Z\",\"uid\":\"CqRVMl43u5sQROjmK9\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":52966,\"id.resp_h\":\"213.155.151.152\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"talkgadget.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.092663Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":292319466}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.100860Z\",\"uid\":\"CVAKdv11VMygyHMWoh\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53009,\"id.resp_h\":\"213.155.151.183\",\"id.resp_p\":443,\"server_name\":\"clients6.google.com\",\"resumed\":false,\"established\":false,\"ja3\":\"daca8a9af4450c4d2e0ef0c691db8d7a\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.102810Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1730265640}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.113819Z\",\"uid\":\"C19mag3BYc9imOhGF\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53043,\"id.resp_h\":\"75.101.135.23\",\"id.resp_p\":443,\"server_name\":\"www.hipchat.com\",\"resumed\":false,\"established\":false,\"ja3\":\"d6d0268c238e629784c6440543062546\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.114483Z\",\"uid\":\"CQcGkX1PaSnGr3ORJ9\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b2:45\",\"assigned_ip\":\"192.168.0.51\",\"lease_time\":86400.0,\"trans_id\":1560696338}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":1357091566}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3186368546}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3409528128}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.117978Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":647710817}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124145Z\",\"uid\":\"C9FY9f3dBGwUJTUrsi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53055,\"id.resp_h\":\"216.58.209.141\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"server_name\":\"accounts.google.com\",\"resumed\":true,\"established\":false,\"ja3\":\"5039c2e4865acfa462910ad50a1ecd66\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.124570Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":3934,\"rcode\":3,\"rcode_name\":\"NXDOMAIN\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
"log_file":"/var/log/corelight/dns_20180803_16:36:44-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.138206Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":3203197054}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.145435Z\",\"uid\":\"Cp6Jg83qPc3E7AZOpc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":53118,\"id.resp_h\":\"23.53.58.73\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"server_name\":\"ads1.msads.net\",\"resumed\":false,\"established\":false,\"ja3\":\"2a458dd9c65afbcf591cd8c2a194b804\"}",
"log_file":"/var/log/corelight/ssl_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"F0T1T52YtVLugdWEA9\",\"certificate.version\":3,\"certificate.serial\":\"615DAAD2000600000040\",\"certificate.subject\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.issuer\":\"CN=Microsoft Internet Authority\",\"certificate.not_valid_before\":\"2012-05-16T03:40:55.000000Z\",\"certificate.not_valid_after\":\"2016-05-16T03:50:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FAuQnh411Poc4j6IB5\",\"certificate.version\":3,\"certificate.serial\":\"0851F959814145CABDE024E212C9C20E\",\"certificate.subject\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2007-04-03T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2022-04-03T07:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FTDJXw3B9FNH6LllVi\",\"certificate.version\":3,\"certificate.serial\":\"07276FAE\",\"certificate.subject\":\"CN=Microsoft Internet Authority\",\"certificate.issuer\":\"CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE\",\"certificate.not_valid_before\":\"2012-04-26T00:41:36.000000Z\",\"certificate.not_valid_after\":\"2020-04-26T00:40:55.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":4096,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":1}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FlwjH1VX5WGZwfNA\",\"certificate.version\":3,\"certificate.serial\":\"67FBBC6F0001000077AF\",\"certificate.subject\":\"CN=flex.msn.com,OU=Adcenter,O=Microsoft,L=Redmond,ST=WA,C=US\",\"certificate.issuer\":\"CN=MSIT Machine Auth CA 2,DC=redmond,DC=corp,DC=microsoft,DC=com\",\"certificate.not_valid_before\":\"2013-06-06T00:09:06.000000Z\",\"certificate.not_valid_after\":\"2015-06-06T00:09:06.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\"}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.156487Z\",\"id\":\"FnbDjP2vdfoNORnLy9\",\"certificate.version\":3,\"certificate.serial\":\"0809E169141E080784D177C649586BFA\",\"certificate.subject\":\"CN=*.ib-ibi.com,OU=IT,O=I-Behavior\\u005c, Inc,L=Louisville,ST=Colorado,C=US\",\"certificate.issuer\":\"CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US\",\"certificate.not_valid_before\":\"2013-09-27T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2016-11-30T20:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"*.ib-ibi.com\",\"ib-ibi.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.158369Z\",\"uid\":\"ClPpoU1txFznvRQVOj\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":68,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":67,\"mac\":\"ec:f4:bb:4f:b0:96\",\"assigned_ip\":\"192.168.0.54\",\"lease_time\":0.0,\"trans_id\":41767348}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"F0ycGZ2X6t2bjfE77k\",\"certificate.version\":3,\"certificate.serial\":\"6ECC7AA5A7032009B8CEBCF4E952D491\",\"certificate.subject\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2020-02-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FEbyRb1pcTUgT14Jxd\",\"certificate.version\":3,\"certificate.serial\":\"1F6AAF787FE640ABBC314A3DEBE434A7\",\"certificate.subject\":\"CN=na.gmtdmp.com,OU=TechOps,O=Media Innovation Group\\u005c, LLC,L=New York,ST=New York,C=US\",\"certificate.issuer\":\"CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2014-10-15T07:00:00.000000Z\",\"certificate.not_valid_after\":\"2015-10-17T06:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"na.gmtdmp.com\",\"gmtdmp.mookie1.com\"],\"basic_constraints.ca\":false}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166082Z\",\"id\":\"FwZxHaTosC5HMTFQ2\",\"certificate.version\":3,\"certificate.serial\":\"250CE8E030612E9F2B89F7054D7CF8FD\",\"certificate.subject\":\"CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\u005c, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.issuer\":\"OU=Class 3 Public Primary Certification Authority,O=VeriSign\\u005c, Inc.,C=US\",\"certificate.not_valid_before\":\"2006-11-08T08:00:00.000000Z\",\"certificate.not_valid_after\":\"2021-11-08T07:59:59.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"F8Wvj82UfJkQXp14pg\",\"certificate.version\":3,\"certificate.serial\":\"12BBE6\",\"certificate.subject\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.issuer\":\"OU=Equifax Secure Certificate Authority,O=Equifax,C=US\",\"certificate.not_valid_before\":\"2002-05-21T11:00:00.000000Z\",\"certificate.not_valid_after\":\"2018-08-21T11:00:00.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.166295Z\",\"id\":\"FyfBmE1uxR4LPQiiwg\",\"certificate.version\":3,\"certificate.serial\":\"0236D1\",\"certificate.subject\":\"CN=RapidSSL CA,O=GeoTrust\\u005c, Inc.,C=US\",\"certificate.issuer\":\"CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US\",\"certificate.not_valid_before\":\"2010-02-20T06:45:05.000000Z\",\"certificate.not_valid_after\":\"2020-02-19T06:45:05.000000Z\",\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha1WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"basic_constraints.ca\":true,\"basic_constraints.path_len\":0}",
"log_file":"/var/log/corelight/x509_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.231971Z\",\"uid\":\"Ct9xQdrkYT5FlOxzl\",\"id.orig_h\":\"1.2.3.4\",\"id.orig_p\":0,\"id.resp_h\":\"5.6.7.8\",\"id.resp_p\":0,\"tunnel_type\":\"Tunnel::IP\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,214\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63958}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.305873Z\",\"uid\":\"CjqVGPVXXCE13mZEi\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":43073,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,249,29\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63773}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.306900Z\",\"uid\":\"CbmdWd4gP4unkau5rj\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":45831,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.307124Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"hostname\":\"lQPxf2ISQgEV1bGK\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.310882Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"path\":\"IPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"PORT\",\"arg\":\"10,0,0,11,248,143\",\"reply_code\":200,\"reply_msg\":\"Port command successful\",\"data_channel.passive\":false,\"data_channel.orig_h\":\"119.74.138.214\",\"data_channel.resp_h\":\"10.0.0.11\",\"data_channel.resp_p\":63631}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.313522Z\",\"uid\":\"CBEYYM9tj0f5jXsM5\",\"id.orig_h\":\"10.0.0.11\",\"id.orig_p\":56724,\"id.resp_h\":\"119.74.138.214\",\"id.resp_p\":21,\"user\":\"1\",\"password\":\"<hidden>\",\"command\":\"RETR\",\"arg\":\"ftp://119.74.138.214/doc.exe\",\"file_size\":0,\"reply_code\":226,\"reply_msg\":\"Transfer OK\"}",
"log_file":"/var/log/corelight/ftp_20180803_16:37:54-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C2P6jt32gESqlJqb32\",\"id.orig_h\":\"125.5.61.130\",\"id.orig_p\":4577,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 125.5.61.130 to 10.0.0.11\",\"src\":\"125.5.61.130\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"C4cMdr30cSbBpKtxH4\",\"id.orig_h\":\"85.132.46.226\",\"id.orig_p\":62248,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 85.132.46.226 to 10.0.0.11\",\"src\":\"85.132.46.226\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CJ2I2X3eumh4KByV81\",\"id.orig_h\":\"202.177.98.46\",\"id.orig_p\":8530,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 202.177.98.46 to 10.0.0.11\",\"src\":\"202.177.98.46\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.314346Z\",\"uid\":\"CbOpF7444p309keZB9\",\"id.orig_h\":\"81.213.174.63\",\"id.orig_p\":54313,\"id.resp_h\":\"10.0.0.11\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 81.213.174.63 to 10.0.0.11\",\"src\":\"81.213.174.63\",\"dst\":\"10.0.0.11\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.347346Z\",\"id\":\"FISJc7YSDyP0IIgZj\",\"machine\":\"I386\",\"compile_ts\":\"2007-10-06T03:09:43.000000Z\",\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":false,\"has_debug_data\":false,\"section_names\":[\":\\u00c2I\\u00ce\\u009b\\u00b7vA\",\"\\u000c\\u00afk7\\u00fa\\u001d\\u0012<\",\".rsrc\"]}",
"log_file":"/var/log/corelight/pe_20180803_16:37:18-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.348480Z\",\"uid\":\"CX0U3u2aujkDwKyUZj\",\"id.orig_h\":\"172.16.253.130\",\"id.orig_p\":68,\"id.resp_h\":\"172.16.253.254\",\"id.resp_p\":67,\"mac\":\"00:0c:29:af:9c:dc\",\"assigned_ip\":\"172.16.253.130\",\"lease_time\":1800.0,\"trans_id\":1671394645}",
"log_file":"/var/log/corelight/dhcp_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.394640Z\",\"uid\":\"Cvvh1e10TgqGgOUKIh\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.81\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.395376Z\",\"uid\":\"C1fJIA1dasC4KZQJia\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"83.170.1.38\",\"id.resp_p\":32900,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.396052Z\",\"uid\":\"Cf80KsDADsn4c7Koa\",\"id.orig_h\":\"192.168.2.16\",\"id.orig_p\":3797,\"id.resp_h\":\"65.55.158.80\",\"id.resp_p\":3544,\"tunnel_type\":\"Tunnel::TEREDO\",\"action\":\"Tunnel::DISCOVER\"}",
"log_file":"/var/log/corelight/tunnel_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"COLD_RESTART\",\"fc_reply\":\"RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.434681Z\",\"uid\":\"CMY1OYctlBZ1FMkyg\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":2828,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"CONFIRM\",\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":0}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.436247Z\",\"uid\":\"CFtzZB20l6R7JprzA\",\"id.orig_h\":\"10.0.0.8\",\"id.orig_p\":1159,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_reply\":\"UNSOLICITED_RESPONSE\",\"iin\":256}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:01.439072Z\",\"uid\":\"CTLKmv8tYC2Buh1i\",\"id.orig_h\":\"10.0.0.9\",\"id.orig_p\":1084,\"id.resp_h\":\"10.0.0.3\",\"id.resp_p\":20000,\"fc_request\":\"STOP_APPL\"}",
"log_file":"/var/log/corelight/dnp3_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.805909Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.806384Z\",\"uid\":\"CEYfiD3mbXWS12t6c1\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38889,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808066Z\",\"uid\":\"C2QZER6w0F3Z8qPpa\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38888,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808643Z\",\"uid\":\"CPjVQz26XMOipsHhZj\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38886,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"proto\":\"tcp\",\"note\":\"FindSMBv1::Seen\",\"msg\":\"SMBv1 Connection 172.16.1.8 to 172.16.1.7\",\"src\":\"172.16.1.8\",\"dst\":\"172.16.1.7\",\"p\":445,\"peer_descr\":\"bro\",\"actions\":[\"Notice::ACTION_LOG\"],\"suppress_for\":3600.0,\"dropped\":false}",
"log_file":"/var/log/corelight/notice_20180803_16:37:37-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808953Z\",\"uid\":\"Co7dkb3VZW4JUWlYV5\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38891,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.808982Z\",\"uid\":\"C21en73FMP4ek9D6V7\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38894,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":false,\"status\":\"LOGON_FAILURE\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.809566Z\",\"uid\":\"CkoU0m2UO5IJCGczh\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":41952,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":22,\"version\":2,\"auth_success\":true,\"auth_attempts\":2,\"client\":\"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10\",\"server\":\"SSH-2.0-OpenSSH_7.4p1 Ubuntu-10\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256@libssh.org\",\"host_key_alg\":\"ssh-rsa\",\"host_key\":\"2e:65:01:b6:47:1c:7f:9e:de:7e:eb:00:98:2b:a1:1d\"}",
"log_file":"/var/log/corelight/ssh_20180803_16:38:12-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.810316Z\",\"uid\":\"CtXGTtnwGhwiZGX4c\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38895,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cIPC$\",\"service\":\"IPC\",\"share_type\":\"PIPE\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"path\":\"\\u005c\\u005c172.16.1.7\\u005cMUSIC\",\"service\":\"A:\",\"native_file_system\":\"NTFS\",\"share_type\":\"DISK\"}",
"log_file":"/var/log/corelight/smb_mapping_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.812722Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"username\":\"sonos\",\"hostname\":\"INTENSE\",\"domainname\":\"WORKGROUP\",\"success\":true,\"status\":\"SUCCESS\"}",
"log_file":"/var/log/corelight/ntlm_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.858240Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.tiff\",\"size\":1913531,\"times.modified\":\"2018-07-24T17:56:05.520403Z\",\"times.accessed\":\"2018-07-24T17:56:05.356403Z\",\"times.created\":\"2018-07-24T17:56:05.356403Z\",\"times.changed\":\"2018-07-24T17:56:05.520403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.jpg\",\"size\":61292,\"times.modified\":\"2018-07-24T17:56:04.832403Z\",\"times.accessed\":\"2018-07-24T17:56:04.824403Z\",\"times.created\":\"2018-07-24T17:56:04.824403Z\",\"times.changed\":\"2018-07-24T17:56:04.832403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cjpg.string.~1~\",\"size\":2373948,\"times.modified\":\"2018-07-24T17:56:04.824403Z\",\"times.accessed\":\"2018-07-24T17:56:04.620403Z\",\"times.created\":\"2018-07-24T17:56:04.620403Z\",\"times.changed\":\"2018-07-24T17:56:04.824403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.908827Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpacket_filter.log\",\"size\":253,\"times.modified\":\"2018-07-24T17:56:05.132403Z\",\"times.accessed\":\"2018-07-24T17:56:05.128403Z\",\"times.created\":\"2018-07-24T17:56:05.128403Z\",\"times.changed\":\"2018-07-24T17:56:05.132403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif-small.gif\",\"size\":1085,\"times.modified\":\"2018-07-24T17:56:05.356403Z\",\"times.accessed\":\"2018-07-24T17:56:05.352403Z\",\"times.created\":\"2018-07-24T17:56:05.352403Z\",\"times.changed\":\"2018-07-24T17:56:05.356403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:02.959412Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.xwd\",\"size\":5095658,\"times.modified\":\"2018-07-24T17:56:04.600403Z\",\"times.accessed\":\"2018-07-24T17:56:04.164402Z\",\"times.created\":\"2018-07-24T17:56:04.164402Z\",\"times.changed\":\"2018-07-24T17:56:04.600403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cftp.log\",\"size\":1040,\"times.modified\":\"2018-07-24T17:56:05.020403Z\",\"times.accessed\":\"2018-07-24T17:56:05.020403Z\",\"times.created\":\"2018-07-24T17:56:05.020403Z\",\"times.changed\":\"2018-07-24T17:56:05.020403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cgif.string\",\"size\":162232,\"times.modified\":\"2018-07-24T17:56:04.616403Z\",\"times.accessed\":\"2018-07-24T17:56:04.600403Z\",\"times.created\":\"2018-07-24T17:56:04.600403Z\",\"times.changed\":\"2018-07-24T17:56:04.616403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpng.png\",\"size\":148698,\"times.modified\":\"2018-07-24T17:56:04.848403Z\",\"times.accessed\":\"2018-07-24T17:56:04.832403Z\",\"times.created\":\"2018-07-24T17:56:04.832403Z\",\"times.changed\":\"2018-07-24T17:56:04.848403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:03.070676Z\",\"uid\":\"COGaRD3cM7jP2XFdy8\",\"id.orig_h\":\"172.16.1.8\",\"id.orig_p\":38896,\"id.resp_h\":\"172.16.1.7\",\"id.resp_p\":445,\"action\":\"SMB::FILE_OPEN\",\"name\":\"\\u005chack\\u005cpnm.pnm\",\"size\":1910848,\"times.modified\":\"2018-07-24T17:56:05.308403Z\",\"times.accessed\":\"2018-07-24T17:56:05.132403Z\",\"times.created\":\"2018-07-24T17:56:05.132403Z\",\"times.changed\":\"2018-07-24T17:56:05.308403Z\"}",
"log_file":"/var/log/corelight/smb_files_20180803_16:39:01-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.568559Z\",\"uid\":\"CATSgW2JPVhX7ESua5\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":39491,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:18.872776Z\",\"uid\":\"CR1nf0433a3ialytj1\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":64427,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.053959Z\",\"uid\":\"Cb0oDz1hEwX3a8sPc\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50281,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.211561Z\",\"uid\":\"Cee4q23WQLcRqZlJ94\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":57515,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.308033Z\",\"uid\":\"CMMvTP2PNc0xC5kWvk\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":48458,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.334330Z\",\"uid\":\"CuKeDJ3zaOcws1t8wi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":50392,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.793311Z\",\"uid\":\"CAdhMq3LBdw6Tw40oj\",\"id.orig_h\":\"192.168.0.51\",\"id.orig_p\":53943,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.825907Z\",\"uid\":\"C83b3V1vZIrsJ2P6lg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":54297,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.848609Z\",\"uid\":\"CHJWCW3g7DUgXOExQg\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":62969,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
},
{
"message":"{\"ts\":\"2018-08-03T23:39:19.864909Z\",\"uid\":\"C9ywaY2tEz5PCm2gmi\",\"id.orig_h\":\"192.168.0.54\",\"id.orig_p\":63612,\"id.resp_h\":\"192.168.0.1\",\"id.resp_p\":53,\"name\":\"dns_unmatched_msg\",\"notice\":false}",
"log_file":"/var/log/corelight/weird_20180803_16:37:08-16:40:00-0700.log",
"hostname":"srv-sentinel-000"
}
]

740
Workbooks/Corelight.json Normal file
Просмотреть файл

@ -0,0 +1,740 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": ">**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://aka.ms/sentinel-Corelight-parser) to create the Kusto function alias **Corelight**."
},
"name": "text - 23"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d723eef6-b3f0-40be-9a56-125421b32619",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Main Dashboard",
"subTarget": "corelight_main_dashboard",
"style": "link"
},
{
"id": "5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Connections",
"subTarget": "corelight_connections",
"style": "link"
},
{
"id": "5336f601-4da3-4da0-8196-332a97636047",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight DNS",
"subTarget": "corelight_dns",
"style": "link"
},
{
"id": "5c26ac35-85e3-4f48-8673-f80d30314d1a",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Correlight Files",
"subTarget": "corelight_files",
"style": "link"
},
{
"id": "14595b52-fcaa-402c-9a39-3d236b2aeba9",
"cellValue": "Tab",
"linkTarget": "parameter",
"linkLabel": "Corelight Software",
"subTarget": "corelight_software",
"style": "link"
}
]
},
"name": "links - 24"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "c64d5d3d-90c6-484a-ab88-c70652b75b6e",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 300000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "Sensor Events Timechart",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_main_dashboard"
},
"customWidth": "50",
"name": "Sensor Events Timechart"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| summarize Count=count() by EventType | sort by Count desc",
"size": 0,
"title": "Sensor Events Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_main_dashboard"
},
"customWidth": "50",
"name": "Sensor Events Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| where isnotempty(Service)\n| summarize count() by Service | take 10",
"size": 3,
"title": "Top Services",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Services"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| where isnotempty(DstPort)\n| extend dstprt = tostring(DstPort)\n| summarize Count=count() by dstprt | sort by Count desc |take 10",
"size": 3,
"title": "Top Responder Ports",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"showMetrics": false,
"showLegend": true,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Responder Ports"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where NetworkDirection == \"outbound\"\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(SrcIpBytes) + toint(DstIpBytes)\n| summarize Bytes=sum(bytes) by SrcIpAddr, DstIpAddr, NetworkProtocol | sort by Bytes desc | take 15",
"size": 0,
"title": "Top Outbound Data Flows by Originator Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Outbound Data Flows by Originator Bytes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"conn\"\n| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where NetworkDirection == \"inbound\"\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(SrcIpBytes) + toint(DstIpBytes)\n| summarize Bytes=sum(bytes) by SrcIpAddr, DstIpAddr, NetworkProtocol | sort by Bytes desc | take 15",
"size": 0,
"title": "Top Inbound Data Flows by Originator Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Inbound Data Flows by Originator Bytes - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by SrcIpAddr | sort by Count",
"size": 3,
"title": "Top Originators (sources) by # of connections",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Originators (sources) by # of connections"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by DstIpAddr | sort by Count",
"size": 3,
"title": "Top Responders (destinations) by # of connections",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"customWidth": "50",
"name": "Top Responders (destinations) by # of connections - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(Service) and isnotempty(DstPort) and isnotempty(SrcPort)\n| summarize duration=avg(toint(Duration)), make_list(SrcIpAddr), make_list(DstIpAddr), make_list(NetworkProtocol) by EventUid | sort by duration desc | take 50",
"size": 0,
"title": "Open/Active Long Lived Connections (requires Long Connections Pkg)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"sortBy": [
{
"itemKey": "duration",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "duration",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_connections"
},
"name": "Open/Active Long Lived Connections (requires Long Connections Pkg)"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryTypeName)\n| where DstPort ==\"53\" | summarize count() by DnsQueryTypeName",
"size": 3,
"title": "Top Query Types",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Query Types"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryName)\n| summarize Count=count() by DnsQueryName | sort by Count desc | take 10\n| join kind = inner (Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where isnotempty(DnsQueryName)\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DnsQueryName)\n on DnsQueryName",
"size": 0,
"title": "Top 10 Queries by Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blueDark"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top 10 Queries by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NXDOMAIN\" and DnsQueryTypeName !=\"PTR\" and DstPort ==\"53\"\n| summarize Count=count() by DnsQueryName | sort by Count desc | take 10\n| join kind = inner (Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DnsQueryName)\n on DnsQueryName",
"size": 0,
"title": "Top 10 Queries by Count to Non-Existent Domains",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "DnsQueryName1",
"formatter": 5
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"palette": "blueDark"
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 5
}
]
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top 10 Queries by Count to Non-Existent Domains"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"dns\"\n| where TimeGenerated {TimeRange}\n| where DstPort == \"53\" and isnotempty(DnsQueryTypeName)\n| summarize Count=count() by SrcIpAddr | sort by Count | take 10",
"size": 0,
"title": "Top Originators by Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Originators by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NOERROR\" and DnsQueryTypeName ==\"PTR\" and DstPort ==\"53\"\n| where DstPort == \"53\" and isnotempty(DnsQueryTypeName)\n| summarize Count=count() by DnsQueryName | sort by Count | take 10",
"size": 0,
"title": "Top Successful Reverse Queries by Count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Successful Reverse Queries by Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"dns\"\n| where DnsResponseCodeName ==\"NXDOMAIN\" and DnsQueryTypeName == \"PTR\" and DstPort == \"53\"\n| summarize Count=count() by DnsQueryName | sort by Count | take 10",
"size": 0,
"title": "Top Reverse Queries by Count to Non-Existent Domains",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_dns"
},
"customWidth": "33",
"name": "Top Reverse Queries by Count to Non-Existent Domains"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| summarize Count=count() by MimeType | sort by Count desc | take 20",
"size": 0,
"title": "Top 20 Mime Types by File Count",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"name": "Top 20 Mime Types by File Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| summarize [\"File Count\"]=count() by Source | sort by [\"File Count\"] desc | take 15",
"size": 0,
"title": "Top File Protocols by File Count",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"name": "Top File Protocols by File Count"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| extend NetworkDirection = case(LocalOrig == \"true\", \"outbound\", LocalOrig == \"false\", \"inbound\", \"\" )\n|make-series [\"Files Sent\"]=countif(NetworkDirection==\"outbound\"), [\"Files Received\"]=countif(NetworkDirection==\"inbound\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType | project [\"Files Sent\"], [\"Files Received\"], TimeGenerated;",
"size": 0,
"title": "File Flow - # of Files",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"customWidth": "50",
"name": "File Flow - # of Files"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"files\"\n| where isnotempty(MimeType)\n| where MimeType != \"application/pkix-cert\"\n| extend NetworkDirection = case(LocalOrig == \"true\", \"outbound\", LocalOrig == \"false\", \"inbound\", \"\" )\n|make-series [\"Bytes Sent\"]=sumif(toint(ZeekFilesSeenBytes), NetworkDirection==\"outbound\" ), [\"Bytes Received\"]=sumif(toint(ZeekFilesSeenBytes),NetworkDirection==\"inbound\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType;",
"size": 0,
"title": "File Flow - Bytes",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_files"
},
"customWidth": "50",
"name": "File Flow - Bytes"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"software\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(SoftwareType)\n| summarize Count=count() by Name | sort by Count | take 20",
"size": 0,
"title": "Top Software",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar"
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"name": "Top Software"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where TimeGenerated {TimeRange}\n| where EventType startswith \"software\"\n| where isnotempty(SoftwareType)\n| summarize Count=count() by Name, UnparsedVersion | sort by Count ",
"size": 0,
"title": "Top Software Versions",
"timeContext": {
"durationMs": 43200000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 5
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Name"
],
"expandTopLevel": true
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"customWidth": "50",
"name": "Top Software Versions"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Corelight\n| where EventType startswith \"software\"\n| where isnotempty(SoftwareType)\n| summarize Count=count() by SoftwareType | sort by Count ",
"size": 0,
"title": "Top Software Types",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Name",
"formatter": 5
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Name"
],
"expandTopLevel": true
}
}
},
"conditionalVisibility": {
"parameterName": "Tab",
"comparison": "isEqualTo",
"value": "corelight_software"
},
"customWidth": "50",
"name": "Top Software Types"
}
],
"fallbackResourceIds": [],
"fromTemplateId": "sentinel-CorelightWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 137 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsBlack2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 150 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsWhite1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 147 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightConnectionsWhite2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 169 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightDNSBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 132 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightDNSWhite1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 163 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightFileBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 85 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightFileBlack2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 53 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightFileWhite1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 105 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightFileWhite2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 56 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightMainBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 135 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightMainWhite1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 149 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightSoftwareBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 103 KiB

Двоичные данные
Workbooks/Images/Preview/CorelightSoftwareWhite1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 115 KiB