
[
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.162 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "X201_ja-JP_Ttmdm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\ja-JP",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:21",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.169 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "X202_ja-JP_Tmgdm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\ja-JP",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:21",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.169 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "X001_Tsydm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\Common",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:21",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.169 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "oracle.key",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\HarddiskVolume3\\\\Oracle\\\\product\\\\12.1.0\\\\client_1\\\\bin",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:22",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.169 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "oracle.key",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\HarddiskVolume3\\\\Oracle\\\\product\\\\12.1.0\\\\client_1\\\\bin",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:22",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "GC00001_Tdsdm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\Common\\\\GC00",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "#NAME?",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\HarddiskVolume3\\\\log\\\\SQLLOG\\\\20201208",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "TESTUSER011_SQLLOG_202012031130.txt",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\HarddiskVolume3\\\\log\\\\SQLLOG\\\\20201203",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "GC00001_Tdsdm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\Common\\\\GC00",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Document Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "GC00001_Tdtdm.xml",
"DeviceCustomString2Label": "AccessedDocFileName",
"DeviceCustomString3": "\\\\Device\\\\Mup\\\\jpptyodcdb460\\\\web\\\\PQDAMS\\\\PRD\\\\GCC\\\\Resource\\\\Common\\\\GC00",
"DeviceCustomString3Label": "AccessedDocFilePath",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Document Accessed Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Network Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "1521",
"DestinationIP": "111.111.111.111",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "58452",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "164.162.197.43",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Network Access Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "Network Access In A Detection Summary Event",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "1521",
"DestinationIP": "222.22.222.222",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "58451",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "164.162.197.43",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "Feb 04 2021 23:57:23",
"DeviceCustomDate1Label": "Network Access Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/4/2021, 11:57:45.170 PM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "DetectionSummaryEvent",
"LogSeverity": "2",
"OriginalLogSeverity": "",
"DeviceAction": "Sensor-based ML",
"SimplifiedDeviceAction": "Sensor-based ML",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
"Protocol": "",
"SourcePort": "",
"SourceIP": "192.168.174.193",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "Machine Learning",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "",
"DeviceTranslatedAddress": "",
"DestinationHostName": "TESTUSER011B001",
"DestinationMACAddress": "",
"DestinationNTDomain": "ABC COMPANY",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "TESTUSER011",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "8936baa7cfa6bf9b597c6cd2d842926d",
"FileID": "",
"FileModificationTime": "",
"FilePath": "\\\\Device\\\\HarddiskVolume3\\\\GCC\\\\Exe",
"FilePermission": "",
"FileType": "",
"FileName": "GCC.exe",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "00-15-5d-76-f9-c1",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "ParentProcessId",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "ProcessId",
"DeviceCustomNumber3": "47546",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "\"C:\\\\GCC\\\\Exe\\\\GCC.exe\" ",
"DeviceCustomString5Label": "CommandLine",
"DeviceCustomString6": "https://falcon.crowdstrike.com/activity/detections/detail/1e5acbe02b554471833e0a9fb399b0b3/184683891785?_cid\\=639b91eaf5544fe68d561b96e9659677",
"DeviceCustomString6Label": "FalconHostLink",
"DeviceCustomDate1": "",
"DeviceCustomDate1Label": "",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=Machine Learning;reason=Falcon Detection Method;outcome=2304;CSMTRPatternDisposition=Detection, process would have been blocked if related prevention policy setting was enabled.",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:26:09.223 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "UserActivityAuditEvent",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "quarantined_file_update",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "quarantined_files",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "Crowdstrike",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2040",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "",
"DeviceCustomDate1Label": "",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=UserActivityAuditEvent",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:26:09.223 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "UserActivityAuditEvent",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "quarantined_file_update",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "quarantined_files",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "Crowdstrike",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2041",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "",
"DeviceCustomDate1Label": "",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=UserActivityAuditEvent",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:53:02.623 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "streamStopped",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "streamStopped",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "Crowdstrike Streaming API",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "api-client-id:7992a9d0336046c1a83028544820241d",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2042",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "Feb 05 2021 02:52:40",
"DeviceCustomDate1Label": "Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=AuthActivityAuditEvent;outcome=true",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:53:02.624 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "streamStopped",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "streamStopped",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "Crowdstrike Streaming API",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "api-client-id:9c45a593267e486886d785a51f23456d",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2043",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "Feb 05 2021 02:52:40",
"DeviceCustomDate1Label": "Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=AuthActivityAuditEvent;outcome=true",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:53:02.624 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "streamStarted",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "streamStarted",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "Crowdstrike Streaming API",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "api-client-id:7992a9d0336046c1a83028544820241d",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2044",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "Feb 05 2021 02:52:41",
"DeviceCustomDate1Label": "Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=AuthActivityAuditEvent;outcome=true",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 2:53:02.624 AM",
"ReceiptTime": "1.61249E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "streamStarted",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "streamStarted",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "Crowdstrike Streaming API",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "api-client-id:9c45a593267e486886d785a51f23456d",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2045",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "Feb 05 2021 02:52:41",
"DeviceCustomDate1Label": "Timestamp",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=AuthActivityAuditEvent;outcome=true",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
},
{
"TenantId": "00000-000-00000-000000-0000000000000",
"SourceSystem": "OpsManager",
"TimeGenerated [UTC]": "2/5/2021, 12:10:18.793 AM",
"ReceiptTime": "1.61248E+12",
"DeviceVendor": "CrowdStrike",
"DeviceProduct": "FalconHost",
"DeviceEventClassID": "UserActivityAuditEvent",
"LogSeverity": "1",
"OriginalLogSeverity": "",
"DeviceAction": "",
"SimplifiedDeviceAction": "",
"Computer": "",
"CommunicationDirection": "",
"DeviceFacility": "",
"DestinationPort": "",
"DestinationIP": "",
"DeviceAddress": "",
"DeviceName": "",
"Message": "",
"Protocol": "",
"SourcePort": "",
"SourceIP": "",
"RemoteIP": "",
"RemotePort": "",
"MaliciousIP": "",
"ThreatSeverity": "",
"IndicatorThreatType": "",
"ThreatDescription": "",
"ThreatConfidence": "",
"ReportReferenceLink": "",
"MaliciousIPLongitude": "",
"MaliciousIPLatitude": "",
"MaliciousIPCountry": "",
"DeviceVersion": "1",
"Activity": "quarantined_file_update",
"ApplicationProtocol": "",
"EventCount": "",
"DestinationDnsDomain": "",
"DestinationServiceName": "",
"DestinationTranslatedAddress": "",
"DestinationTranslatedPort": "",
"DeviceDnsDomain": "",
"DeviceExternalID": "",
"DeviceInboundInterface": "",
"DeviceNtDomain": "",
"DeviceOutboundInterface": "",
"DevicePayloadId": "",
"ProcessName": "quarantined_files",
"DeviceTranslatedAddress": "",
"DestinationHostName": "",
"DestinationMACAddress": "",
"DestinationNTDomain": "",
"DestinationProcessId": "",
"DestinationUserPrivileges": "",
"DestinationProcessName": "",
"DeviceTimeZone": "",
"DestinationUserID": "",
"DestinationUserName": "Crowdstrike",
"DeviceMacAddress": "",
"ProcessID": "",
"ExternalID": "",
"FileCreateTime": "",
"FileHash": "",
"FileID": "",
"FileModificationTime": "",
"FilePath": "",
"FilePermission": "",
"FileType": "",
"FileName": "",
"FileSize": "",
"ReceivedBytes": "",
"OldFileCreateTime": "",
"OldFileHash": "",
"OldFileID": "",
"OldFileModificationTime": "",
"OldFileName": "",
"OldFilePath": "",
"OldFilePermission": "",
"OldFileSize": "",
"OldFileType": "",
"SentBytes": "",
"RequestURL": "",
"RequestClientApplication": "",
"RequestContext": "",
"RequestCookies": "",
"RequestMethod": "",
"SourceHostName": "",
"SourceMACAddress": "",
"SourceNTDomain": "",
"SourceDnsDomain": "",
"SourceServiceName": "",
"SourceTranslatedAddress": "",
"SourceTranslatedPort": "",
"SourceProcessId": "",
"SourceUserPrivileges": "",
"SourceProcessName": "",
"SourceUserID": "",
"SourceUserName": "",
"EventType": "",
"DeviceCustomIPv6Address1": "",
"DeviceCustomIPv6Address1Label": "",
"DeviceCustomIPv6Address2": "",
"DeviceCustomIPv6Address2Label": "",
"DeviceCustomIPv6Address3": "",
"DeviceCustomIPv6Address3Label": "",
"DeviceCustomIPv6Address4": "",
"DeviceCustomIPv6Address4Label": "",
"DeviceCustomFloatingPoint1": "",
"DeviceCustomFloatingPoint1Label": "",
"DeviceCustomFloatingPoint2": "",
"DeviceCustomFloatingPoint2Label": "",
"DeviceCustomFloatingPoint3": "",
"DeviceCustomFloatingPoint3Label": "",
"DeviceCustomFloatingPoint4": "",
"DeviceCustomFloatingPoint4Label": "",
"DeviceCustomNumber1": "",
"DeviceCustomNumber1Label": "",
"DeviceCustomNumber2": "",
"DeviceCustomNumber2Label": "",
"DeviceCustomNumber3": "2039",
"DeviceCustomNumber3Label": "Offset",
"DeviceCustomString1": "",
"DeviceCustomString1Label": "",
"DeviceCustomString2": "",
"DeviceCustomString2Label": "",
"DeviceCustomString3": "",
"DeviceCustomString3Label": "",
"DeviceCustomString4": "",
"DeviceCustomString4Label": "",
"DeviceCustomString5": "",
"DeviceCustomString5Label": "",
"DeviceCustomString6": "",
"DeviceCustomString6Label": "",
"DeviceCustomDate1": "",
"DeviceCustomDate1Label": "",
"DeviceCustomDate2": "",
"DeviceCustomDate2Label": "",
"FlexDate1": "",
"FlexDate1Label": "",
"FlexNumber1": "",
"FlexNumber1Label": "",
"FlexNumber2": "",
"FlexNumber2Label": "",
"FlexString1": "",
"FlexString1Label": "",
"FlexString2": "",
"FlexString2Label": "",
"AdditionalExtensions": "cat=UserActivityAuditEvent",
"StartTime [UTC]": "",
"EndTime [UTC]": "",
"Type": "CommonSecurityLog",
"_ResourceId": "/subscriptions/1ef0bead-010f-49ae-bcf3-142bbc8572cd/resourcegroups/cd-cefsyslog-rg/providers/microsoft.compute/virtualmachines/cefserver"
}
]