[
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
586
],
"answers": [
"ns.icann.org"
],
"auth": [],
"community_id": "1:6509a8cfdb7ea1368ca5ad6044d6f6bdeb012f5c",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.153.17",
"id.orig_p": 49920,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "leroy_brown",
"orig_huid": "s96UneYo",
"orig_sluid": "mpZ-WRh7",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "wpad.corp.example.com",
"rcode": 3,
"rcode_name": "NXDomain",
"rejected": true,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 30844,
"ts": 1623176452950,
"uid": "By6.7Uvbw80avjcq"
},
{
"AA": true,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3600
],
"answers": [
"dc01.corp.example.com"
],
"auth": [],
"community_id": "1:0839e1d9ba1e9a0fc1b66e1e4d01268f9b785ce4",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.18",
"id.orig_p": 56520,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "conrad-t480",
"orig_huid": "s96UneYs",
"orig_sluid": "0NV-o6qm",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "wpad.corp.example.com",
"rcode": 3,
"rcode_name": "NXDomain",
"rejected": true,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 43207,
"ts": 1623176458909,
"uid": "C1o-egaRw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2404,
277,
2350,
176,
3
],
"answers": [
"sevillecloudgateway-cus-prd.trafficmanager.net",
"wdatpprd-cus.securitycenter.windows.com",
"k8stm-prd-cus.trafficmanager.net",
"wdatp-prd-cus-6.centralus.cloudapp.azure.com",
"104.43.247.104"
],
"auth": [],
"community_id": "1:684d81d1cc96ac6a4b8085b0f1c3638624e29b30",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 51392,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "Piper-desktop",
"orig_huid": "s96UneYi",
"orig_sluid": "mpZ-aN4Z",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "winatp-gw-cus.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 8649,
"ts": 1623176466226,
"uid": "C8o.Ta5fw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3,
139,
38,
38,
38,
38,
38,
38,
38,
38
],
"answers": [
"telemetry-incoming.r53-2.services.mozilla.com",
"pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"44.235.28.153",
"44.226.235.191",
"54.149.10.221",
"54.184.190.181",
"52.88.2.59",
"34.216.18.93",
"34.215.151.143",
"34.216.113.46"
],
"auth": [],
"community_id": "1:6878abab24ec05167c9d5265dfd054d27a9ee935",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 60907,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "incoming.telemetry.mozilla.org",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 10,
"total_replies": 10,
"trans_id": 30381,
"ts": 1623176474380,
"uid": "CGY.ivkIw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
38,
38,
38,
38,
38,
38,
38,
38
],
"answers": [
"34.216.113.46",
"44.235.28.153",
"44.226.235.191",
"54.149.10.221",
"54.184.190.181",
"52.88.2.59",
"34.216.18.93",
"34.215.151.143"
],
"auth": [],
"community_id": "1:fc2191dc1914f5365b2433cd9e969a17fe007b6b",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 61723,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 8,
"total_replies": 8,
"trans_id": 62217,
"ts": 1623176474397,
"uid": "CGc.aA2Aw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
14
],
"answers": [
"ns-332.awsdns-41.com"
],
"auth": [],
"community_id": "1:a19360a857cc1c7b114fad62f93bf1fd37e11277",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 54676,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 28,
"qtype_name": "AAAA",
"query": "pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": true,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 63197,
"ts": 1623176474399,
"uid": "CGc.0Y64w80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3499,
1721,
239,
278,
19,
19
],
"answers": [
"wu-fg-shim.trafficmanager.net",
"2-01-3cf7-0009.cdx.cedexis.net",
"download.windowsupdate.com.edgesuite.net",
"a767.dspw65.akamai.net",
"104.114.77.82",
"104.114.77.27"
],
"auth": [],
"community_id": "1:6ac5c544e9152c96f78a4abc9b88d9b900d075e4",
"id.ip_ver": "ipv4",
"id.orig_h": "172.16.199.104",
"id.orig_p": 57647,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "comet_client",
"orig_huid": "s96UneYh",
"orig_sluid": "5gd-rmTa",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "www.download.windowsupdate.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 6,
"total_replies": 6,
"trans_id": 32912,
"ts": 1623176476836,
"uid": "CIw-Pf0Fw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
15,
185,
658
],
"answers": [
"detectportal.prod.mozaws.net",
"prod.detectportal.prod.cloudops.mozgcp.net",
"34.107.221.82"
],
"auth": [],
"community_id": "1:94704c1427afe5e7526abb08cc8dd6f5382a88bd",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 64680,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "detectportal.firefox.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 3,
"total_replies": 3,
"trans_id": 57234,
"ts": 1623176477462,
"uid": "CJU.IYN1w80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3597,
297,
897,
3597,
17
],
"answers": [
"prod.fs.microsoft.com.akadns.net",
"fs-wildcard.microsoft.com.edgekey.net",
"fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net",
"e1723.g.akamaiedge.net",
"96.16.113.122"
],
"auth": [],
"community_id": "1:25fa14cbd3822eb652d3675f2903f184b3f3556a",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 62150,
"id.resp_h": "1.1.1.1",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "fs.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 5721,
"ts": 1623176484684,
"uid": "CQQ.yF5dw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2657,
299,
83,
702,
18
],
"answers": [
"prod.fs.microsoft.com.akadns.net",
"fs-wildcard.microsoft.com.edgekey.net",
"fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net",
"e1723.g.akamaiedge.net",
"104.84.225.97"
],
"auth": [],
"community_id": "1:d93b734fcc6c111c316c00f2527e3c5fb7590300",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 62150,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "fs.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 5721,
"ts": 1623176484660,
"uid": "CQM.dXfIw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2374,
247,
2320,
146,
9
],
"answers": [
"sevillecloudgateway-cus-prd.trafficmanager.net",
"wdatpprd-cus.securitycenter.windows.com",
"k8stm-prd-cus.trafficmanager.net",
"wdatp-prd-cus-6.centralus.cloudapp.azure.com",
"104.43.247.104"
],
"auth": [],
"community_id": "1:c32aee8d89475720f98499777c498d0ea0b0491d",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 51133,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "Piper-desktop",
"orig_huid": "s96UneYi",
"orig_sluid": "mpZ-aN4Z",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "winatp-gw-cus.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 22860,
"ts": 1623176496628,
"uid": "Cbo.mhuiw80avjcq"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "ts01-b.cloudsink.net",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/O=CrowdStrike, Inc./CN=CrowdStrike Global EV CA G2",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "4096",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1687478399000,
"certificate.not_valid_before": 1655856000000,
"certificate.self_issued": false,
"certificate.serial": "063a608a951b7cfc9f6df454289b7288",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/C=US/ST=California/L=Sunnyvale/O=CrowdStrike, Inc./CN=ts01-b.cloudsink.net",
"certificate.version": 2,
"community_id": "1:c7d807ce23516979f30eae75d71ab3dc366c685f",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49267,
"id.resp_h": "54.183.140.32",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "PIPER-DESKTOP",
"orig_huid": "1gwOm6ZH",
"orig_sluid": "ItB-aN4Z",
"san.dns": ["ts01-b.cloudsink.net", "cloudsink.net", "lfodown01-b.cloudsink.net", "lfoup01-b.cloudsink.net"],
"san.other_fields": false,
"sensor_uid": "om0yofzd",
"ts": 1666052829206,
"uid": "6rk.5qUTom0yofzd"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "*.events.data.microsoft.com",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "2048",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1696096756000,
"certificate.not_valid_before": 1656611956000,
"certificate.self_issued": false,
"certificate.serial": "33000001de1a8917657fbd692c0000000001de",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/C=US/ST=WA/L=Redmond/O=Microsoft/OU=WSE/CN=*.events.data.microsoft.com",
"certificate.version": 2,
"community_id": "1:e66d230d867c28e4e38e80a6d8d8165178e11e5f",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49327,
"id.resp_h": "52.168.112.67",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "Piper-desktop",
"orig_huid": "1rb1pj3D",
"orig_sluid": "Jzx-aN4Z",
"san.dns": ["*.events.data.microsoft.com", "events.data.microsoft.com", "*.vortex-win.data.microsoft.com", "vortex-win.data.microsoft.com", "*.vortex.data.microsoft.com", "vortex.data.microsoft.com", "umwatsonc.telemetry.microsoft.com", "kmwatsonc.telemetry.microsoft.com", "watson.telemetry.microsoft.com", "watson.microsoft.com", "oca.telemetry.microsoft.com", "oca.microsoft.com", "*.events.data.microsoft.us", "events.data.microsoft.us", "*.vortex-win.data.microsoft.us", "vortex-win.data.microsoft.us", "*.vortex.data.microsoft.us", "vortex.data.microsoft.us", "umwatsonc.telemetry.microsoft.us", "kmwatsonc.telemetry.microsoft.us", "watson.telemetry.microsoft.us", "watson.microsoft.us", "oca.telemetry.microsoft.us", "oca.microsoft.us"],
"san.other_fields": false,
"sensor_uid": "qvksm4yy",
"ts": 1666053935886,
"uid": "OE--q068qvksm4yy"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "winatp-gw.microsoft.com",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "2048",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1682705940000,
"certificate.not_valid_before": 1651169940000,
"certificate.self_issued": false,
"certificate.serial": "33000001cf5349abdb6d2c6b750000000001cf",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/CN=winatp-gw.microsoft.com",
"certificate.version": 2,
"community_id": "1:446a29b78483c9f1b14c16a6448b308b141bcd83",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49323,
"id.resp_h": "104.43.247.104",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "PIPER-DESKTOP",
"orig_huid": "1gwOm6ZH",
"orig_sluid": "ItB-aN4Z",
"san.dns": ["winatp-gw.microsoft.com", "winatp-gw-cus.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-weu.microsoft.com", "winatp-gw-neu.microsoft.com", "winatp-gw-uks.microsoft.com", "winatp-gw-ukw.microsoft.com", "winatp-gw-canc.microsoft.com", "winatp-gw-cane.microsoft.com", "winatp-gw-asmw.microsoft.com", "winatp-gw-asmc.microsoft.com", "winatp-gw-cus3.microsoft.com", "winatp-gw-eus3.microsoft.com", "winatp-gw-neu3.microsoft.com", "winatp-gw-weu3.microsoft.com", "SevilleCloudGateway.microsoft.com", "sevillegw.microsoft.com", "sevillegweus.microsoft.com", "sevillegwcus.microsoft.com", "sevillegweu.microsoft.com", "sevillegwneu.microsoft.com", "sevillegwweu.microsoft.com"],
"san.other_fields": false,
"sensor_uid": "om0yofzd",
"ts": 1666053816645,
"uid": "MSM-assyom0yofzd"
},
{
"community_id": "1:1d57c4c53a65139e5bfaf514f578831d77e48aee",
"date": "Thu, 9 Apr 2020 23:52:02 +0000",
"first_received": "from ABC.example.outlook.com\r\n ([fe80::a4c4:303:5248:7d7d]) by BYAPR08MB5223.namprd08.prod.outlook.com",
"from": "Tom Harper",
"helo": "NAM10-BN7-obe.outbound.protection.outlook.com",
"id.ip_ver": "ipv4",
"id.orig_h": "11.12.13.14",
"id.orig_p": 6208,
"id.resp_h": "10.1.6.4",
"id.resp_p": 25,
"local_orig": false,
"local_resp": true,
"mail_from": "sanitized@sanitized.com",
"metadata_type": "metadata_smtp",
"msgid": " mamdalmdaldm",
"orig_hostname": null,
"rcpt_to": ["sanitized@sanitized.com"],
"resp_hostname": "IP-10.1.6.4",
"resp_sluid": "KXt-1zzg",
"second_received": "from ABC123.outlook.com by CDE.outlook.com",
"sensor_uid": "2x2ir6i9",
"spf_mailfrom": "none",
"subject": "Welcome to Vectra ",
"tls": false,
"to": ["sanitized@sanitized.com"],
"ts": 1666068877672,
"uid": "stw-eKj72x2ir6i9",
"x_originating_ip": "[1.2.3.4]"
}
]