
[
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
586
],
"answers": [
"ns.icann.org"
],
"auth": [],
"community_id": "1:6509a8cfdb7ea1368ca5ad6044d6f6bdeb012f5c",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.153.17",
"id.orig_p": 49920,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "leroy_brown",
"orig_huid": "s96UneYo",
"orig_sluid": "mpZ-WRh7",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "wpad.corp.example.com",
"rcode": 3,
"rcode_name": "NXDomain",
"rejected": true,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 30844,
"ts": 1623176452950,
"uid": "By6.7Uvbw80avjcq"
},
{
"AA": true,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3600
],
"answers": [
"dc01.corp.example.com"
],
"auth": [],
"community_id": "1:0839e1d9ba1e9a0fc1b66e1e4d01268f9b785ce4",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.18",
"id.orig_p": 56520,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "conrad-t480",
"orig_huid": "s96UneYs",
"orig_sluid": "0NV-o6qm",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "wpad.corp.example.com",
"rcode": 3,
"rcode_name": "NXDomain",
"rejected": true,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 43207,
"ts": 1623176458909,
"uid": "C1o-egaRw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2404,
277,
2350,
176,
3
],
"answers": [
"sevillecloudgateway-cus-prd.trafficmanager.net",
"wdatpprd-cus.securitycenter.windows.com",
"k8stm-prd-cus.trafficmanager.net",
"wdatp-prd-cus-6.centralus.cloudapp.azure.com",
"104.43.247.104"
],
"auth": [],
"community_id": "1:684d81d1cc96ac6a4b8085b0f1c3638624e29b30",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 51392,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "Piper-desktop",
"orig_huid": "s96UneYi",
"orig_sluid": "mpZ-aN4Z",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "winatp-gw-cus.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 8649,
"ts": 1623176466226,
"uid": "C8o.Ta5fw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3,
139,
38,
38,
38,
38,
38,
38,
38,
38
],
"answers": [
"telemetry-incoming.r53-2.services.mozilla.com",
"pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"44.235.28.153",
"44.226.235.191",
"54.149.10.221",
"54.184.190.181",
"52.88.2.59",
"34.216.18.93",
"34.215.151.143",
"34.216.113.46"
],
"auth": [],
"community_id": "1:6878abab24ec05167c9d5265dfd054d27a9ee935",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 60907,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "incoming.telemetry.mozilla.org",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 10,
"total_replies": 10,
"trans_id": 30381,
"ts": 1623176474380,
"uid": "CGY.ivkIw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
38,
38,
38,
38,
38,
38,
38,
38
],
"answers": [
"34.216.113.46",
"44.235.28.153",
"44.226.235.191",
"54.149.10.221",
"54.184.190.181",
"52.88.2.59",
"34.216.18.93",
"34.215.151.143"
],
"auth": [],
"community_id": "1:fc2191dc1914f5365b2433cd9e969a17fe007b6b",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 61723,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 8,
"total_replies": 8,
"trans_id": 62217,
"ts": 1623176474397,
"uid": "CGc.aA2Aw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
14
],
"answers": [
"ns-332.awsdns-41.com"
],
"auth": [],
"community_id": "1:a19360a857cc1c7b114fad62f93bf1fd37e11277",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 54676,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 28,
"qtype_name": "AAAA",
"query": "pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": true,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 0,
"total_replies": 1,
"trans_id": 63197,
"ts": 1623176474399,
"uid": "CGc.0Y64w80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3499,
1721,
239,
278,
19,
19
],
"answers": [
"wu-fg-shim.trafficmanager.net",
"2-01-3cf7-0009.cdx.cedexis.net",
"download.windowsupdate.com.edgesuite.net",
"a767.dspw65.akamai.net",
"104.114.77.82",
"104.114.77.27"
],
"auth": [],
"community_id": "1:6ac5c544e9152c96f78a4abc9b88d9b900d075e4",
"id.ip_ver": "ipv4",
"id.orig_h": "172.16.199.104",
"id.orig_p": 57647,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "comet_client",
"orig_huid": "s96UneYh",
"orig_sluid": "5gd-rmTa",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "www.download.windowsupdate.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 6,
"total_replies": 6,
"trans_id": 32912,
"ts": 1623176476836,
"uid": "CIw-Pf0Fw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
15,
185,
658
],
"answers": [
"detectportal.prod.mozaws.net",
"prod.detectportal.prod.cloudops.mozgcp.net",
"34.107.221.82"
],
"auth": [],
"community_id": "1:94704c1427afe5e7526abb08cc8dd6f5382a88bd",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 64680,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "detectportal.firefox.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 3,
"total_replies": 3,
"trans_id": 57234,
"ts": 1623176477462,
"uid": "CJU.IYN1w80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
3597,
297,
897,
3597,
17
],
"answers": [
"prod.fs.microsoft.com.akadns.net",
"fs-wildcard.microsoft.com.edgekey.net",
"fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net",
"e1723.g.akamaiedge.net",
"96.16.113.122"
],
"auth": [],
"community_id": "1:25fa14cbd3822eb652d3675f2903f184b3f3556a",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 62150,
"id.resp_h": "1.1.1.1",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "fs.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 5721,
"ts": 1623176484684,
"uid": "CQQ.yF5dw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2657,
299,
83,
702,
18
],
"answers": [
"prod.fs.microsoft.com.akadns.net",
"fs-wildcard.microsoft.com.edgekey.net",
"fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net",
"e1723.g.akamaiedge.net",
"104.84.225.97"
],
"auth": [],
"community_id": "1:d93b734fcc6c111c316c00f2527e3c5fb7590300",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.199.99",
"id.orig_p": 62150,
"id.resp_h": "192.168.50.191",
"id.resp_p": 53,
"local_orig": true,
"local_resp": true,
"metadata_type": "metadata_dns",
"orig_hostname": "fabien-pc",
"orig_huid": "s96UneYl",
"orig_sluid": "mpZ-6pew",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "fs.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"resp_hostname": "Windows-Server-2016-Demo",
"resp_huid": "s96UneYy",
"resp_sluid": "0NR--OAG",
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 5721,
"ts": 1623176484660,
"uid": "CQM.dXfIw80avjcq"
},
{
"AA": false,
"RA": true,
"RD": true,
"TC": false,
"TTLs": [
2374,
247,
2320,
146,
9
],
"answers": [
"sevillecloudgateway-cus-prd.trafficmanager.net",
"wdatpprd-cus.securitycenter.windows.com",
"k8stm-prd-cus.trafficmanager.net",
"wdatp-prd-cus-6.centralus.cloudapp.azure.com",
"104.43.247.104"
],
"auth": [],
"community_id": "1:c32aee8d89475720f98499777c498d0ea0b0491d",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 51133,
"id.resp_h": "8.8.8.8",
"id.resp_p": 53,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_dns",
"orig_hostname": "Piper-desktop",
"orig_huid": "s96UneYi",
"orig_sluid": "mpZ-aN4Z",
"proto": 17,
"qclass": 1,
"qclass_name": "Internet (IN)",
"qtype": 1,
"qtype_name": "A",
"query": "winatp-gw-cus.microsoft.com",
"rcode": 0,
"rcode_name": "NoError",
"rejected": false,
"saw_query": true,
"saw_reply": true,
"sensor_uid": "w80avjcq",
"total_answers": 5,
"total_replies": 5,
"trans_id": 22860,
"ts": 1623176496628,
"uid": "Cbo.mhuiw80avjcq"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "ts01-b.cloudsink.net",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/O=CrowdStrike, Inc./CN=CrowdStrike Global EV CA G2",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "4096",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1687478399000,
"certificate.not_valid_before": 1655856000000,
"certificate.self_issued": false,
"certificate.serial": "063a608a951b7cfc9f6df454289b7288",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/C=US/ST=California/L=Sunnyvale/O=CrowdStrike, Inc./CN=ts01-b.cloudsink.net",
"certificate.version": 2,
"community_id": "1:c7d807ce23516979f30eae75d71ab3dc366c685f",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49267,
"id.resp_h": "54.183.140.32",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "PIPER-DESKTOP",
"orig_huid": "1gwOm6ZH",
"orig_sluid": "ItB-aN4Z",
"san.dns": ["ts01-b.cloudsink.net", "cloudsink.net", "lfodown01-b.cloudsink.net", "lfoup01-b.cloudsink.net"],
"san.other_fields": false,
"sensor_uid": "om0yofzd",
"ts": 1666052829206,
"uid": "6rk.5qUTom0yofzd"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "*.events.data.microsoft.com",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "2048",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1696096756000,
"certificate.not_valid_before": 1656611956000,
"certificate.self_issued": false,
"certificate.serial": "33000001de1a8917657fbd692c0000000001de",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/C=US/ST=WA/L=Redmond/O=Microsoft/OU=WSE/CN=*.events.data.microsoft.com",
"certificate.version": 2,
"community_id": "1:e66d230d867c28e4e38e80a6d8d8165178e11e5f",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49327,
"id.resp_h": "52.168.112.67",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "Piper-desktop",
"orig_huid": "1rb1pj3D",
"orig_sluid": "Jzx-aN4Z",
"san.dns": ["*.events.data.microsoft.com", "events.data.microsoft.com", "*.vortex-win.data.microsoft.com", "vortex-win.data.microsoft.com", "*.vortex.data.microsoft.com", "vortex.data.microsoft.com", "umwatsonc.telemetry.microsoft.com", "kmwatsonc.telemetry.microsoft.com", "watson.telemetry.microsoft.com", "watson.microsoft.com", "oca.telemetry.microsoft.com", "oca.microsoft.com", "*.events.data.microsoft.us", "events.data.microsoft.us", "*.vortex-win.data.microsoft.us", "vortex-win.data.microsoft.us", "*.vortex.data.microsoft.us", "vortex.data.microsoft.us", "umwatsonc.telemetry.microsoft.us", "kmwatsonc.telemetry.microsoft.us", "watson.telemetry.microsoft.us", "watson.microsoft.us", "oca.telemetry.microsoft.us", "oca.microsoft.us"],
"san.other_fields": false,
"sensor_uid": "qvksm4yy",
"ts": 1666053935886,
"uid": "OE--q068qvksm4yy"
},
{
"basic_constraints.ca": false,
"basic_constraints.path_len": 0,
"certificate.cn": "winatp-gw.microsoft.com",
"certificate.exponent": "65537",
"certificate.issuer": "/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Secure Server CA 2011",
"certificate.key_alg": "RSA Encryption",
"certificate.key_length": "2048",
"certificate.key_type": "RSA",
"certificate.not_valid_after": 1682705940000,
"certificate.not_valid_before": 1651169940000,
"certificate.self_issued": false,
"certificate.serial": "33000001cf5349abdb6d2c6b750000000001cf",
"certificate.sig_alg": "sha256WithRsaEncryption",
"certificate.subject": "/CN=winatp-gw.microsoft.com",
"certificate.version": 2,
"community_id": "1:446a29b78483c9f1b14c16a6448b308b141bcd83",
"id.ip_ver": "ipv4",
"id.orig_h": "192.168.150.100",
"id.orig_p": 49323,
"id.resp_h": "104.43.247.104",
"id.resp_p": 443,
"local_orig": true,
"local_resp": false,
"metadata_type": "metadata_x509",
"orig_hostname": "PIPER-DESKTOP",
"orig_huid": "1gwOm6ZH",
"orig_sluid": "ItB-aN4Z",
"san.dns": ["winatp-gw.microsoft.com", "winatp-gw-cus.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-weu.microsoft.com", "winatp-gw-neu.microsoft.com", "winatp-gw-uks.microsoft.com", "winatp-gw-ukw.microsoft.com", "winatp-gw-canc.microsoft.com", "winatp-gw-cane.microsoft.com", "winatp-gw-asmw.microsoft.com", "winatp-gw-asmc.microsoft.com", "winatp-gw-cus3.microsoft.com", "winatp-gw-eus3.microsoft.com", "winatp-gw-neu3.microsoft.com", "winatp-gw-weu3.microsoft.com", "SevilleCloudGateway.microsoft.com", "sevillegw.microsoft.com", "sevillegweus.microsoft.com", "sevillegwcus.microsoft.com", "sevillegweu.microsoft.com", "sevillegwneu.microsoft.com", "sevillegwweu.microsoft.com"],
"san.other_fields": false,
"sensor_uid": "om0yofzd",
"ts": 1666053816645,
"uid": "MSM-assyom0yofzd"
},
{
"community_id": "1:1d57c4c53a65139e5bfaf514f578831d77e48aee",
"date": "Thu, 9 Apr 2020 23:52:02 +0000",
"first_received": "from ABC.example.outlook.com\r\n ([fe80::a4c4:303:5248:7d7d]) by BYAPR08MB5223.namprd08.prod.outlook.com",
"from": "Tom Harper",
"helo": "NAM10-BN7-obe.outbound.protection.outlook.com",
"id.ip_ver": "ipv4",
"id.orig_h": "11.12.13.14",
"id.orig_p": 6208,
"id.resp_h": "10.1.6.4",
"id.resp_p": 25,
"local_orig": false,
"local_resp": true,
"mail_from": "sanitized@sanitized.com",
"metadata_type": "metadata_smtp",
"msgid": " mamdalmdaldm",
"orig_hostname": null,
"rcpt_to": ["sanitized@sanitized.com"],
"resp_hostname": "IP-10.1.6.4",
"resp_sluid": "KXt-1zzg",
"second_received": "from ABC123.outlook.com by CDE.outlook.com",
"sensor_uid": "2x2ir6i9",
"spf_mailfrom": "none",
"subject": "Welcome to Vectra ",
"tls": false,
"to": ["sanitized@sanitized.com"],
"ts": 1666068877672,
"uid": "stw-eKj72x2ir6i9",
"x_originating_ip": "[1.2.3.4]"
}
]