diff --git a/packages/crowdstrike/_dev/build/docs/README.md b/packages/crowdstrike/_dev/build/docs/README.md index d6b35fce661..4007eaafba9 100644 --- a/packages/crowdstrike/_dev/build/docs/README.md +++ b/packages/crowdstrike/_dev/build/docs/README.md 
@@ -352,12 +352,8 @@ FROM logs-crowdstrike.fdr-* | LIMIT 20 ``` -**Elasticsearch 8.19+** is required for `LOOKUP JOIN` to resolve an alias. Use `crowdstrike_lookup.aidmaster` as in the example above. On **releases before 8.19**, `LOOKUP JOIN` must target the concrete transform destination index instead: in Kibana go to **Stack Management** → **Transforms**, open the CrowdStrike latest aidmaster transform, and use the **destination_index** name shown there (that name can change with the integration version). - **Using enriched fields:** Enrichment from the lookup is under the `crowdstrike.info.host.*` namespace (e.g. `crowdstrike.info.host.hostname` for hostname, `crowdstrike.info.host.cid` for customer ID). Use these fields in dashboards and detection rules when building on query-time enrichment. -**Ingest-time versus query-time:** The FDR integration’s **Enrich Host and User Metadata** option (`enrich_metadata`, on by default) uses the Elastic Agent (Filebeat) metadata cache to attach `aidmaster` and `userinfo` to events at ingest time. If you rely on query-time host enrichment only (transform + `LOOKUP JOIN` above), set **Enrich Host and User Metadata** to **Off** so host metadata is not applied twice. Turning it off also disables ingest-time enrichment from `userinfo`; if you still need user fields from `userinfo` on every document, keep ingest-time enrichment enabled or supplement with a separate query pattern. Disabling **Enrich Host and User Metadata** automatically makes **Keep Original Host and User Metadata** option (`keep_metadata`) ineffective and the metadata events are retained. - ### Query-time user metadata enrichment (LOOKUP JOIN) A second transform maintains the latest user metadata per host-user pair from `UserIdentity` and `UserLogon` sensor events in a lookup index. 
Unlike `userinfo` directory data (which requires [Falcon Discover](https://www.crowdstrike.com/platform/exposure-management/falcon-discover/) and covers only Windows), sensor events are available to all FDR customers on all platforms (Windows, macOS, Linux, ChromeOS). You can enrich FDR events with user metadata at query time using ES|QL [`LOOKUP JOIN`](https://www.elastic.co/docs/reference/query-languages/esql/commands/lookup-join). 
@@ -393,11 +389,7 @@ FROM logs-crowdstrike.fdr-* | LIMIT 20 ``` -**Elasticsearch 8.19+** is required for `LOOKUP JOIN` to resolve an alias. Use `crowdstrike_lookup.userinfo` as in the examples above. On **releases before 8.19**, `LOOKUP JOIN` must target the concrete transform destination index instead: in Kibana go to **Stack Management** → **Transforms**, open the CrowdStrike latest userinfo transform, and use the **destination_index** name shown there (that name can change with the integration version). If you use both host and user lookups on releases before 8.19, you will need two concrete destination index names — one for aidmaster and one for userinfo — both obtainable from **Stack Management** → **Transforms**. - -**Using enriched fields:** Enrichment from the user lookup is under the `crowdstrike.info.user.*` namespace (e.g. `crowdstrike.info.user.name` for username, `crowdstrike.info.user.domain` for UPN domain, `crowdstrike.info.user.logon_type` for logon type). Use these fields in dashboards and ES|QL detection rules when building on query-time enrichment. Note that detection rules using EQL, threshold, or KQL operate on stored documents and cannot use `LOOKUP JOIN` — those rule types continue to rely on ingest-time cache enrichment for user metadata. - -**Ingest-time versus query-time:** The same **Enrich Host and User Metadata** option (`enrich_metadata`) that controls ingest-time host enrichment also controls ingest-time user enrichment from `userinfo` directory data. Query-time user enrichment via the transform is additive — it works regardless of whether ingest-time enrichment is enabled. If you rely on query-time enrichment only, set **Enrich Host and User Metadata** to **Off** so metadata is not applied twice. 
If both are active, user metadata may appear under `crowdstrike.info.user.*` from both the ingest-time cache and the query-time lookup; the values should be consistent but the ingest-time cache is populated from `userinfo` while the query-time lookup uses sensor events, so field availability may differ. +**Using enriched fields:** Enrichment from the user lookup is under the `crowdstrike.info.user.*` namespace (e.g. `crowdstrike.info.user.name` for username, `crowdstrike.info.user.domain` for UPN domain, `crowdstrike.info.user.logon_type` for logon type). Use these fields in dashboards and ES|QL detection rules when building on query-time enrichment. #### ES|QL dashboard panels diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 7004c5c9bee..43390162e36 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml 
@@ -1,4 +1,31 @@ # newer versions go on top +- version: "4.0.0" + changes: + - description: >- + Remove ingest-time cache processor from FDR. Users with custom KQL, EQL, or threshold + queries filtering on `crowdstrike.info.*` as stored fields must rewrite those queries + as ES|QL using LOOKUP JOIN against `crowdstrike_lookup.aidmaster` or + `crowdstrike_lookup.userinfo`. + type: breaking-change + link: https://github.com/elastic/integrations/pull/19434 + - description: >- + Remove `enrich_metadata`, `keep_metadata`, `metadata_ttl`, `metadata_cache_capacity`, + and `metadata_cache_write_interval` configuration variables from FDR. Aidmaster and + userinfo metadata events are now always indexed regardless of previous settings. + Metadata enrichment is now handled exclusively by query-time LOOKUP JOIN. + type: breaking-change + link: https://github.com/elastic/integrations/pull/19434 + - description: >- + Aidmaster and userinfo events are now always indexed instead of being dropped after + cache enrichment, providing a reliable source for the LOOKUP JOIN transforms. + type: enhancement + link: https://github.com/elastic/integrations/pull/19434 + - description: Remove metadata file sorting from FDR SQS notification parsing script. + type: enhancement + link: https://github.com/elastic/integrations/pull/19434 + - description: Remove dead-code ingest pipeline processors that read from `crowdstrike.info.*` fields populated by the cache. + type: bugfix + link: https://github.com/elastic/integrations/pull/19434 - version: "3.21.0" changes: - description: Use new `release` field for agentless deployment mode to establish as beta. diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-iom-evaluation.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-iom-evaluation.log-expected.json index cd54856e30a..e0598c0f68a 100644 
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-iom-evaluation.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-cspm-iom-evaluation.log-expected.json @@ -36,6 +36,7 @@ }, "created": "2025-10-13T03:59:08.974Z", "crn": "aws|123456789012|global|AWS::Account|123456789012", + "event_simpleName": "CloudSecurityIOMEvaluation", "findings": [ { "name": "Encryption Enabled", @@ -58,8 +59,7 @@ }, "revision": 7, "status": "Unresolved", - "url": "https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Volumes:", - "event_simpleName": "CloudSecurityIOMEvaluation" + "url": "https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Volumes:" }, "event": { "action": "CloudSecurityIOMEvaluation", diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-linux.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-linux.log-expected.json index 6a9ab25ba30..b928549bc37 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-linux.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-linux.log-expected.json @@ -24,9 +24,9 @@ "PolicyRuleSeverity": 3, "RUID": "1000", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "ca65aa54-f7b9-453b-8ef1-99a5b2c8e3c4", - "name": "FileIntegrityMonitorRuleMatchedLinV9", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedLinV9" }, "device": { "id": "2e3d9c94d9c34764860b1f3b444c6d4d" 
@@ -186,9 +186,9 @@ "PreviousFileAttributesLinux": "16", "RUID": "0", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "784c387c-806a-4add-a54f-83bc938d022d", - "name": "FileIntegrityMonitorRuleMatchedLinV9", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedLinV9" }, "device": { "id": "2e3d9c94d9c34764860b1f3b444c6d4d" @@ -346,9 +346,9 @@ "RUID": "1000", "SecurityInformationLinux": "1", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "48cd83c0-62ba-471c-a6a2-fa5309195dde", - "name": "FileIntegrityMonitorRuleMatchedLinV9", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedLinV9" }, "device": { "id": "2e3d9c94d9c34764860b1f3b444c6d4d" @@ -500,9 +500,9 @@ "PolicyRuleSeverity": 3, "RUID": "1000", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "54049e9e-d8c2-41c8-8822-98687f7a3608", - "name": "FileIntegrityMonitorRuleMatchedLinV9", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedLinV9" }, "device": { "id": "2e3d9c94d9c34764860b1f3b444c6d4d" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-windows.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-windows.log-expected.json index 17e06fcc9a2..3cf9fbabe04 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-windows.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-fim-rule-matched-windows.log-expected.json 
@@ -23,9 +23,9 @@ "PolicyRuleSeverity": 3, "RegType": "1", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "fa2d4a8a-df61-4d4a-b1da-d04140d2faf0", - "name": "FileIntegrityMonitorRuleMatchedV11", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedV11" }, "device": { "id": "05831d09e02c4949a44cf99ffa54f2ed" @@ -170,9 +170,9 @@ }, "PolicyRuleSeverity": 1, "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "a9e7eae2-3f8e-44c9-b847-40cf2af49e2b", - "name": "FileIntegrityMonitorRuleMatchedV11", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedV11" }, "device": { "id": "05831d09e02c4949a44cf99ffa54f2ed" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-geoip-disabled.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-geoip-disabled.log-expected.json index e4662a22a66..1948ac83e87 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-geoip-disabled.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr-geoip-disabled.log-expected.json @@ -26,9 +26,9 @@ "PreviousFileAttributesLinux": "16", "RUID": "0", "cid": "2cc98db1a47b4c98b913c94d43bfab70", + "event_simpleName": "FileIntegrityMonitorRuleMatched", "id": "784c387c-806a-4add-a54f-83bc938d022d", - "name": "FileIntegrityMonitorRuleMatchedLinV9", - "event_simpleName": "FileIntegrityMonitorRuleMatched" + "name": "FileIntegrityMonitorRuleMatchedLinV9" }, "device": { "id": "2e3d9c94d9c34764860b1f3b444c6d4d" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index f69d9d4e118..5e9ed2439d5 100644 
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -16,9 +16,9 @@ "SourceThreadId": "0", "SyntheticPR2Flags": "8", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "SyntheticProcessRollup2", "id": "ffffffff-1111-11eb-8dd4-061759968cdf", - "name": "SyntheticProcessRollup2MacV3", - "event_simpleName": "SyntheticProcessRollup2" + "name": "SyntheticProcessRollup2MacV3" }, "device": { "id": "ffffffffa63e404bba4bff7465ab3afb" @@ -132,9 +132,9 @@ "SuspectStackCount": 0, "SuspiciousDnsRequestCount": 0, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-9d75-02bcf3ade03b", - "name": "EndOfProcessMacV15", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessMacV15" }, "device": { "id": "ffffffff3c0846978560dbc0048d6555" @@ -212,9 +212,9 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "RawBindIP6", "id": "ffffffff-1111-11eb-ad8d-064c77be2fd1", - "name": "RawBindIP6MacV10", - "event_simpleName": "RawBindIP6" + "name": "RawBindIP6MacV10" }, "destination": { "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", @@ -320,9 +320,9 @@ "SHA256HashData": "f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018", "Timeout": 600, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ProcessRollup2Stats", "id": "ffffffff-1111-11eb-822b-06081a3f0f45", - "name": "ProcessRollup2StatsMacV1", - "event_simpleName": "ProcessRollup2Stats" + "name": "ProcessRollup2StatsMacV1" }, "device": { "id": "ffffffff59fe460783ea45d59e417d6f" 
@@ -424,9 +424,9 @@ "ProvisionState": "1", "SensorStateBitMap": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "SensorHeartbeat", "id": "ffffffff-1111-11eb-97c6-02fd02aca859", - "name": "SensorHeartbeatMacV4", - "event_simpleName": "SensorHeartbeat" + "name": "SensorHeartbeatMacV4" }, "device": { "id": "ffffffffe1ad47b6b5b44ae9151a6cf3" @@ -500,9 +500,9 @@ "SourceProcessId": "362213307092004097", "SourceThreadId": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-a9ce-02e9216bdbcb", - "name": "ProcessRollup2MacV5", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2MacV5" }, "device": { "id": "ffffffff8be84591864008eb2e484920" @@ -614,9 +614,9 @@ "0.0.0.0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkReceiveAcceptIP4", "id": "ffffffff-1111-11eb-9d7c-02e8a46f51a5", - "name": "NetworkReceiveAcceptIP4LinV5", - "event_simpleName": "NetworkReceiveAcceptIP4" + "name": "NetworkReceiveAcceptIP4LinV5" }, "destination": { "address": "0.0.0.0", @@ -721,9 +721,9 @@ "67.43.156.14" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "RawBindIP4", "id": "ffffffff-1111-11eb-81d4-0282ad9ac82d", - "name": "RawBindIP4MacV10", - "event_simpleName": "RawBindIP4" + "name": "RawBindIP4MacV10" }, "destination": { "address": "0.0.0.0", @@ -826,9 +826,9 @@ "0:0:0:0:0:0:0:0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkConnectIP6", "id": "ffffffff-1111-11eb-97c6-02fd02aca859", - "name": "NetworkConnectIP6MacV10", - "event_simpleName": "NetworkConnectIP6" + "name": "NetworkConnectIP6MacV10" }, "destination": { "address": "127.0.0.1", 
@@ -922,9 +922,9 @@ "SourceProcessId": "38911774195823", "SourceThreadId": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-bad4-02690d039c6b", - "name": "ProcessRollup2LinV6", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2LinV6" }, "device": { "id": "ffffffffcf45409f87ed463b40c368ec" @@ -1058,9 +1058,9 @@ "0:0:0:0:0:0:0:1" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkConnectIP6", "id": "ffffffff-1111-11eb-9d7c-02e8a46f51a5", - "name": "NetworkConnectIP6LinV5", - "event_simpleName": "NetworkConnectIP6" + "name": "NetworkConnectIP6LinV5" }, "destination": { "address": "0:0:0:0:0:0:0:1", @@ -1146,9 +1146,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "OoxmlFileWritten", "id": "ffffffff-1111-11eb-8ad1-02cfdadef55f", - "name": "OoxmlFileWrittenMacV1", - "event_simpleName": "OoxmlFileWritten" + "name": "OoxmlFileWrittenMacV1" }, "device": { "id": "ffffffff20bd481a98a3d1f6191047ff" @@ -1232,9 +1232,9 @@ "67.43.156.14" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkConnectIP4", "id": "ffffffff-1111-11eb-b727-028bbe41f38d", - "name": "NetworkConnectIP4LinV5", - "event_simpleName": "NetworkConnectIP4" + "name": "NetworkConnectIP4LinV5" }, "destination": { "address": "67.43.156.14", @@ -1346,9 +1346,9 @@ "ConfigStateHash": "1156120155", "ErrorCode": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ChannelVersionRequired", "id": "ffffffff-1111-11eb-b7e0-02332cdcc16d", - "name": "ChannelVersionRequiredLinV2", - "event_simpleName": "ChannelVersionRequired" + "name": "ChannelVersionRequiredLinV2" }, "device": { "id": "ffffffff25b14d4aa96de99e24bad2fa" 
@@ -1409,9 +1409,9 @@ ], "PhysicalAddressLength": 6, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressIP6", "id": "ffffffff-1111-11eb-92d2-0286f570f8e1", - "name": "LocalIpAddressIP6LinV1", - "event_simpleName": "LocalIpAddressIP6" + "name": "LocalIpAddressIP6LinV1" }, "device": { "id": "ffffffffc9114c1898e79604708955a6" @@ -1496,9 +1496,9 @@ "Entitlements": "15", "ErrorCode": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ChannelVersionRequired", "id": "ffffffff-1111-11eb-8cc5-02c6fb049dd3", - "name": "ChannelVersionRequiredMacV2", - "event_simpleName": "ChannelVersionRequired" + "name": "ChannelVersionRequiredMacV2" }, "device": { "id": "ffffffff2d7b4778a73b2cf58d327e42" @@ -1558,9 +1558,9 @@ "NetworkContainmentState": "0", "SensorStateBitMap": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "SensorHeartbeat", "id": "ffffffff-1111-11eb-993f-02b8dc387eb5", - "name": "SensorHeartbeatLinV4", - "event_simpleName": "SensorHeartbeat" + "name": "SensorHeartbeatLinV4" }, "device": { "id": "fffffffff6e146908cbf31d72b94b626" @@ -1626,9 +1626,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "JavaClassFileWritten", "id": "ffffffff-1111-11eb-97c6-02fd02aca859", - "name": "JavaClassFileWrittenMacV1", - "event_simpleName": "JavaClassFileWritten" + "name": "JavaClassFileWrittenMacV1" }, "device": { "id": "ffffffff083845f68a7de3d95cb34361" @@ -1713,9 +1713,9 @@ "0.0.0.0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkConnectIP4", "id": "ffffffff-1111-11eb-9c94-0222a21bbb27", - "name": "NetworkConnectIP4MacV10", - "event_simpleName": "NetworkConnectIP4" + "name": "NetworkConnectIP4MacV10" }, "destination": { "address": "67.43.156.14", 
@@ -1813,9 +1813,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "DnsRequest", "id": "ffffffff-1111-11eb-9644-060415b1fd87", - "name": "DnsRequestMacV1", - "event_simpleName": "DnsRequest" + "name": "DnsRequestMacV1" }, "device": { "id": "ffffffff7ecf4e61bba14ca5ac5d17b1" @@ -1901,9 +1901,9 @@ "Entitlements": "15", "SHA256HashData": "2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NewScriptWritten", "id": "ffffffff-1111-11eb-b3de-06a53f021cc9", - "name": "NewScriptWrittenMacV2", - "event_simpleName": "NewScriptWritten" + "name": "NewScriptWrittenMacV2" }, "device": { "id": "ffffffffbea440b9aad8b5bf222d303f" @@ -1985,9 +1985,9 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressRemovedIP6", "id": "ffffffff-1111-11eb-b3c1-02ff598b7945", - "name": "LocalIpAddressRemovedIP6LinV1", - "event_simpleName": "LocalIpAddressRemovedIP6" + "name": "LocalIpAddressRemovedIP6LinV1" }, "device": { "id": "ffffffffbfbf4ff5aa56a26ad3c1a942" @@ -2071,9 +2071,9 @@ "UnixMode": "0", "VnodeType": "2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "DirectoryCreate", "id": "ffffffff-1111-11eb-92d2-0286f570f8e1", - "name": "DirectoryCreateMacV1", - "event_simpleName": "DirectoryCreate" + "name": "DirectoryCreateMacV1" }, "device": { "id": "ffffffff24db47799d1a85aae61dc7bc" @@ -2165,9 +2165,9 @@ "67.43.156.14" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkCloseIP4", "id": "ffffffff-1111-11eb-9015-02e89cda7d5f", - "name": "NetworkCloseIP4LinV6", - "event_simpleName": "NetworkCloseIP4" + "name": "NetworkCloseIP4LinV6" }, "destination": { "address": "67.43.156.13", 
@@ -2306,9 +2306,9 @@ "VolumeType": "APFS", "VolumeUUID": "85400FAD-01F9-0442-8C5D-441F365D4909", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "FsVolumeMounted", "id": "ffffffff-1111-11eb-956a-02748d01bd3d", - "name": "FsVolumeMountedMacV1", - "event_simpleName": "FsVolumeMounted" + "name": "FsVolumeMountedMacV1" }, "device": { "id": "ffffffff8eca418b7a861be9c5f7de1d" @@ -2383,9 +2383,9 @@ ], "PhysicalAddressLength": 6, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressIP4", "id": "ffffffff-1111-11eb-9c94-0222a21bbb27", - "name": "LocalIpAddressIP4LinV1", - "event_simpleName": "LocalIpAddressIP4" + "name": "LocalIpAddressIP4LinV1" }, "device": { "id": "ffffffff190e436aaebc3892bcda5beb" @@ -2472,9 +2472,9 @@ ], "NetLuidIndex": 0, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressRemovedIP6", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "LocalIpAddressRemovedIP6MacV1", - "event_simpleName": "LocalIpAddressRemovedIP6" + "name": "LocalIpAddressRemovedIP6MacV1" }, "device": { "id": "ffffffff44564c2f8d76394cb25c31ab" @@ -2571,9 +2571,9 @@ "OutUcastPkts": "0", "PhysicalAddressLength": 6, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressIP6", "id": "ffffffff-1111-11eb-b88d-06b7cb0d7bd7", - "name": "LocalIpAddressIP6MacV1", - "event_simpleName": "LocalIpAddressIP6" + "name": "LocalIpAddressIP6MacV1" }, "device": { "id": "ffffffff0ad7494e8e817b3903f4eebb" @@ -2660,9 +2660,9 @@ "0.0.0.0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkListenIP4", "id": "ffffffff-1111-11eb-8b36-06a8af5164a9", - "name": "NetworkListenIP4MacV10", - "event_simpleName": "NetworkListenIP4" + "name": "NetworkListenIP4MacV10" }, "destination": { "address": "0.0.0.0", 
@@ -2747,9 +2747,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ExecutableDeleted", "id": "ffffffff-1111-11eb-8ca0-0231588e8cbb", - "name": "ExecutableDeletedMacV1", - "event_simpleName": "ExecutableDeleted" + "name": "ExecutableDeletedMacV1" }, "device": { "id": "ffffffffa7bf46da689501ce58bd6987" @@ -2827,9 +2827,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "GzipFileWritten", "id": "ffffffff-1111-11eb-9320-06d410e6f705", - "name": "GzipFileWrittenMacV1", - "event_simpleName": "GzipFileWritten" + "name": "GzipFileWrittenMacV1" }, "device": { "id": "fffffffffc2c4e4fa9c08e1a8388e5f9" @@ -2906,9 +2906,9 @@ "IOServiceName": "Touch Bar Backlight", "IOServicePath": "IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "IOServiceRegister", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "IOServiceRegisterMacV1", - "event_simpleName": "IOServiceRegister" + "name": "IOServiceRegisterMacV1" }, "device": { "id": "ffffffff44564c2f8d76394cb25c31ab" @@ -2975,9 +2975,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "PtyCreated", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "PtyCreatedMacV1", - "event_simpleName": "PtyCreated" + "name": "PtyCreatedMacV1" }, "device": { "id": "251658248" @@ -3052,9 +3052,9 @@ ], "NetLuidIndex": 2, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressRemovedIP4", "id": "ffffffff-1111-11eb-b7b7-066cc89bcebf", - "name": "LocalIpAddressRemovedIP4MacV1", - "event_simpleName": "LocalIpAddressRemovedIP4" + "name": "LocalIpAddressRemovedIP4MacV1" }, "device": { "id": "ffffffff5ae3449ab33a1809fe6c5ce2" 
@@ -3142,9 +3142,9 @@ "0:0:0:0:0:0:0:1" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkCloseIP6", "id": "ffffffff-1111-11eb-8130-02cde7751097", - "name": "NetworkCloseIP6LinV6", - "event_simpleName": "NetworkCloseIP6" + "name": "NetworkCloseIP6LinV6" }, "destination": { "address": "0:0:0:0:0:0:0:1", @@ -3234,9 +3234,9 @@ ], "ConfigStateHash": "1156120155", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ConfigStateUpdate", "id": "ffffffff-1111-11eb-af89-06c111484f9f", - "name": "ConfigStateUpdateLinV2", - "event_simpleName": "ConfigStateUpdate" + "name": "ConfigStateUpdateLinV2" }, "device": { "id": "ffffffffa74a4c89b9984a3a7124bb9d" @@ -3302,9 +3302,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "SuspiciousDnsRequest", "id": "ffffffff-1111-11eb-a4a3-02cbdfb8f529", - "name": "SuspiciousDnsRequestMacV1", - "event_simpleName": "SuspiciousDnsRequest" + "name": "SuspiciousDnsRequestMacV1" }, "device": { "id": "ffffffff0cd64fb78626ab1b6c65ac8c" @@ -3393,9 +3393,9 @@ "Parameter2": "0", "Parameter3": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ErrorEvent", "id": "ffffffff-1111-11eb-bdd3-0681aa29cecb", - "name": "ErrorEventLinV1", - "event_simpleName": "ErrorEvent" + "name": "ErrorEventLinV1" }, "device": { "id": "ffffffffabd047b1a86c1fcd8ef22b59" @@ -3488,9 +3488,9 @@ "EffectiveTransmissionClass": "0", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ConfigStateUpdate", "id": "ffffffff-1111-11eb-8dc4-0234c12f9875", - "name": "ConfigStateUpdateMacV2", - "event_simpleName": "ConfigStateUpdate" + "name": "ConfigStateUpdateMacV2" }, "device": { "id": "ffffffffa15a452190ae454f7d33e07e" 
@@ -3557,9 +3557,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "KextLoad", "id": "ffffffff-1111-11eb-a2ae-028f6bf89be7", - "name": "KextLoadMacV1", - "event_simpleName": "KextLoad" + "name": "KextLoadMacV1" }, "device": { "id": "ffffffffaa0e47a1b009aef151d6179d" @@ -3630,9 +3630,9 @@ "ChannelVersionRequired": "0", "ConfigStateHash": "3155796140", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ChannelVersionRequired", "id": "ffffffff-1111-11eb-b411-06baeacb7a63", - "name": "ChannelVersionRequiredLinV1", - "event_simpleName": "ChannelVersionRequired" + "name": "ChannelVersionRequiredLinV1" }, "device": { "id": "ffffffff67d54f7daf3d998ffc74d48e" @@ -3693,9 +3693,9 @@ "SuppressType": "3", "Timeout": 60, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ProcessRollup2Stats", "id": "ffffffff-1111-11eb-b34e-063f4cefccb3", - "name": "ProcessRollup2StatsLinV3", - "event_simpleName": "ProcessRollup2Stats" + "name": "ProcessRollup2StatsLinV3" }, "device": { "id": "ffffffffe22549479fbe8293b6747a68" @@ -3787,9 +3787,9 @@ "LoginSessionId": "1138166333440", "UserSid": "S-1-5-21-3852557355-3178143607-2040168074-1530", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "UserIdentity", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "UserIdentityMacV4", - "event_simpleName": "UserIdentity" + "name": "UserIdentityMacV4" }, "device": { "id": "ffffffff44564c2f8d76394cb25c31ab" @@ -3876,9 +3876,9 @@ "PupAdwareDecisionValue": "12384657383358464", "SHA256HashData": "c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "DeliverLocalFXToCloud", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", - "name": "DeliverLocalFXToCloudMacV4", - "event_simpleName": "DeliverLocalFXToCloud" + "name": "DeliverLocalFXToCloudMacV4" }, "device": { "id": "ffffffff45d647e6ae0ba8764a4bd570" 
@@ -3937,9 +3937,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "CreateProcessArgs", "id": "ffffffff-1111-11eb-8332-020506b18db5", - "name": "CreateProcessArgsMac", - "event_simpleName": "CreateProcessArgs" + "name": "CreateProcessArgsMac" }, "device": { "id": "ffffffffb3a3442585c05abc61e290fc" @@ -4039,9 +4039,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "PdfFileWritten", "id": "ffffffff-1111-11eb-8903-022a1941b91f", - "name": "PdfFileWrittenMacV1", - "event_simpleName": "PdfFileWritten" + "name": "PdfFileWrittenMacV1" }, "device": { "id": "ffffffffc4044541995bffd84b9df003" @@ -4121,9 +4121,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "GroupIdentity", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "GroupIdentityMacV2", - "event_simpleName": "GroupIdentity" + "name": "GroupIdentityMacV2" }, "device": { "id": "ffffffff44564c2f8d76394cb25c31ab" @@ -4197,9 +4197,9 @@ "MachOSubType": "3", "SHA256HashData": "c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "MachOFileWritten", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "MachOFileWrittenMacV3", - "event_simpleName": "MachOFileWritten" + "name": "MachOFileWrittenMacV3" }, "device": { "id": "ffffffff44564c2f8d76394cb25c31ab" @@ -4289,9 +4289,9 @@ "0:0:0:0:0:0:0:0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkListenIP6", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", - "name": "NetworkListenIP6MacV10", - "event_simpleName": "NetworkListenIP6" + "name": "NetworkListenIP6MacV10" }, "destination": { "address": "0:0:0:0:0:0:0:0", 
@@ -4496,9 +4496,9 @@ "30803505447584" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "CurrentSystemTags", "id": "ffffffff-1111-11eb-b88d-06b7cb0d7bd7", - "name": "CurrentSystemTagsMacV1", - "event_simpleName": "CurrentSystemTags" + "name": "CurrentSystemTagsMacV1" }, "device": { "id": "ffffffff62714a708030d494ca0a7e60" @@ -4566,9 +4566,9 @@ "SHA256HashData": "70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005", "VnodeModificationType": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NewExecutableWritten", "id": "ffffffff-1111-11eb-985c-02152dd35bc1", - "name": "NewExecutableWrittenMacV2", - "event_simpleName": "NewExecutableWritten" + "name": "NewExecutableWrittenMacV2" }, "device": { "id": "ffffffff28414c2293e35c360213e723" @@ -4774,9 +4774,9 @@ ], "UploadId": "8023668629276690295", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LfoUploadDataComplete", "id": "ffffffff-1111-11eb-a2ab-024aafff599f", - "name": "LfoUploadDataCompleteMacV3", - "event_simpleName": "LfoUploadDataComplete" + "name": "LfoUploadDataCompleteMacV3" }, "device": { "id": "fffffffffbea48169985c2c2bae89d1d" @@ -4849,9 +4849,9 @@ "Entitlements": "15", "LightningLatencyState": "3", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LightningLatencyInfo", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", - "name": "LightningLatencyInfoMacV1", - "event_simpleName": "LightningLatencyInfo" + "name": "LightningLatencyInfoMacV1" }, "device": { "id": "ffffffffd452449b8d1eb7d85b146650" @@ -4943,9 +4943,9 @@ "0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NeighborListIP4", "id": "ffffffff-1111-11eb-9dc0-06c6f5278873", - "name": "NeighborListIP4MacV1", - "event_simpleName": "NeighborListIP4" + "name": "NeighborListIP4MacV1" }, "device": { "id": "ffffffff8eb649cf8d82be1e65629a0e" 
@@ -5012,9 +5012,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ZipFileWritten", "id": "ffffffff-1111-11eb-ab6e-0668ec51180b", - "name": "ZipFileWrittenMacV1", - "event_simpleName": "ZipFileWritten" + "name": "ZipFileWrittenMacV1" }, "device": { "id": "ffffffff2d984e32b702789b54f0f811" @@ -5116,9 +5116,9 @@ "SystemSerialNumber": "C02F649EMD6R", "SystemSku": " ", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "AgentOnline", "id": "ffffffff-1111-11eb-b3de-06a53f021cc9", - "name": "AgentOnlineMacV13", - "event_simpleName": "AgentOnline" + "name": "AgentOnlineMacV13" }, "device": { "id": "ffffffffbea440b9aad8b5bf222d303f" @@ -5198,9 +5198,9 @@ "Entitlements": "15", "UnixMode": "384", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "CriticalFileAccessed", "id": "ffffffff-1111-11eb-956a-02748d01bd3d", - "name": "CriticalFileAccessedMacV1", - "event_simpleName": "CriticalFileAccessed" + "name": "CriticalFileAccessedMacV1" }, "device": { "id": "ffffffff8eca418b7a861be9c5f7de1d" @@ -5292,9 +5292,9 @@ "OSVersionFileName": "/System/Library/CoreServices/SystemVersion.plist", "RFMState": "0", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "OsVersionInfo", "id": "ffffffff-1111-11eb-b3de-06a53f021cc9", - "name": "OsVersionInfoMacV3", - "event_simpleName": "OsVersionInfo" + "name": "OsVersionInfoMacV3" }, "device": { "id": "ffffffffbea440b9aad8b5bf222d303f" @@ -5376,9 +5376,9 @@ ], "ConfigStateHash": "1284133626", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ConfigStateUpdate", "id": "ffffffff-1111-11eb-8e88-068a8894a447", - "name": "ConfigStateUpdateLinV1", - "event_simpleName": "ConfigStateUpdate" + "name": "ConfigStateUpdateLinV1" }, "device": { "id": "ffffffff4f4044b689d6420d303e4ecd" 
@@ -5442,9 +5442,9 @@ "ConfigStateHash": "1333055909", "DownloadPort": 443, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LFODownloadConfirmation", "id": "ffffffff-1111-11eb-8dee-0201f64cca29", - "name": "LFODownloadConfirmationLinV1", - "event_simpleName": "LFODownloadConfirmation" + "name": "LFODownloadConfirmationLinV1" }, "device": { "id": "ffffffff88b948c6abeeee910f6d8c33" @@ -5530,9 +5530,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "TarFileWritten", "id": "ffffffff-1111-11eb-9497-028a0bfcf603", - "name": "TarFileWrittenMacV1", - "event_simpleName": "TarFileWritten" + "name": "TarFileWrittenMacV1" }, "device": { "id": "ffffffffe6244708bd09a6c111f63f4a" @@ -5621,9 +5621,9 @@ "ProvisionState": "0", "VerifiedCertificate": "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "AgentConnect", "id": "ffffffff-1111-11eb-ba54-02a3616f6acd", - "name": "AgentConnectMacV5", - "event_simpleName": "AgentConnect" + "name": "AgentConnectMacV5" }, "device": { "id": "ffffffff2977460db2898ece881a9358" @@ -5691,9 +5691,9 @@ "EffectiveTransmissionClass": "0", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LFODownloadConfirmation", "id": "ffffffff-1111-11eb-8b09-069ee8920171", - "name": "LFODownloadConfirmationMacV1", - "event_simpleName": "LFODownloadConfirmation" + "name": "LFODownloadConfirmationMacV1" }, "device": { "id": "ffffffff5e8b4724aa10088c4f71cd9a" @@ -5781,9 +5781,9 @@ "Entitlements": "15", "VnodeModificationType": "6", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "AsepFileChange", "id": "ffffffff-1111-11eb-9e50-064be6e56df7", - "name": "AsepFileChangeMacV1", - "event_simpleName": "AsepFileChange" + "name": "AsepFileChangeMacV1" }, "device": { "id": "fffffffff1a64286a233d09974b1b377" 
@@ -5862,9 +5862,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "TerminateProcess", "id": "ffffffff-1111-11eb-97d0-02b2813216eb", - "name": "TerminateProcessLinV2", - "event_simpleName": "TerminateProcess" + "name": "TerminateProcessLinV2" }, "device": { "id": "ffffffffdd094539a02b394c69a70aaf" @@ -5935,9 +5935,9 @@ "EffectiveTransmissionClass": "2", "Entitlements": "15", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "FirewallEnabled", "id": "ffffffff-1111-11eb-a9e6-067d21325a03", - "name": "FirewallEnabledMacV1", - "event_simpleName": "FirewallEnabled" + "name": "FirewallEnabledMacV1" }, "device": { "id": "ffffffff70cf4070af024397f25007c7" @@ -6007,9 +6007,9 @@ "VolumeMountPoint": "/private/tmp/KSInstallAction.dn6J5Xa1M4/m", "VolumeName": "Install Google Drive", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "FsVolumeUnmounted", "id": "ffffffff-1111-11eb-8fd9-06866dcbd3d5", - "name": "FsVolumeUnmountedMacV1", - "event_simpleName": "FsVolumeUnmounted" + "name": "FsVolumeUnmountedMacV1" }, "device": { "id": "ffffffffed984e248973f3ada1eb543d" @@ -6080,9 +6080,9 @@ "0.0.0.0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NetworkListenIP4", "id": "ffffffff-1111-11eb-88fd-06a17d0fdc05", - "name": "NetworkListenIP4LinV5", - "event_simpleName": "NetworkListenIP4" + "name": "NetworkListenIP4LinV5" }, "destination": { "address": "0.0.0.0", @@ -6169,9 +6169,9 @@ "Entitlements": "15", "SHA256HashData": "35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ELFFileWritten", "id": "ffffffff-1111-11eb-985c-02152dd35bc1", - "name": "ELFFileWrittenMacV1", - "event_simpleName": "ELFFileWritten" + "name": "ELFFileWrittenMacV1" }, "device": { "id": "ffffffff28414c2293e35c360213e723" 
@@ -6265,9 +6265,9 @@ "OSVersionFileName": "/etc/os-release", "RFMState": "1", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "OsVersionInfo", "id": "ffffffff-1111-11eb-93d4-0624c36f3a79", - "name": "OsVersionInfoLinV4", - "event_simpleName": "OsVersionInfo" + "name": "OsVersionInfoLinV4" }, "device": { "id": "ffffffff2d1245c0a32d5efcf9351272" @@ -6336,9 +6336,9 @@ "USN": "89566685", "UnixMode": "384", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "CriticalFileModified", "id": "ffffffff-1111-11eb-9262-0268ab613b49", - "name": "CriticalFileModifiedMacV2", - "event_simpleName": "CriticalFileModified" + "name": "CriticalFileModifiedMacV2" }, "device": { "id": "ffffffff761b4a7d9962dd9e7e776044" @@ -6430,9 +6430,9 @@ "0" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NeighborListIP6", "id": "ffffffff-1111-11eb-ac8a-06b5e1186139", - "name": "NeighborListIP6MacV1", - "event_simpleName": "NeighborListIP6" + "name": "NeighborListIP6MacV1" }, "device": { "id": "ffffffff01c7450180352a7c58a28fb4" @@ -6501,9 +6501,9 @@ "IsOnRemovableDisk": "0", "SHA256HashData": "359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "NewScriptWritten", "id": "ffffffff-1111-11eb-9dc1-029257dbe83b", - "name": "NewScriptWrittenMacV3", - "event_simpleName": "NewScriptWritten" + "name": "NewScriptWrittenMacV3" }, "device": { "id": "ffffffffcebd42c0890d59b54279d3d3" @@ -6598,9 +6598,9 @@ "PhysicalCoreCount": 8, "ProcessorPackageCount": 1, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "SystemCapacity", "id": "ffffffff-1111-11eb-b714-066001392751", - "name": "SystemCapacityMacV1", - "event_simpleName": "SystemCapacity" + "name": "SystemCapacityMacV1" }, "device": { "id": "fffffffff2c7432859ff6bbe1a0bd6af" 
@@ -6670,9 +6670,9 @@ "PciAttachmentState": "65535", "ReasonOfFunctionalityLevel": "3", "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "FirmwareAnalysisStatus", "id": "ffffffff-1111-11eb-ba57-0214a0d89bf7", - "name": "FirmwareAnalysisStatusMacV2", - "event_simpleName": "FirmwareAnalysisStatus" + "name": "FirmwareAnalysisStatusMacV2" }, "device": { "id": "ffffffff0d7b4d839912e55b4755e85b" @@ -6754,9 +6754,9 @@ "OutUcastPkts": "0", "PhysicalAddressLength": 0, "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "LocalIpAddressIP4", "id": "ffffffff-1111-11eb-a272-0294ad12fbe7", - "name": "LocalIpAddressIP4MacV1", - "event_simpleName": "LocalIpAddressIP4" + "name": "LocalIpAddressIP4MacV1" }, "device": { "id": "ffffffff557f4b99a0afdea9ce8cd6fa" @@ -6847,9 +6847,9 @@ "SourceProcessId": "321385814512398584", "SourceThreadId": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-ac87-06decddc17a1", - "name": "ProcessRollup2LinV5", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2LinV5" }, "device": { "id": "ffffffff70d140ca9ba97f0dddd14137" @@ -6988,9 +6988,9 @@ "SuspectStackCount": 0, "SuspiciousDnsRequestCount": 0, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-809e-02fff4e55a49", - "name": "EndOfProcessMacV14", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessMacV14" }, "device": { "id": "ffffffff75fc48f15cfe5f095e605c4c" @@ -7122,9 +7122,9 @@ "UserMemoryProtectExecutableRemoteCount": 0, "UserTime": 6406250, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-8726-063418e4a9e7", - "name": "EndOfProcessV15", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessV15" }, "device": { "id": "ffffffffb5db4b2e7ec89aba537adcc2" 
@@ -7226,9 +7226,9 @@ "SuspectStackCount": 0, "SuspiciousDnsRequestCount": 0, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-bc03-065126dd0691", - "name": "EndOfProcessMacV12", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessMacV12" }, "device": { "id": "ffffffff1aa0482a5ea94f64e08e7b15" @@ -7323,9 +7323,9 @@ "TokenType": "1", "WindowFlags": "384", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-a09e-06f79d630255", - "name": "ProcessRollup2V17", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2V17" }, "device": { "id": "ffffffff3a5a424fa02450da53619745" @@ -7428,9 +7428,9 @@ "Entitlements": "15", "InterfaceIndex": 0, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "DnsRequest", "id": "ffffffff-1111-11eb-8077-0606f7dcf2ed", - "name": "DnsRequestV3", - "event_simpleName": "DnsRequest" + "name": "DnsRequestV3" }, "device": { "id": "ffffffff4f1444bab96568879cb43556" @@ -7512,9 +7512,9 @@ "Entitlements": "15", "UnixMode": "32768", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "CriticalFileAccessed", "id": "ffffffff-1111-11eb-b70d-027f9ced2001", - "name": "CriticalFileAccessedLinV1", - "event_simpleName": "CriticalFileAccessed" + "name": "CriticalFileAccessedLinV1" }, "device": { "id": "ffffffff32ba43a483e76c6f0a4aa26f" @@ -7618,9 +7618,9 @@ "12094627906234" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-bc03-065126dd0691", - "name": "ProcessRollup2MacV3", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2MacV3" }, "device": { "id": "ffffffff1aa0482a5ea94f64e08e7b15" 
@@ -7740,9 +7740,9 @@ "ShareAccess": "1", "Status": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NewScriptWritten", "id": "ffffffff-1111-11eb-80b5-06e11a66e03d", - "name": "NewScriptWrittenV7", - "event_simpleName": "NewScriptWritten" + "name": "NewScriptWrittenV7" }, "device": { "id": "ffffffff8f1e4b77b4dae5debaa1c8bc" @@ -7826,9 +7826,9 @@ "0.0.0.0" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkConnectIP4", "id": "ffffffff-1111-11eb-aca9-02683aed2a0d", - "name": "NetworkConnectIP4MacV5", - "event_simpleName": "NetworkConnectIP4" + "name": "NetworkConnectIP4MacV5" }, "destination": { "address": "0.0.0.0", @@ -7932,9 +7932,9 @@ "67.43.156.14" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkConnectIP4", "id": "ffffffff-1111-11eb-b0eb-06be7616c211", - "name": "NetworkConnectIP4V5", - "event_simpleName": "NetworkConnectIP4" + "name": "NetworkConnectIP4V5" }, "destination": { "address": "67.43.156.14", @@ -8052,9 +8052,9 @@ "UserFlags": "0", "UserLogonFlags": "12", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogon", "id": "ffffffff-1111-11eb-a8cf-0649c95cfa1d", - "name": "UserLogonV8", - "event_simpleName": "UserLogon" + "name": "UserLogonV8" }, "device": { "id": "ffffffff8d2e4b4f9b21b40633a8d579" @@ -8152,9 +8152,9 @@ "SHA256HashData": "d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "PeFileWritten", "id": "ffffffff-1111-11eb-b091-06f6cca0a049", - "name": "PeFileWrittenV14", - "event_simpleName": "PeFileWritten" + "name": "PeFileWrittenV14" }, "device": { "id": "ffffffff2c47454cba360bc404a607bb" 
@@ -8249,9 +8249,9 @@ "UserLogoffType": "3", "UserLogonFlags": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogoff", "id": "ffffffff-1111-11eb-8913-0287fd11c79b", - "name": "UserLogoffV3", - "event_simpleName": "UserLogoff" + "name": "UserLogoffV3" }, "device": { "id": "ffffffffe0104823bd3de859d5bc8bc7" @@ -8345,9 +8345,9 @@ "ShareAccess": "3", "Status": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NewExecutableWritten", "id": "ffffffff-1111-11eb-93cb-067deb43537b", - "name": "NewExecutableWrittenV1", - "event_simpleName": "NewExecutableWritten" + "name": "NewExecutableWrittenV1" }, "device": { "id": "ffffffff425942f58382dbb11350eeda" @@ -8432,9 +8432,9 @@ "127.0.0.1" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkListenIP4", "id": "ffffffff-1111-11eb-8726-063418e4a9e7", - "name": "NetworkListenIP4V5", - "event_simpleName": "NetworkListenIP4" + "name": "NetworkListenIP4V5" }, "destination": { "address": "0.0.0.0", @@ -8528,9 +8528,9 @@ "Status": "3221225581", "SubStatus": "3221225578", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogonFailed2", "id": "ffffffff-1111-11eb-a8aa-067029dffccb", - "name": "UserLogonFailed2V2", - "event_simpleName": "UserLogonFailed2" + "name": "UserLogonFailed2V2" }, "destination": { "address": "67.43.156.14", @@ -8635,9 +8635,9 @@ "MinorFunction": "0", "OperationFlags": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ExecutableDeleted", "id": "ffffffff-1111-11eb-b23b-064dea059649", - "name": "ExecutableDeletedV3", - "event_simpleName": "ExecutableDeleted" + "name": "ExecutableDeletedV3" }, "device": { "id": "ffffffff4a0946365161093453e596d4" 
@@ -8731,9 +8731,9 @@ "SuspectStackCount": 0, "SuspiciousDnsRequestCount": 0, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-ae31-065d76bec0c3", - "name": "EndOfProcessMacV11", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessMacV11" }, "device": { "id": "ffffffffcfe84e8c6a52c4001bd83761" @@ -8811,9 +8811,9 @@ "EffectiveTransmissionClass": "3", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "RegisterRawInputDevicesEtw", "id": "ffffffff-1111-11eb-a570-0685ba2a382f", - "name": "RegisterRawInputDevicesEtwV1", - "event_simpleName": "RegisterRawInputDevicesEtw" + "name": "RegisterRawInputDevicesEtwV1" }, "device": { "id": "ffffffff80984ea8b49d9a53f590c566" @@ -8887,9 +8887,9 @@ "EffectiveTransmissionClass": "0", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "LFODownloadConfirmation", "id": "ffffffff-1111-11eb-8ab5-0643392fc75d", - "name": "LFODownloadConfirmationV1", - "event_simpleName": "LFODownloadConfirmation" + "name": "LFODownloadConfirmationV1" }, "device": { "id": "ffffffffffc94c645268f64fc900213f" @@ -8983,9 +8983,9 @@ "OperationFlags": "0", "TargetFileName": "\\Device\\HarddiskVolume3\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\c2579d00f9849413b8b7948dd00ac863\\Microsoft.WSMan.Management.ni.dll", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NewExecutableRenamed", "id": "ffffffff-1111-11eb-8162-0663305b686f", - "name": "NewExecutableRenamedV6", - "event_simpleName": "NewExecutableRenamed" + "name": "NewExecutableRenamedV6" }, "device": { "id": "ffffffff280b41b956a91e816bd9b9b0" 
@@ -9082,9 +9082,9 @@ "ShareAccess": "3", "Status": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "DirectoryCreate", "id": "ffffffff-1111-11eb-9411-06b7c99be087", - "name": "DirectoryCreateV1", - "event_simpleName": "DirectoryCreate" + "name": "DirectoryCreateV1" }, "device": { "id": "ffffffff2c9f4066b0b5f2f00265503c" @@ -9170,9 +9170,9 @@ "RpcOpNum": "19", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ServiceStarted", "id": "ffffffff-1111-11eb-9c98-02c501fe7d81", - "name": "ServiceStartedV2", - "event_simpleName": "ServiceStarted" + "name": "ServiceStartedV2" }, "device": { "id": "fffffffffcc4413057adc260e99b0774" @@ -9264,9 +9264,9 @@ "0:0:0:0:0:0:0:0" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkConnectIP6", "id": "ffffffff-1111-11eb-81f1-061cdebbd115", - "name": "NetworkConnectIP6MacV5", - "event_simpleName": "NetworkConnectIP6" + "name": "NetworkConnectIP6MacV5" }, "destination": { "address": "0:0:0:0:0:0:0:1", @@ -9363,9 +9363,9 @@ "UserFlags": "32", "UserLogonFlags": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserIdentity", "id": "ffffffff-1111-11eb-86e3-02db1faa1327", - "name": "UserIdentityV2", - "event_simpleName": "UserIdentity" + "name": "UserIdentityV2" }, "device": { "id": "ffffffff73164cfa9656c4caff8a2a38" @@ -9484,9 +9484,9 @@ "TokenType": "2", "WindowFlags": "128", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-b4f9-06e3a7e5503b", - "name": "ProcessRollup2V16", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2V16" }, "device": { "id": "ffffffffbe8a46386afe80c5ef64d0b5" 
@@ -9600,9 +9600,9 @@ "ShareAccess": "5", "Status": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "RansomwareOpenFile", "id": "ffffffff-1111-11eb-9756-06fe7f8f682f", - "name": "RansomwareOpenFileV4", - "event_simpleName": "RansomwareOpenFile" + "name": "RansomwareOpenFileV4" }, "device": { "id": "ffffffffac4148947ed68497e89f3308" @@ -9736,9 +9736,9 @@ "UserMemoryProtectExecutableRemoteCount": 0, "UserTime": 781250, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "EndOfProcess", "id": "ffffffff-1111-11eb-b685-0241eaddc553", - "name": "EndOfProcessV14", - "event_simpleName": "EndOfProcess" + "name": "EndOfProcessV14" }, "device": { "id": "fffffffffdab492a5a20cd0417395a73" @@ -9836,9 +9836,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "OoxmlFileWritten", "id": "ffffffff-1111-11eb-9165-067ee18a7975", - "name": "OoxmlFileWrittenV11", - "event_simpleName": "OoxmlFileWritten" + "name": "OoxmlFileWrittenV11" }, "device": { "id": "fffffffffa474d216472f3edb73c75ed" @@ -9924,9 +9924,9 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkListenIP6", "id": "ffffffff-1111-11eb-85f5-02ab029194b9", - "name": "NetworkListenIP6V5", - "event_simpleName": "NetworkListenIP6" + "name": "NetworkListenIP6V5" }, "destination": { "address": "0:0:0:0:0:0:0:0", @@ -10025,9 +10025,9 @@ "SHA256HashData": "e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d", "VnodeModificationType": "10", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "AsepFileChange", "id": "ffffffff-1111-11eb-b9b4-063e98f9b19b", - "name": "AsepFileChangeMacV2", - "event_simpleName": "AsepFileChange" + "name": "AsepFileChangeMacV2" }, "device": { "id": "ffffffff1f32487185fcde66a9dc0528" 
@@ -10112,9 +10112,9 @@ "Entitlements": "15", "UserLogonFlags": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogonFailed", "id": "ffffffff-1111-11eb-aa5a-0207e26418af", - "name": "UserLogonFailedV1", - "event_simpleName": "UserLogonFailed" + "name": "UserLogonFailedV1" }, "device": { "id": "ffffffffa5bd4efaa195a7132c576edc" @@ -10199,9 +10199,9 @@ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkConnectIP6", "id": "ffffffff-1111-11eb-a889-061944805289", - "name": "NetworkConnectIP6V5", - "event_simpleName": "NetworkConnectIP6" + "name": "NetworkConnectIP6V5" }, "destination": { "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", @@ -10307,9 +10307,9 @@ "SHA256HashData": "fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583", "TargetFileName": "/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NewExecutableRenamed", "id": "ffffffff-1111-11eb-8773-06939a2f0915", - "name": "NewExecutableRenamedMacV1", - "event_simpleName": "NewExecutableRenamed" + "name": "NewExecutableRenamedMacV1" }, "device": { "id": "ffffffffc07b49d6b7426e970523671a" @@ -10402,9 +10402,9 @@ "0:0:0:0:0:0:0:0" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkListenIP6", "id": "ffffffff-1111-11eb-9a50-0669ff09604d", - "name": "NetworkListenIP6MacV5", - "event_simpleName": "NetworkListenIP6" + "name": "NetworkListenIP6MacV5" }, "destination": { "address": "0:0:0:0:0:0:0:0", @@ -10491,9 +10491,9 @@ "Entitlements": "15", "InterfaceIndex": 0, "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "SuspiciousDnsRequest", "id": "ffffffff-1111-11eb-885e-02ac336efd4b", - "name": "SuspiciousDnsRequestV2", - "event_simpleName": "SuspiciousDnsRequest" + "name": "SuspiciousDnsRequestV2" }, "device": { "id": "ffffffff6d724d38af99c628fb904626" 
@@ -10590,9 +10590,9 @@ "VolumeRealDeviceName": "\\Device\\HarddiskVolume4", "VolumeSectorSize": "512", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "FsVolumeMounted", "id": "ffffffff-1111-11eb-9be9-024459b713c5", - "name": "FsVolumeMountedV6", - "event_simpleName": "FsVolumeMounted" + "name": "FsVolumeMountedV6" }, "device": { "id": "ffffffff1990483499a736373600eef7" @@ -10668,9 +10668,9 @@ "127.0.0.1" ], "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "NetworkListenIP4", "id": "ffffffff-1111-11eb-ae74-065212970c5d", - "name": "NetworkListenIP4MacV5", - "event_simpleName": "NetworkListenIP4" + "name": "NetworkListenIP4MacV5" }, "destination": { "address": "0.0.0.0", @@ -10764,9 +10764,9 @@ "TargetThreadId": "22920092479704", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "HostedServiceStarted", "id": "ffffffff-1111-11eb-860c-0606af112d55", - "name": "HostedServiceStartedV2", - "event_simpleName": "HostedServiceStarted" + "name": "HostedServiceStartedV2" }, "device": { "id": "ffffffff59514ea68b4693ddfb9b6643" @@ -10844,9 +10844,9 @@ "Entitlements": "15", "TargetThreadId": "24238019995551", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "HostedServiceStopped", "id": "ffffffff-1111-11eb-9b11-0602a5689467", - "name": "HostedServiceStoppedV1", - "event_simpleName": "HostedServiceStopped" + "name": "HostedServiceStoppedV1" }, "device": { "id": "ffffffff2b5a4bf5afc6682595faa016" @@ -10926,9 +10926,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "PdfFileWritten", "id": "ffffffff-1111-11eb-baea-02dccfbb7779", - "name": "PdfFileWrittenV11", - "event_simpleName": "PdfFileWritten" + "name": "PdfFileWrittenV11" }, "device": { "id": "ffffffff32cb4abc50bc133b31a69946" 
@@ -11028,9 +11028,9 @@ "TokenType": "2", "WindowFlags": "128", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "ProcessRollup2", "id": "ffffffff-1111-11eb-8462-02ade3b2f949", - "name": "ProcessRollup2V18", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2V18" }, "device": { "id": "ffffffff655344736aca58d17fb570f0" @@ -11131,9 +11131,9 @@ "Entitlements": "15", "UserSid": "S-1-5-21-3629339319-2376021926-2724479216-652382488", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserIdentity", "id": "ffffffff-1111-11eb-b9b4-063e98f9b19b", - "name": "UserIdentityMacV2", - "event_simpleName": "UserIdentity" + "name": "UserIdentityMacV2" }, "device": { "id": "ffffffff1f32487185fcde66a9dc0528" @@ -11216,9 +11216,9 @@ "EffectiveTransmissionClass": "0", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "HostInfo", "id": "ffffffff-1111-11eb-9bbd-061290dcd983", - "name": "HostInfoV2", - "event_simpleName": "HostInfo" + "name": "HostInfoV2" }, "device": { "id": "ffffffffcdb543135e7fcdf8e5a8fbdb" @@ -11294,9 +11294,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "GenericFileWritten", "id": "ffffffff-1111-11eb-800a-06cecfd73923", - "name": "GenericFileWrittenV11", - "event_simpleName": "GenericFileWritten" + "name": "GenericFileWrittenV11" }, "device": { "id": "ffffffff16bf4c7bb5ad755a4722025c" @@ -11380,9 +11380,9 @@ "Entitlements": "15", "VolumeName": "\\Device\\HarddiskVolume27", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "FsVolumeUnmounted", "id": "ffffffff-1111-11eb-9f70-0634389d9ea9", - "name": "FsVolumeUnmountedV2", - "event_simpleName": "FsVolumeUnmounted" + "name": "FsVolumeUnmountedV2" }, "device": { "id": "ffffffff896b43725b83c79aa79959da" 
@@ -11453,9 +11453,9 @@ "ContextTimeStamp": "2020-11-08T15:58:18.548Z", "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "FirewallDisabled", "id": "ffffffff-1111-11eb-9d4c-02f402df8c1f", - "name": "FirewallDisabledMacV1", - "event_simpleName": "FirewallDisabled" + "name": "FirewallDisabledMacV1" }, "device": { "id": "ffffffff899541b94b9adff8922aa70a" @@ -11606,9 +11606,9 @@ "UserLogoffType": "3", "UserLogonFlags": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogoff", "id": "ffffffff-1111-11eb-8913-0287fd11c79b", - "name": "UserLogoffV3", - "event_simpleName": "UserLogoff" + "name": "UserLogoffV3" }, "device": { "id": "ffffffffe0104823bd3de859d5bc8bc7" @@ -11711,9 +11711,9 @@ ], "TokenType": "2", "cid": "1301ac65ae144fbb9689a8472f828c2e", + "event_simpleName": "ProcessRollup2", "id": "9686a6b3-1d39-11ed-9370-0660bfa16adf", - "name": "ProcessRollup2V19", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2V19" }, "device": { "id": "50deaa55144543089a1f463b568cdc53" @@ -11820,9 +11820,9 @@ "StartTime": "2022-12-03T18:42:00.000Z", "VolumeName": "\\Device\\HarddiskVolume27", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "FsVolumeUnmounted", "id": "ffffffff-1111-11eb-9f70-0634389d9ea9", - "name": "FsVolumeUnmountedV2", - "event_simpleName": "FsVolumeUnmounted" + "name": "FsVolumeUnmountedV2" }, "device": { "id": "ffffffff896b43725b83c79aa79959da" @@ -11977,9 +11977,9 @@ "StartTime": "2022-12-03T18:42:00.000Z", "VolumeName": "\\Device\\HarddiskVolume27", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "FsVolumeUnmounted", "id": "ffffffff-1111-11eb-9f70-0634389d9ea9", - "name": "FsVolumeUnmountedV2", - "event_simpleName": "FsVolumeUnmounted" + "name": "FsVolumeUnmountedV2" }, "device": { "id": "ffffffff896b43725b83c79aa79959da" 
@@ -12061,9 +12061,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "GenericFileWritten", "id": "ffffffff-1111-11eb-800a-06cecfd73923", - "name": "GenericFileWrittenV11", - "event_simpleName": "GenericFileWritten" + "name": "GenericFileWrittenV11" }, "device": { "id": "ffffffff16bf4c7bb5ad755a4722025c" @@ -12151,7 +12151,6 @@ "PasswordLastSet": "1706789855.733", "UserGroupsBitmask": "0", "UserLogonFlags": "6", - "UserName": "user-1", "cid": "1d1d1d1d1d1d1d1d1", "info": { "host": { @@ -12181,6 +12180,7 @@ "LogonTime": "1715076000.000", "LogonType": "Interactive", "PasswordLastSet": "1706789855.733", + "User": "USER-1-MACBOOK-AIR.LOCAL\\USER-1", "UserIsAdmin": "1", "_time": "1715076916.290", "cid": "1d1d1d1d1d1d1d1d1", @@ -12203,11 +12203,7 @@ "hash": [ "821711964" ], - "hosts": [ - "User-1-MacBook-Air.local" - ], "user": [ - "USER-1-MACBOOK-AIR.LOCAL\\USER-1", "user-1", "user-1@User-1-MacBook-Air.local", "S-1-5-21-1111-11111-387821029-2004" @@ -12217,14 +12213,11 @@ "preserve_original_event" ], "user": { - "domain": [ - "USER-1-MACBOOK-AIR.LOCAL", - "User-1-MacBook-Air.local" - ], + "domain": "User-1-MacBook-Air.local", "email": "user-1@User-1-MacBook-Air.local", "full_name": "user-1", "id": "S-1-5-21-1111-11111-387821029-2004", - "name": "USER-1-MACBOOK-AIR.LOCAL\\USER-1", + "name": "user-1", "roles": [ "admin" ] @@ -12275,9 +12268,9 @@ "EventOrigin": "17", "SmbShareName": "C$", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "SmbServerShareOpenedEtw", "id": "5df90d92-3d9f-44e5-a095-428decb3d3f3", - "name": "SmbServerShareOpenedEtwV1", - "event_simpleName": "SmbServerShareOpenedEtw" + "name": "SmbServerShareOpenedEtwV1" }, "destination": { "address": "0:0:0:0:0:0:0:1", 
@@ -12362,9 +12355,9 @@ "InterfaceIndex": 0, "QueryStatus": "9003", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "DnsRequest", "id": "3d0ef474-fcc3-4f18-9ad6-7130d8ddb407", - "name": "DnsRequestV5", - "event_simpleName": "DnsRequest" + "name": "DnsRequestV5" }, "device": { "id": "31e92a267c044d57b1c1e14109079e89" @@ -12467,9 +12460,9 @@ ], "TokenType": "2", "cid": "1301ac65ae144fbb9689a8472f828c2e", + "event_simpleName": "ProcessRollup2", "id": "9686a6b3-1d39-11ed-9370-0660bfa16adf", - "name": "ProcessRollup2V19", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2V19" }, "device": { "id": "50deaa55144543089a1f463b568cdc53" @@ -12567,7 +12560,7 @@ { "@timestamp": "2025-03-27T17:02:25.000Z", "crowdstrike": { - "AgentTimeOffset": 63878693000.0, + "AgentTimeOffset": 6.3878693E10, "ConfigBuild": "1007.32.20250201.9", "ConfigIDBuild": "20250201", "FirstSeen": "2025-03-20T05:18:57.000Z", @@ -12633,9 +12626,9 @@ "UserLogoffType": "3", "UserLogonFlags": "0", "cid": "ffffffff30a3407dae27d0503611022d", + "event_simpleName": "UserLogoff", "id": "ffffffff-1111-11eb-8913-0287fd11c79b", - "name": "UserLogoffV3", - "event_simpleName": "UserLogoff" + "name": "UserLogoffV3" }, "device": { "id": "ffffffffe0104823bd3de859d5bc8bc7" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json index fe4d00293f6..d874fd1a76f 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-linux.log-expected.json 
@@ -12,9 +12,9 @@ "EnvironmentVariableValue": "a8afe97c911df877fcbc6f0f3e1f509d3a", "EventOrigin": "45", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "CriticalEnvironmentVariableChanged", "id": "8cb2694b8b910f8a123d27da50bb85401acf", - "name": "12b047f65d9ece84f659a6b3826d14342284b30", - "event_simpleName": "CriticalEnvironmentVariableChanged" + "name": "12b047f65d9ece84f659a6b3826d14342284b30" }, "device": { "id": "63c6b6246300091fe99c69eb0e5f2cf6" @@ -92,9 +92,9 @@ "EventOrigin": "1", "UnixMode": "61960", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "CriticalFileAccessed", "id": "01a3b1d4aa10d5329aef78ba9d3ec56f6d97", - "name": "1532ae7e2a105adcc6ddbcf67", - "event_simpleName": "CriticalFileAccessed" + "name": "1532ae7e2a105adcc6ddbcf67" }, "device": { "id": "37b562b807a27cfb58dda71ec9a7eb22" @@ -199,9 +199,9 @@ "SourceThreadId": "0", "SyntheticPR2Flags": "4", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SyntheticProcessRollup2", "id": "fb9bd5f0314e46ce785f479aed8f3032fcd9", - "name": "4f32166a22f49735247598b45006", - "event_simpleName": "SyntheticProcessRollup2" + "name": "4f32166a22f49735247598b45006" }, "device": { "id": "8c687fb6b1e8231200c77ef5e3175d0e" @@ -323,9 +323,9 @@ "Entitlements": "36", "EventOrigin": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "TerminateProcess", "id": "3e71b26395f4386bcb6602ee6777bb5f3124", - "name": "6b1c662a760f5ed9750d4", - "event_simpleName": "TerminateProcess" + "name": "6b1c662a760f5ed9750d4" }, "device": { "id": "12111f24f25a2a99438b40765c236577" @@ -423,9 +423,9 @@ "212205744162400" ], "cid": "ffffffff15754bcfb5f9152ec7ac90ac", + "event_simpleName": "ProcessRollup2", "id": "1w23e4r-d03e-4003-bc75-71c6e819ca5f", - "name": "ProcessRollup2LinV12", - "event_simpleName": "ProcessRollup2" + "name": "ProcessRollup2LinV12" }, "device": { "id": "ffffffff62714a708030d494ca0a7e60" 
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-macos.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-macos.log-expected.json index ac525d5056f..3f32bb58a92 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-macos.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-macos.log-expected.json @@ -13,9 +13,9 @@ "FileCategory": "1", "IsOnRemovableDisk": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "BZip2FileWritten", "id": "902e0c3461e5e975df4227b1ce8919630d6d", - "name": "f1facdb9387bd66ffd9ef", - "event_simpleName": "BZip2FileWritten" + "name": "f1facdb9387bd66ffd9ef" }, "device": { "id": "b616fca617fa5819625542d9505100de" @@ -109,9 +109,9 @@ "USN": "150410415", "UnixMode": "905", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "CriticalFileModified", "id": "46dbd0c61a79bcf29fba222797ace5754589", - "name": "0e25074caaed0b54119466642", - "event_simpleName": "CriticalFileModified" + "name": "0e25074caaed0b54119466642" }, "device": { "id": "38d08ba2d7184565619459d87ca92c8a" @@ -202,9 +202,9 @@ "TreeId": "586900090030000484", "UnixMode": "105", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FileCreateInfo", "id": "2e5060ef833ae51492bb2f2feaa9f0a52725", - "name": "b556b2f8c2fcc9d247c", - "event_simpleName": "FileCreateInfo" + "name": "b556b2f8c2fcc9d247c" }, "device": { "id": "f8e97b22125b280e944b0a3e95273005" @@ -293,9 +293,9 @@ "Entitlements": "16", "EventOrigin": "45", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallDisabled", "id": "da89f6e8e51680edc853caf65110cd0b6997", - "name": "d6b45f4ee5e3f0dc22415", - "event_simpleName": "FirewallDisabled" + "name": "d6b45f4ee5e3f0dc22415" }, "device": { "id": "688342f2ec2adb5c7a9da5d3fec0cf70" 
@@ -366,9 +366,9 @@ "Entitlements": "46", "EventOrigin": "45", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallEnabled", "id": "b6c44348e6ee1e39992118be1c7150fa6a2e", - "name": "07198adb48f191c84a38", - "event_simpleName": "FirewallEnabled" + "name": "07198adb48f191c84a38" }, "device": { "id": "38d08ba2d7184565619459d87ca92c8a" @@ -453,9 +453,9 @@ "NegateRemoteAddress": "0", "RemoteAddressMaskIP4": "7807212067", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallSetRuleIP4", "id": "806ac88ec376c30a3ad5d58a509223d6a681", - "name": "dc265f862d44e408c3e76cd", - "event_simpleName": "FirewallSetRuleIP4" + "name": "dc265f862d44e408c3e76cd" }, "destination": { "address": "216.160.83.56", @@ -583,9 +583,9 @@ "NegateRemoteAddress": "0", "RemoteAddressMaskIP6": "374708fff7719dd5", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallSetRuleIP6", "id": "642c09f791082b5d83a09c110880c78938cf", - "name": "e1d442f5c46bbf234569aea", - "event_simpleName": "FirewallSetRuleIP6" + "name": "e1d442f5c46bbf234569aea" }, "destination": { "address": "2a02:cf40::1", @@ -691,9 +691,9 @@ "Entitlements": "86", "EventOrigin": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "KextLoad", "id": "5f985f71b43f37edc3c06b1c67f8acf263c1", - "name": "3304452f50b3f", - "event_simpleName": "KextLoad" + "name": "3304452f50b3f" }, "device": { "id": "c93c143eed37653b54c326dd22e114b8" @@ -784,9 +784,9 @@ "PhysicalAddressLength": 6, "PrefixLength": "52", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "LocalIpAddressIP4", "id": "f0d3d878ef1a02ab86680075a0eda18b56e9", - "name": "1b1a40a16643c4d9d9ad13", - "event_simpleName": "LocalIpAddressIP4" + "name": "1b1a40a16643c4d9d9ad13" }, "device": { "id": "3bec845649acaaa1eb41d1ad4a804a38" 
@@ -879,9 +879,9 @@ "LocalIpAddressPipelineSource": "6", "NetLuidIndex": 0, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "LocalIpAddressRemovedIP4", "id": "a885c0aff4e59afa62b4cfc45dd233f79546", - "name": "4a33a844314cf727f26cb81df45b9", - "event_simpleName": "LocalIpAddressRemovedIP4" + "name": "4a33a844314cf727f26cb81df45b9" }, "device": { "id": "3bec845649acaaa1eb41d1ad4a804a38" @@ -979,9 +979,9 @@ "MachOSubType": "6", "SHA256HashData": "2b364b472958e7471972b9439aa61e8381a54aa38875d77e0462cc7e91137b63", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "MachOFileWritten", "id": "1a8f053397e4f0d36a740347ced0ee4eaad4", - "name": "1148999d786555f3e786e", - "event_simpleName": "MachOFileWritten" + "name": "1148999d786555f3e786e" }, "device": { "id": "9ea510e4d87c4988253c7355515a7081" @@ -1079,9 +1079,9 @@ "SuppressType": "2", "Timeout": 284, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ProcessRollup2Stats", "id": "9b9091551ef260bfbe2fcbaa991fd216578d", - "name": "53731de338efc268aed79822", - "event_simpleName": "ProcessRollup2Stats" + "name": "53731de338efc268aed79822" }, "device": { "id": "aff97f8b915352339afe79c5a16d76b3" @@ -1178,9 +1178,9 @@ "Entitlements": "96", "EventOrigin": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PtyCreated", "id": "1653ccad055c131c79fb49ce013cfa05fde1", - "name": "a3f9634e8f5cb2a", - "event_simpleName": "PtyCreated" + "name": "a3f9634e8f5cb2a" }, "device": { "id": "506006027" @@ -1288,9 +1288,9 @@ "81.2.69.144" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RawBindIP4", "id": "c842b689fbd78207d195d8c17e3a04a000f6", - "name": "2552bb1c58ae3899", - "event_simpleName": "RawBindIP4" + "name": "2552bb1c58ae3899" }, "destination": { "address": "89.160.20.128", 
@@ -1413,9 +1413,9 @@ "2a02:cf40::1" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RawBindIP6", "id": "2d87ac61a22522847bc2143b50b4aac12858", - "name": "6be29847ad234f89", - "event_simpleName": "RawBindIP6" + "name": "6be29847ad234f89" }, "destination": { "address": "2a02:cf40::1", @@ -1522,9 +1522,9 @@ "ScriptContent": "77bafa9 -0 ae17b9a73 3d0cf8 -6 97d9424ec100a0d40ca98c4d398ddfb297d0063c672821a92e1e260feceb397c 4 ae17b9a73 0cf6 -6 97d9424ec100a0d40ca98c4d398ddfb297d0063c672821a92e1e260feceb397c", "ScriptContentName": "/51a/89", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScriptControlScanInfo", "id": "18d9d6cd7e98ee9ab79dffed0e5f9e3357b0", - "name": "0a1beccbcea40ac2468a3ee78b", - "event_simpleName": "ScriptControlScanInfo" + "name": "0a1beccbcea40ac2468a3ee78b" }, "device": { "id": "c7fe43754f5b6ebfa566ef25e9ac6ecc" @@ -1601,9 +1601,9 @@ "FileCategory": "1", "IsOnRemovableDisk": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "TarFileWritten", "id": "f6d443ab644ffa64617a90936d6da555f0a2", - "name": "e7ebdc66589c6ae4b87", - "event_simpleName": "TarFileWritten" + "name": "e7ebdc66589c6ae4b87" }, "device": { "id": "3e32d11b9db211e438bf9141dbc31d85" @@ -1694,9 +1694,9 @@ "FileCategory": "1", "IsOnRemovableDisk": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "XarFileWritten", "id": "2633213df12f91013279bef1b12ce10d2c67", - "name": "708df495f98345bf516", - "event_simpleName": "XarFileWritten" + "name": "708df495f98345bf516" }, "device": { "id": "b1e14abeaf9680c3f0b9be1f18550235" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json index 803b4019283..e666be22240 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json 
+++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log-expected.json @@ -18,9 +18,9 @@ "RegOperationType": "5", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "AsepKeyUpdate", "id": "6b69e784610ff3e5da99cb6f884fbb59c197", - "name": "d86b419894d5423", - "event_simpleName": "AsepKeyUpdate" + "name": "d86b419894d5423" }, "device": { "id": "061f50de227f377d5a1cbbcda2493711" @@ -113,9 +113,9 @@ "TargetSHA256HashData": "36e5b125bb636648d267e966435b7e650acf78c002f65d07d282e501838a0906", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "AsepValueUpdate", "id": "1165d56b44df464d4a3dd26905c78ac2c7e5", - "name": "8f3c176fdab74b6c9", - "event_simpleName": "AsepValueUpdate" + "name": "8f3c176fdab74b6c9" }, "device": { "id": "f929742c2e4bd22b1829b6206b1dc84b" @@ -216,9 +216,9 @@ "RpcOpNum": "4", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "BITSJobCreated", "id": "eedef0c0fc042e28949c251e42e913cb3fe6", - "name": "11cf958b636de07e", - "event_simpleName": "BITSJobCreated" + "name": "11cf958b636de07e" }, "device": { "id": "082e3fde13bab854ebe72df7d1543cae" @@ -316,9 +316,9 @@ "ThreadStartContext": "0", "UserThread": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "BrowserInjectedThread", "id": "f6f3399ea7912626def5330fbc430ff02ac2", - "name": "126bc261e48aa7159043700", - "event_simpleName": "BrowserInjectedThread" + "name": "126bc261e48aa7159043700" }, "device": { "id": "1b044c25005f7f866e92ee245376c69e" @@ -401,9 +401,9 @@ "LastAdded": "2", "LastDisplayed": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "CommandHistory", "id": "7f67dc98da59af9b207392dd643b6696521d", - "name": "b42a7420dfe70b77", - "event_simpleName": "CommandHistory" + "name": "b42a7420dfe70b77" }, "device": { "id": "985fa1e64b797b6a5e673a83fdc68828" 
@@ -482,9 +482,9 @@ "ServiceAccessPropertiesEtw": "f09108f09a58a2500acb1467b469a2482115dae25b82b71b7551ed70600a57e9", "SubjectDomainNameEtw": "61", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DCSyncAttempted", "id": "027ea26f253aa77e2fcf588772b9d2d6f37c", - "name": "68a40a05895ff9a35", - "event_simpleName": "DCSyncAttempted" + "name": "68a40a05895ff9a35" }, "destination": { "address": "2a02:cf40::2", @@ -587,9 +587,9 @@ "ExclusionType": "1", "PatternId": "607", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DetectionExcluded", "id": "01a0844d7700635d462669bbadb475d7dcf1", - "name": "b7f0eea0ced34df529cc", - "event_simpleName": "DetectionExcluded" + "name": "b7f0eea0ced34df529cc" }, "device": { "id": "016ef640d4add7c7c7e72a5bfc4198c0" @@ -690,9 +690,9 @@ "ShareAccess": "3", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DirectoryCreate", "id": "245b89777adfd68f4020de1758e56c4467f6", - "name": "b44ad77e88405a082", - "event_simpleName": "DirectoryCreate" + "name": "b44ad77e88405a082" }, "device": { "id": "cd2ef6603266196efe9f1ac402a1586a" @@ -781,9 +781,9 @@ "ThreadStartAddress": "947500501770690", "ThreadStartContext": "9177300087920", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DllInjection", "id": "92855d0df8f2251c1dfe0bd7d56a97128a25", - "name": "8b6eec62b5f5f7", - "event_simpleName": "DllInjection" + "name": "8b6eec62b5f5f7" }, "device": { "id": "8fb3daf730de8e73c353f0c4137a51b5" @@ -874,9 +874,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DmpFileWritten", "id": "b44b58becebd48898306ffd6600bf3f42c16", - "name": "bf62ca8a93b1c6730", - "event_simpleName": "DmpFileWritten" + "name": "bf62ca8a93b1c6730" }, "device": { "id": "61f77498beebf89847bcda33f8541689" 
@@ -979,9 +979,9 @@ "QueryStatus": "0", "RespondingDnsServer": "89.160.20.112", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DnsRequest", "id": "77a6567f5ba2f4450eb816e24c5b0258f4b5", - "name": "76e889534419", - "event_simpleName": "DnsRequest" + "name": "76e889534419" }, "device": { "id": "98148f3ab8db6d0cad5ad44fc9f4f5c7" @@ -1075,9 +1075,9 @@ "ThreadStartContext": "60307800056300500065", "UserThread": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DocumentProgramInjectedThread", "id": "14a56745976c34e322ccc9af234e692acf35", - "name": "107f10bd7e2cf68ce87171d8f974b76", - "event_simpleName": "DocumentProgramInjectedThread" + "name": "107f10bd7e2cf68ce87171d8f974b76" }, "device": { "id": "73204dfc79175de6cc76f2ae7674dc76" @@ -1164,9 +1164,9 @@ "ImageTimeStamp": "7506201701", "OriginalFilename": "c11d9e9772e", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DriverLoad", "id": "8f8e5d48a0828ec900552833b592f6bf3137", - "name": "971d60ec4961", - "event_simpleName": "DriverLoad" + "name": "971d60ec4961" }, "device": { "id": "eb87d6ed52531c4d56701eb0f3bdef5d" @@ -1269,9 +1269,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "DwgFileWritten", "id": "1a93966150b37eeb4506fb5d576569366fbe", - "name": "73a9d655524e1b4a5", - "event_simpleName": "DwgFileWritten" + "name": "73a9d655524e1b4a5" }, "device": { "id": "8a519558e0f7e42814948bf046b8e5c8" @@ -1371,9 +1371,9 @@ "SHA256HashData": "f2d9a06bd0492ecb6f4a35bede5270e5171bc007ed72f3ec451b3de842639423", "UserTime": 0, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "EndOfProcess", "id": "f3b8bd9b2757d9904f845a44ff61827fa755", - "name": "e8d15f653d9c08b", - "event_simpleName": "EndOfProcess" + "name": "e8d15f653d9c08b" }, "device": { "id": "3b473364ed16d25221bdb0b435aac52a" 
@@ -1470,9 +1470,9 @@ "MinorFunction": "0", "OperationFlags": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ExecutableDeleted", "id": "b43f550a47cfaab7904ddcd4c778b2d7d2e1", - "name": "a1721c8914da805eb47", - "event_simpleName": "ExecutableDeleted" + "name": "a1721c8914da805eb47" }, "device": { "id": "39074f37291ca6f2d189c1e110e04dfc" @@ -1557,9 +1557,9 @@ "EventOrigin": "3", "TreeId": "400800208204", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FileDeleteInfo", "id": "f17c8a57d6ffa5f985caf45f729cb254772a", - "name": "e1326813e53e44b4", - "event_simpleName": "FileDeleteInfo" + "name": "e1326813e53e44b4" }, "device": { "id": "e1a82faad25f1bc57da5f8b7457d9014" @@ -1646,9 +1646,9 @@ "Status": "0", "TreeId": "250760900008", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FileOpenInfo", "id": "46a19a602437699cf4aefb060e91441ba891", - "name": "c4a834c02a00fb", - "event_simpleName": "FileOpenInfo" + "name": "c4a834c02a00fb" }, "device": { "id": "ea08505420aa828a0a52a6eed3c8a196" @@ -1733,9 +1733,9 @@ "TargetFileName": "\\6ba0bd\\539d13bb\\303abfe3\\64211dc1\\4feae\\754cfa0e.TMP", "TreeId": "407060334007", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FileRenameInfo", "id": "2d662aa35187373d94203d08fc2e4e7115c6", - "name": "f4407c8e4882cbdd", - "event_simpleName": "FileRenameInfo" + "name": "f4407c8e4882cbdd" }, "device": { "id": "ca48acb776296fd7a6e35ee8c4bbde6d" @@ -1830,9 +1830,9 @@ "TemplateDisposition": "40", "TemplateInstanceId": "57521", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FileSystemOperationDetectInfo", "id": "ad8c2e5d31cff1e8cdc3892a874ba4927d1a", - "name": "b22ddf4c03b1a8b30f84e33786dd87b", - "event_simpleName": "FileSystemOperationDetectInfo" + "name": "b22ddf4c03b1a8b30f84e33786dd87b" }, "device": { "id": "ca2eedaa43a7333759deb5a0191c5313" 
@@ -1923,9 +1923,9 @@ "FirewallOptionNumericValue": "1", "FirewallProfile": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallChangeOption", "id": "ee4fea12623693e1e2aaf450974ca9068925", - "name": "bd2f52430b3a6e28fa81dc", - "event_simpleName": "FirewallChangeOption" + "name": "bd2f52430b3a6e28fa81dc" }, "device": { "id": "ee24e7d1ac6add25f7a7969844ad0df3" @@ -2000,9 +2000,9 @@ "EventOrigin": "45", "FirewallRuleId": "{e3b0c442-e3b0-e3b0-e3b0-e3b0c44298fc}", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallDeleteRule", "id": "4ee907bd437184018039dbce46b3b7fb9586", - "name": "73c6cc568a65a7c085e0", - "event_simpleName": "FirewallDeleteRule" + "name": "73c6cc568a65a7c085e0" }, "device": { "id": "ee24e7d1ac6add25f7a7969844ad0df3" @@ -2077,9 +2077,9 @@ "FirewallRule": "fb.26|Action=Allow|Active=TRUE|Dir=In|App=C:\\8027a4f5\\97cf27ba\\bc713e9c\\685ac68f.exe|Name=LaunchPortal|Desc=SOM|", "FirewallRuleId": "{e3b0c442-e3b0-e3b0-e3b0-e3b0c44298fc}", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FirewallSetRule", "id": "b03302898ff47ac683fe0c4e7679c48615d2", - "name": "e6fc8b7f15db47d1f", - "event_simpleName": "FirewallSetRule" + "name": "e6fc8b7f15db47d1f" }, "device": { "id": "ee24e7d1ac6add25f7a7969844ad0df3" @@ -2169,9 +2169,9 @@ "SourceEventUniqueId": "903600070008873043", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "FsPostOpenSnapshotFile", "id": "92f7671f25cc7e1d6c1c2c3958b4a65c9c49", - "name": "c7a00dc61cb10ab411c95598", - "event_simpleName": "FsPostOpenSnapshotFile" + "name": "c7a00dc61cb10ab411c95598" }, "device": { "id": "d3a1c99f621d3d6474555746950ce9b6" 
@@ -2262,9 +2262,9 @@ "TargetThreadId": "482081070860200", "TokenType": "2", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "HostedServiceStarted", "id": "c7017a5199f1e88eb4a44227da2d1a7c8b0d", - "name": "10e85fd7df0a53c38814f5", - "event_simpleName": "HostedServiceStarted" + "name": "10e85fd7df0a53c38814f5" }, "device": { "id": "22924ad875ce834067bd29857dc11a92" @@ -2346,9 +2346,9 @@ "EventOrigin": "1", "TargetThreadId": "51930000290120", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "HostedServiceStopped", "id": "db2dfa574e4ca1c775249f4fae390c93c57f", - "name": "c503d72ad653c0dc87f730", - "event_simpleName": "HostedServiceStopped" + "name": "c503d72ad653c0dc87f730" }, "device": { "id": "0400bce96c16b71f27978572adb3d4fd" @@ -2429,9 +2429,9 @@ "PatternId": "28450", "TemplateInstanceId": "5008", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "HttpRequestDetect", "id": "5c80fd2a838414022b2f083219c6395b3c6a", - "name": "8d879a136063d7587c6", - "event_simpleName": "HttpRequestDetect" + "name": "8d879a136063d7587c6" }, "device": { "id": "561ee5011fb41796a5d3d22ecc19d681" @@ -2527,9 +2527,9 @@ "PrimaryModule": "1", "SignInfoFlags": "1754009", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ImageHash", "id": "f5638ae317f9e090033436354c7cf5d36549", - "name": "dccbe56e7b3", - "event_simpleName": "ImageHash" + "name": "dccbe56e7b3" }, "device": { "id": "64cded9cf5ef1c609147019ee3184217" @@ -2627,9 +2627,9 @@ "ThreadStartContext": "5177300087920", "UserThread": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "InjectedThread", "id": "5677e0f1c2f59a879c8c966e3f2583d1b374", - "name": "367b7572c21bead4", - "event_simpleName": "InjectedThread" + "name": "367b7572c21bead4" }, "device": { "id": "8fb3daf730de8e73c353f0c4137a51b5" 
@@ -2721,9 +2721,9 @@ "SHA256HashData": "c2b46dde427de7e0b28c82cdeedc919d8a60e3c8fdcb1565b03b26d576b7f503", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "JarFileWritten", "id": "162ec74e6e37e7616a81feca0a38cbc4e060", - "name": "45bc1cac0e68ad976", - "event_simpleName": "JarFileWritten" + "name": "45bc1cac0e68ad976" }, "device": { "id": "e8709208d980534971098b9a6fb8cf05" @@ -2834,9 +2834,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "JavaClassFileWritten", "id": "f1d9633f3c4c1752450748ee02e070b772d4", - "name": "f5ccfb1a5e748e3a1361b9", - "event_simpleName": "JavaClassFileWritten" + "name": "f5ccfb1a5e748e3a1361b9" }, "device": { "id": "2a5a4e5c2a642c985c06f8a712f54c03" @@ -2937,9 +2937,9 @@ "ThreadStartContext": "7031100880000", "UserThread": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "JavaInjectedThread", "id": "5c016fbc5910db79ac911556c19d9efb88c6", - "name": "cad7121649b58818d895", - "event_simpleName": "JavaInjectedThread" + "name": "cad7121649b58818d895" }, "device": { "id": "2278e50b41a263c2d8421b5135a380a7" @@ -3088,9 +3088,9 @@ "TunnelType": "0", "ValidLifetime": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "LocalIpAddressIP6", "id": "b1ba5664a59d4ed815268b354ba0a8ca20f4", - "name": "a01d5ce18dcbf077bc4", - "event_simpleName": "LocalIpAddressIP6" + "name": "a01d5ce18dcbf077bc4" }, "device": { "id": "8b33228d110f333bb96bb91288f6d8ad" @@ -3180,9 +3180,9 @@ "LocalIpAddressPipelineSource": "6", "NetLuidIndex": 0, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "LocalIpAddressRemovedIP6", "id": "46389a39e57e9b858db2074d5f94ec7a526d", - "name": "872932933dab2f183b4ce071bd", - "event_simpleName": "LocalIpAddressRemovedIP6" + "name": "872932933dab2f183b4ce071bd" }, "device": { "id": "8b33228d110f333bb96bb91288f6d8ad" 
@@ -3276,9 +3276,9 @@ "SignInfoFlags": "932000", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "LsassHandleFromUnsignedModule", "id": "6fa27f66ec6a05ff162d3ee4962108a1518e", - "name": "a94954f7ef7b687d2b265ac33c34fe0", - "event_simpleName": "LsassHandleFromUnsignedModule" + "name": "a94954f7ef7b687d2b265ac33c34fe0" }, "device": { "id": "84bd7271911c13b227952666802a3e71" @@ -3364,9 +3364,9 @@ "ServiceStart": "3", "ServiceType": "840", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ModifyServiceBinary", "id": "f65e6994cc640f2778a1b7af2c40ba921473", - "name": "381f30fed8ec4c276ba29", - "event_simpleName": "ModifyServiceBinary" + "name": "381f30fed8ec4c276ba29" }, "device": { "id": "c82cce517ab3200fde3ca362e648c993" @@ -3452,9 +3452,9 @@ "ShareSecurity": "1c31d/825bda18", "ShareSecuritySddl": "1c31d/aeb465b9", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetShareSecurityModify", "id": "c805aeef64230eaf7cd53c8a881aa4e8405a", - "name": "e6b491ccab8fa73b85131f75", - "event_simpleName": "NetShareSecurityModify" + "name": "e6b491ccab8fa73b85131f75" }, "device": { "id": "3daf1fabea580837c4adcda08036d084" @@ -3543,9 +3543,9 @@ ], "RemoteAddressString": "3b0cf5a207bde73b", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkConnectIP4", "id": "0fc45c7ed982785c2b6da8717ddcefdcd273", - "name": "13f26050a8e2372ba812", - "event_simpleName": "NetworkConnectIP4" + "name": "13f26050a8e2372ba812" }, "destination": { "address": "89.160.20.128", @@ -3675,9 +3675,9 @@ ], "RemoteAddressString": "2a02:cf40::1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkConnectIP6", "id": "473484e6b33fdbe4e7274bc98a2365ad9e88", - "name": "f35a9bcaa84e44df3194", - "event_simpleName": "NetworkConnectIP6" + "name": "f35a9bcaa84e44df3194" }, "destination": { "address": "2a02:cf40::1", 
@@ -3793,9 +3793,9 @@ "89.160.20.128" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkListenIP4", "id": "414d7d4c948639bd127ede963b8cd7f205d5", - "name": "3e63bd7ad348fcf149d", - "event_simpleName": "NetworkListenIP4" + "name": "3e63bd7ad348fcf149d" }, "destination": { "address": "216.160.83.56", @@ -3926,9 +3926,9 @@ "2a02:cf40::1" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkListenIP6", "id": "6571a795f2d49a994f8fc3840f9780f9a9d8", - "name": "32e9d89e356847ad161", - "event_simpleName": "NetworkListenIP6" + "name": "32e9d89e356847ad161" }, "destination": { "address": "2a02:cf40::2", @@ -4045,9 +4045,9 @@ "216.160.83.56" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkReceiveAcceptIP4", "id": "6944305135f71ae54b685de925bc80d24162", - "name": "4ccf568bd7cda1587d77b69c3f", - "event_simpleName": "NetworkReceiveAcceptIP4" + "name": "4ccf568bd7cda1587d77b69c3f" }, "destination": { "address": "216.160.83.56", @@ -4180,9 +4180,9 @@ "2a02:cf40::1" ], "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NetworkReceiveAcceptIP6", "id": "2de192320bb03a0e9990059a2895376d0213", - "name": "0f701c259d2d9d9e15dbcf1339", - "event_simpleName": "NetworkReceiveAcceptIP6" + "name": "0f701c259d2d9d9e15dbcf1339" }, "destination": { "address": "2a02:cf40::1", @@ -4300,9 +4300,9 @@ "OperationFlags": "0", "TargetFileName": "\\6ba0bd\\447b992c\\d598026\\dc9ec376\\a715181\\b169fe25\\40a20853\\b19eb57e.exe\\b62491c6\\6ffbd0fe.exe", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NewExecutableRenamed", "id": "3576a8f1eee99ef99a90b644fac69ef96052", - "name": "b64d07a4710e4a075cd1f1", - "event_simpleName": "NewExecutableRenamed" + "name": "b64d07a4710e4a075cd1f1" }, "device": { "id": "39074f37291ca6f2d189c1e110e04dfc" 
@@ -4406,9 +4406,9 @@ "ShareAccess": "3", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NewExecutableWritten", "id": "159069fcc959600bb67b1d499fbba75e246f", - "name": "df0d670fd6fc4521a6c960", - "event_simpleName": "NewExecutableWritten" + "name": "df0d670fd6fc4521a6c960" }, "device": { "id": "e4a077554af537da06f56e39976d4420" @@ -4508,9 +4508,9 @@ "ShareAccess": "1", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "NewScriptWritten", "id": "182d52dbecaca7970cb63c42addda760f512", - "name": "af0673bdd782d244e9c", - "event_simpleName": "NewScriptWritten" + "name": "af0673bdd782d244e9c" }, "device": { "id": "d6c18cb814c9100d81bedd3b4290407f" @@ -4610,9 +4610,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "OleFileWritten", "id": "50b4564705009d4d899b257c4f60806debaf", - "name": "52f49e17cbb3258ec", - "event_simpleName": "OleFileWritten" + "name": "52f49e17cbb3258ec" }, "device": { "id": "e4a077554af537da06f56e39976d4420" @@ -4721,9 +4721,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "OoxmlFileWritten", "id": "fa7433e86a344c7c471c159189a5d9e46b61", - "name": "7233ba49d5aea975e9d", - "event_simpleName": "OoxmlFileWritten" + "name": "7233ba49d5aea975e9d" }, "device": { "id": "4274e60578e437f258cd288fc421c898" @@ -4817,9 +4817,9 @@ "FileSubType": "1", "SHA256HashData": "73954d484337197445100e89a7fac5e25964f5f3da4024f8c7d07dd840d4f4e1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PackedExecutableWritten", "id": "46fbd2ea624c1d37a02f228b5e07a641ba5d", - "name": "e1363774d0bedd151e540a3f0", - "event_simpleName": "PackedExecutableWritten" + "name": "e1363774d0bedd151e540a3f0" }, "device": { "id": "827afde25ba0eeda5d204a68ff612048" 
@@ -4917,9 +4917,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PdfFileWritten", "id": "e3b7d2a5cd6687e005e8d8440762de1a5cba", - "name": "0ae43bcd866d0651b", - "event_simpleName": "PdfFileWritten" + "name": "0ae43bcd866d0651b" }, "device": { "id": "972c7871709024649af8a061337fe15f" @@ -5035,9 +5035,9 @@ "SHA256HashData": "897ccaabed714b068888234743972924e15aee167c3cbc68f3c64a10751e73f0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PeFileWritten", "id": "d5f767539bfcb8d8aede98bf95736a049e78", - "name": "5f323af958b5a344", - "event_simpleName": "PeFileWritten" + "name": "5f323af958b5a344" }, "device": { "id": "e8709208d980534971098b9a6fb8cf05" @@ -5142,9 +5142,9 @@ "SHA256HashData": "ac64229aee8b0f73735a2170025a9b3e58dc0f6ea348b80405e8e0f43a137a78", "VersionInfo": "67a713f637126c54cd13f593d789edab1bc1ef0908babbc9d9ee992e1cfb9937", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PeVersionInfo", "id": "51fdaf250bbe8ba7a3d2f76e5160dbcf2719", - "name": "510aa45e1032311", - "event_simpleName": "PeVersionInfo" + "name": "510aa45e1032311" }, "device": { "id": "f5f8341524ed1dd257646890be631aee" @@ -5233,9 +5233,9 @@ "SignInfoFlags": "932000", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PrivilegedProcessHandleFromUnsignedModule", "id": "9c458f0ddfe1293cd356445b2c473d0a0ef4", - "name": "891d960d630f07080d2bbd00503c6ca04d9007b20af", - "event_simpleName": "PrivilegedProcessHandleFromUnsignedModule" + "name": "891d960d630f07080d2bbd00503c6ca04d9007b20af" }, "device": { "id": "6b6c287c6e8ce2041ce47a740e621689" 
@@ -5318,9 +5318,9 @@ "FileSubType": "4", "SHA256HashData": "d35fbba9f5b92147dbbdaffc79120d2a372b34ec964cfba4e5eaf6d9aed27c3d", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ProcessExecOnPackedExecutable", "id": "17ef479f49727073c1afd6d8d3ede95a561e", - "name": "deb18e9d761c09c713b0634dc553304", - "event_simpleName": "ProcessExecOnPackedExecutable" + "name": "deb18e9d761c09c713b0634dc553304" }, "device": { "id": "2aff58e38d0a0bf09e91cfee7bcb819e" @@ -5400,9 +5400,9 @@ "EventOrigin": "1", "PatternId": "459", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ProcessExecOnSMBFile", "id": "0b8735c9a332451c9040cce79b716849ed11", - "name": "8f744680ad930347c854bf", - "event_simpleName": "ProcessExecOnSMBFile" + "name": "8f744680ad930347c854bf" }, "destination": { "address": "81.2.69.144", @@ -5529,9 +5529,9 @@ "TokenType": "1", "WindowFlags": "274", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ProcessRollup2", "id": "36f0bb29be278fc8322806730ffa12e53207", - "name": "f9ba95e9061aae4be", - "event_simpleName": "ProcessRollup2" + "name": "f9ba95e9061aae4be" }, "device": { "id": "40b756af7c1d76ef66cb380d94090915" @@ -5648,9 +5648,9 @@ "SHA256HashData": "0c0316087f441fce70d1cf8e6c086571503bb8b6043f9e864f6bee0a2e873a87", "SourceProcessId": "8020239020790", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ProcessSelfDeleted", "id": "37ea1966fb73e596eaceeeda74969e0cf6fe", - "name": "1a4daccccece9ef5ba96", - "event_simpleName": "ProcessSelfDeleted" + "name": "1a4daccccece9ef5ba96" }, "device": { "id": "4a13114d95ed726004929f3de3863e97" 
@@ -5738,9 +5738,9 @@ ], "TargetFileName": "\\6ba0bd\\76648b42\\d598026\\c7bac469.NET\\c70281ee\\aca7.30319\\4820dd5a.sql", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RansomwareFileAccessPattern", "id": "791f3434f4eb1f2494635bfa6c51a2855d12", - "name": "678e528c681bbe14db4667945d920", - "event_simpleName": "RansomwareFileAccessPattern" + "name": "678e528c681bbe14db4667945d920" }, "device": { "id": "ce205ce972e1ec0b34c552d96f46397a" @@ -5844,9 +5844,9 @@ "ShareAccess": "7", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RansomwareOpenFile", "id": "13e038874f0490733a5191031434b8657382", - "name": "4c8f7117e5d227bf9ddc", - "event_simpleName": "RansomwareOpenFile" + "name": "4c8f7117e5d227bf9ddc" }, "device": { "id": "ea08505420aa828a0a52a6eed3c8a196" @@ -5940,9 +5940,9 @@ "RegValueName": "ee0bc2006c367f53b607da1122e", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RegGenericValueUpdate", "id": "2e723341d059eefec4c8ff3c9062764c68e3", - "name": "0e92d5a77de501c1f1c9064", - "event_simpleName": "RegGenericValueUpdate" + "name": "0e92d5a77de501c1f1c9064" }, "device": { "id": "52cf03e6cbd930e0081ab561b4366e03" @@ -6037,9 +6037,9 @@ "TemplateDisposition": "40", "TemplateInstanceId": "10229", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RegistryOperationDetectInfo", "id": "46ae86d862c2856f051da60792378c9a659e", - "name": "ac9954e67836781b8f5b89ec31d8d", - "event_simpleName": "RegistryOperationDetectInfo" + "name": "ac9954e67836781b8f5b89ec31d8d" }, "device": { "id": "8b6270fbf7dd1d35cb564438ccd92475" 
@@ -6134,9 +6134,9 @@ "RegValueName": "{e3b0c442-e3b0-e3b0-e3b0-e3b0c44298fc}", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RegSystemConfigValueUpdate", "id": "8f2302b7d2a07c5d5568941494e0368e0144", - "name": "24ba14f1e5840e900e581616a2fe", - "event_simpleName": "RegSystemConfigValueUpdate" + "name": "24ba14f1e5840e900e581616a2fe" }, "device": { "id": "be027d4cbada339f804f9c19f5a2d5a6" @@ -6227,9 +6227,9 @@ "PatternId": "200", "TotalCount": 4051, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RemoteBruteForceDetectInfo", "id": "2e41e2c0447e07249a69dbdc70a72aec40d4", - "name": "35b635ba0a924203f13f0a9f8f7d", - "event_simpleName": "RemoteBruteForceDetectInfo" + "name": "35b635ba0a924203f13f0a9f8f7d" }, "device": { "id": "a72936ae0acff156c05af8238b6a10eb" @@ -6324,9 +6324,9 @@ "VolumeSectorSize": "940", "VolumeSessionUUID": "c8838ad8-1da8-43ae-8c85-3c2309eab164", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RemovableMediaVolumeMounted", "id": "5762ba1aab05fd80cadfb13f146bc3ce868c", - "name": "b47570143699a945cde3e5764a9843", - "event_simpleName": "RemovableMediaVolumeMounted" + "name": "b47570143699a945cde3e5764a9843" }, "device": { "id": "6d58dee7855f7a94dc887ec52805de46" @@ -6422,9 +6422,9 @@ "OperationFlags": "0", "TokenType": "2", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RtfFileWritten", "id": "a6c319e36889013fd1a9cb1e28db73a2d47b", - "name": "e5968210c929a23b0", - "event_simpleName": "RtfFileWritten" + "name": "e5968210c929a23b0" }, "device": { "id": "827afde25ba0eeda5d204a68ff612048" 
@@ -6531,9 +6531,9 @@ "SignInfoFlags": "107067", "Status": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SAMHashDumpFromUnsignedModule", "id": "4cd0f3ad236f3d16670462b9d7b5bb5c129a", - "name": "cece108ee2dfd89f1ac8e4648ab61ed", - "event_simpleName": "SAMHashDumpFromUnsignedModule" + "name": "cece108ee2dfd89f1ac8e4648ab61ed" }, "device": { "id": "1085124e43b788dc1142faa8282f3160" @@ -6623,9 +6623,9 @@ "TaskName": "bd3d6bea\\9af0ff\\29eab3a3", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScheduledTaskDeleted", "id": "6df4383ea32ec03f3e4d828c8771350c6861", - "name": "4996adce55e68cf01c05c7", - "event_simpleName": "ScheduledTaskDeleted" + "name": "4996adce55e68cf01c05c7" }, "device": { "id": "4b4df0f0e24c600fcc98e7444c1af658" @@ -6717,9 +6717,9 @@ "TaskXml": "4a199d96.com/windows/2004/02/mit/task\">\r\n \r\n FSSB0930$\r\n \\c7bac469\\d598026\\1f6f4b17\\7e6a0826", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScheduledTaskModified", "id": "43b952c0225cd04c3a42b9e4b7264eecca9d", - "name": "569b2099134ca0f589a09d0", - "event_simpleName": "ScheduledTaskModified" + "name": "569b2099134ca0f589a09d0" }, "device": { "id": "096a526846b73e64ffebbc72ded8f018" @@ -6811,9 +6811,9 @@ "TaskXml": "3398d363\\c7bac469\\9e380d\\96aef033\\9134161b\\42955da6\\3c5c8318\\27b5ee41\\deaf1acb.exe\r\n /checkin\r\n \r\n \r\n", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScheduledTaskRegistered", "id": "c7674af79959a3dacc5f7ca39360a5e76431", - "name": "2a8048a7af2ffa0cde48ccc43", - "event_simpleName": "ScheduledTaskRegistered" + "name": "2a8048a7af2ffa0cde48ccc43" }, "device": { "id": "4b4df0f0e24c600fcc98e7444c1af658" 
@@ -6896,9 +6896,9 @@ "RawThreadId": "9080", "ScreenshotType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScreenshotTakenEtw", "id": "3e6d517e7aca78f0cf93da20fe86adf5f9ab", - "name": "a476a54b92f13dc913cf", - "event_simpleName": "ScreenshotTakenEtw" + "name": "a476a54b92f13dc913cf" }, "device": { "id": "24840a73a08a136ac2e3a204a6371f8f" @@ -6990,9 +6990,9 @@ "Parameter64_3": "0", "ScriptControlErrorCode": "3", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScriptControlErrorEvent", "id": "7e63b76986f72b1aa2e6038707b440ac2bd2", - "name": "345e60fd50e3d887337d0b2b9", - "event_simpleName": "ScriptControlErrorEvent" + "name": "345e60fd50e3d887337d0b2b9" }, "device": { "id": "5646c890ca4b0ac33c1cfa27264240b6" @@ -7079,9 +7079,9 @@ "ScriptContentName": "\\e2\\82\\6b0cc\\9d0fa317\\0f51ad6\\8c31e\\d62f\\d41e7ee1\\6d70c65f.vbs", "ScriptingLanguageId": "4", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ScriptControlScanTelemetry", "id": "42432e4ab526161b012bf9090bfa8e7f7c50", - "name": "da8c933b9d11428ed052d2d5eb4c", - "event_simpleName": "ScriptControlScanTelemetry" + "name": "da8c933b9d11428ed052d2d5eb4c" }, "device": { "id": "ec58958430d6e12f5dfa327cad790e06" @@ -7172,9 +7172,9 @@ "WmiNamespaceName": "4813\\155e1", "WmiQuery": "8d8f8ea22b6bfbe801ecaaba1425c6a9d7", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SensitiveWmiQuery", "id": "272b6e237d25b3c937239259405719619f9c", - "name": "887f1bbf3206d18c959", - "event_simpleName": "SensitiveWmiQuery" + "name": "887f1bbf3206d18c959" }, "device": { "id": "cfe278fcd1e293c7afdf3f1753b2d89e" @@ -7263,9 +7263,9 @@ "RpcOpNum": "94", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ServiceStarted", "id": "8b25e606b146b0ecb0d734dc9eedcd5ef49f", - "name": "e9599fcf8f9c5676", - "event_simpleName": "ServiceStarted" + "name": "e9599fcf8f9c5676" }, "device": { "id": "8fb3daf730de8e73c353f0c4137a51b5" 
@@ -7371,9 +7371,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SevenZipFileWritten", "id": "1c2cb8d06c607d68fcb2877b0e000a683739", - "name": "d4fd2d5cb305a8abdd140a", - "event_simpleName": "SevenZipFileWritten" + "name": "d4fd2d5cb305a8abdd140a" }, "device": { "id": "61cace3ec102dbde6e5eb08963b52e9c" @@ -7466,9 +7466,9 @@ "EventOrigin": "45", "SmbShareName": "967ec0f7", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SmbClientShareClosedEtw", "id": "56cb5eb3321a430b24ba0bebef0335c0abf6", - "name": "0e883005214e1c97be512a900", - "event_simpleName": "SmbClientShareClosedEtw" + "name": "0e883005214e1c97be512a900" }, "device": { "id": "f7e49d5e0a65ac9907089989782717df" @@ -7542,9 +7542,9 @@ "EventOrigin": "45", "SmbShareName": "a4d268", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SmbClientShareOpenedEtw", "id": "be306cd8d3b6946b7798e88271cbf77dee2b", - "name": "d226521607b20089974fab726", - "event_simpleName": "SmbClientShareOpenedEtw" + "name": "d226521607b20089974fab726" }, "device": { "id": "e7e98921e91425b34501d7e91f6906b7" @@ -7617,9 +7617,9 @@ "EventOrigin": "45", "SmbShareName": "d1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SmbServerShareOpenedEtw", "id": "73dd5ae007d4fa5b059b77f3a112dd87b35f", - "name": "e1b2ed2cbfccda3de1aa6adee", - "event_simpleName": "SmbServerShareOpenedEtw" + "name": "e1b2ed2cbfccda3de1aa6adee" }, "destination": { "address": "2a02:cf40::1", @@ -7710,9 +7710,9 @@ "EventOrigin": "45", "SmbClientName": "43194ec065b", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SmbServerV1AuditEtw", "id": "295a131e9dc1f5ef17daa6595049d55e40cf", - "name": "ba4a423304abd0ff28e43", - "event_simpleName": "SmbServerV1AuditEtw" + "name": "ba4a423304abd0ff28e43" }, "device": { "id": "c3ecc304b2ebc8216508373e45b2b7c6" 
@@ -7795,9 +7795,9 @@ "VolumeSnapshotName": "\\6ba0bd\\447b992c", "VolumeSnapshotTimeStamp": "1748508106.387", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SnapshotVolumeMounted", "id": "42736e4684d2a23274632e48769919984ae5", - "name": "2ab84c7f9e501a2854c7e357", - "event_simpleName": "SnapshotVolumeMounted" + "name": "2ab84c7f9e501a2854c7e357" }, "device": { "id": "7bf30749173dbd091654e80c365263d2" @@ -7876,9 +7876,9 @@ "SymbolicLinkName": "\\ae81c232\\6b8a", "SymbolicLinkTarget": "\\f92fc8\\85d8d803\\f6dcb\\73d\\e8f27fd4", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SuspiciousCreateSymbolicLink", "id": "c5355e5f32b043d778a5628a9817ed603fe9", - "name": "6a8d935023cdc21ff9cca3537d2780", - "event_simpleName": "SuspiciousCreateSymbolicLink" + "name": "6a8d935023cdc21ff9cca3537d2780" }, "device": { "id": "c82cce517ab3200fde3ca362e648c993" @@ -7961,9 +7961,9 @@ "EventOrigin": "1", "InterfaceIndex": 0, "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SuspiciousDnsRequest", "id": "8d4c70642deafa7c185dae1766913cc2b684", - "name": "cecd6d00633889a0e5140e", - "event_simpleName": "SuspiciousDnsRequest" + "name": "cecd6d00633889a0e5140e" }, "device": { "id": "e0391be8776b91e27451ffc78839341a" @@ -8062,9 +8062,9 @@ "TargetCommandLineParameters": "8 829462947afcd60b102 5385ab5330ba103afe7", "TargetSHA256HashData": "61f2a019c0fa12f061b4fed2c5d10a4a7165db190bbaf218fc58560b7d926462", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "SuspiciousRegAsepUpdate", "id": "6a3e0c317c79a163daff6f7ff43b0f8b638f", - "name": "d6768a557290bddc8f464a531", - "event_simpleName": "SuspiciousRegAsepUpdate" + "name": "d6768a557290bddc8f464a531" }, "device": { "id": "f7e49d5e0a65ac9907089989782717df" 
@@ -8175,9 +8175,9 @@ "ParentAuthenticationId": "221030", "PatternId": "830", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "TokenImpersonated", "id": "d1330c5a8472345299901dcafcb6e741c04f", - "name": "4b8f55f326fbe33b3cf", - "event_simpleName": "TokenImpersonated" + "name": "4b8f55f326fbe33b3cf" }, "device": { "id": "8ac4bf42d697d6476a2087a305f0a8a7" @@ -8271,9 +8271,9 @@ "SignatureErrorState": "36", "SignatureState": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UnsignedModuleLoad", "id": "fbdd0412d2d062a8e7f05ca768974728fd13", - "name": "7218b6fd46f62d142cab", - "event_simpleName": "UnsignedModuleLoad" + "name": "7218b6fd46f62d142cab" }, "device": { "id": "748b16033ae2f04b415a38442969be05" @@ -8364,9 +8364,9 @@ "RpcOpNum": "30", "UserRid": "04f8c66f", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserAccountAddedToGroup", "id": "4c0cf1755eaa94d6f52251e3d52f5ff6902f", - "name": "6f757290de34b1b1afde18238", - "event_simpleName": "UserAccountAddedToGroup" + "name": "6f757290de34b1b1afde18238" }, "device": { "id": "822724472847066e07121bc67f0675c0" @@ -8442,9 +8442,9 @@ "RpcOpNum": "70", "UserRid": "90dd1c44", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserAccountCreated", "id": "bd490a761a3f397c1a778b589441993b3091", - "name": "92d863b43efb433535db", - "event_simpleName": "UserAccountCreated" + "name": "92d863b43efb433535db" }, "device": { "id": "ea33b281ab769f0d09855298c2b43f40" @@ -8527,9 +8527,9 @@ "RpcOpNum": "90", "UserRid": "77bd1eaf", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserAccountDeleted", "id": "3229287b6fe92ef5336c913502cf9ef8fdf3", - "name": "0b8f5280c9729fa19531", - "event_simpleName": "UserAccountDeleted" + "name": "0b8f5280c9729fa19531" }, "device": { "id": "bae5bafaeb93295d398bf55b8ba1cf01" 
@@ -8612,9 +8612,9 @@ "ExceptionInformation0": "8", "FullExceptionRecord": "5d14ed407e29b2a4faf1a84e5b18504d02c670a34dee3f51a7fa3fc95ff8d263", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserExceptionDEP", "id": "5829a31e854865b7f675feb7d878b239adc2", - "name": "709aee1e8c3c110bf8", - "event_simpleName": "UserExceptionDEP" + "name": "709aee1e8c3c110bf8" }, "device": { "id": "c98cd5436ddf270308dd9d267fd914a0" @@ -8698,9 +8698,9 @@ "FontFileName": "\\e2\\82\\6b0cc\\15dad1a2\\0f51ad6\\8c31e\\c7bac469\\a39f4a16\\4\\6ad6049f\\51833\\fce70f15.ttf", "FontLoadOperation": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserFontLoad", "id": "3b3a10fec73cc70efcba7d10700c60647a00", - "name": "be33367389afc8", - "event_simpleName": "UserFontLoad" + "name": "be33367389afc8" }, "device": { "id": "30fcb474d1c19854928cfea68625715f" @@ -8785,9 +8785,9 @@ "UserFlags": "0", "UserLogonFlags": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserIdentity", "id": "ffafe1a8278f88b8c976d452dc465830bd1c", - "name": "6843b5d61bb2e5", - "event_simpleName": "UserIdentity" + "name": "6843b5d61bb2e5" }, "device": { "id": "443de0bbc349316f0d394439c57beaba" @@ -8883,9 +8883,9 @@ "UserLogoffType": "3", "UserLogonFlags": "6", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserLogoff", "id": "d42b0220749ccf3c12046d08207cd42e3e36", - "name": "035509012de2", - "event_simpleName": "UserLogoff" + "name": "035509012de2" }, "device": { "id": "e4b4d652bb68d0b6eaf25c3a357bd566" @@ -8976,9 +8976,9 @@ "Status": "7810500605", "SubStatus": "2782800370", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserLogonFailed2", "id": "abcd637574e3e621a022d447ce47204dcb70", - "name": "ed7b4a3a01737761db", - "event_simpleName": "UserLogonFailed2" + "name": "ed7b4a3a01737761db" }, "destination": { "address": "216.160.83.56", 
@@ -9087,9 +9087,9 @@ "TreeId": "929834768029", "UserLogonFlags": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserLogonFailed", "id": "498499842694e5b09e8a1c4abfe2eb414696", - "name": "9d199e1f177dd175a", - "event_simpleName": "UserLogonFailed" + "name": "9d199e1f177dd175a" }, "device": { "id": "82e84213f5e5ad2820ee7b0f905b8f43" @@ -9186,9 +9186,9 @@ "UserGroupsBitmask": "8043300404", "UserLogonFlags": "0", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "UserLogon", "id": "064eb67301d3224008ad7aee62c85ce3b9f2", - "name": "184e1f7f8f1", - "event_simpleName": "UserLogon" + "name": "184e1f7f8f1" }, "device": { "id": "43efa5759b9c618d8565a64ba39b729c" @@ -9293,9 +9293,9 @@ "RpcOpNum": "8", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "VolumeSnapshotCreated", "id": "f6b9775ac6046bae94a4121496a6896a86f6", - "name": "20c2ece111ed142fd2567b9", - "event_simpleName": "VolumeSnapshotCreated" + "name": "20c2ece111ed142fd2567b9" }, "device": { "id": "3dc8ee79410457af4c28499efe37b5bc" @@ -9395,9 +9395,9 @@ "VolumeName": "\\6ba0bd\\257d4e13", "VolumeSnapshotName": "\\6ba0bd\\8536f344", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "VolumeSnapshotDeleted", "id": "00d920a4c248b10173113fc4155a74b4b655", - "name": "1523f0687a552764e446cf1", - "event_simpleName": "VolumeSnapshotDeleted" + "name": "1523f0687a552764e446cf1" }, "device": { "id": "10ee42b0c65b014b6197f3d92782c4ad" @@ -9492,9 +9492,9 @@ "RpcClientThreadId": "5500404207604", "TokenType": "2", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "WmiCreateProcess", "id": "4fd1a6718f8c7a25e6af1b5af89b5565a443", - "name": "4d986d3e22110751d0", - "event_simpleName": "WmiCreateProcess" + "name": "4d986d3e22110751d0" }, "device": { "id": "8bba3f79ae72c48db0721bce1cc23f47" 
@@ -9585,9 +9585,9 @@ "WmiProviderName": "\\c\\4813\\155e1\\63acf3b8.Name=\\6c12b79e.0\\8", "WmiProviderType": "425f2336", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "WmiProviderRegistrationEtw", "id": "08b4a44cd2f229eadaa6f64169deb30db7f7", - "name": "256ae77a9371219d15d0ae429aae", - "event_simpleName": "WmiProviderRegistrationEtw" + "name": "256ae77a9371219d15d0ae429aae" }, "device": { "id": "fe88182661659af8a192fac5db624574" @@ -9677,9 +9677,9 @@ "Entitlements": "16", "EventOrigin": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "WroteExeAndGeneratedServiceEvent", "id": "b2cdcff3f1ec7958dd0f0d3b83d51360bfa4", - "name": "993018c29291eaa31ad975c11fbbae3390", - "event_simpleName": "WroteExeAndGeneratedServiceEvent" + "name": "993018c29291eaa31ad975c11fbbae3390" }, "device": { "id": "945a25b2d8f219a0693641fa5daeb3c4" @@ -9766,9 +9766,9 @@ "OperationFlags": "0", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ZipFileWritten", "id": "2b0434b299dc23d3e66d5af40855f712e176", - "name": "736782612c55c54fc", - "event_simpleName": "ZipFileWritten" + "name": "736782612c55c54fc" }, "device": { "id": "3e64efce7e8a490b018d335f25b68760" @@ -9881,9 +9881,9 @@ "PrimaryModule": "0", "SignInfoFlags": "932000", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ClassifiedModuleLoad", "id": "b44b58becebd48898306ffd6600bf3f42c16", - "name": "ClassifiedModuleLoadV5", - "event_simpleName": "ClassifiedModuleLoad" + "name": "ClassifiedModuleLoadV5" }, "device": { "id": "827afde25ba0eeda5d204a68ff612048" @@ -10034,9 +10034,9 @@ "PrimaryModule": "0", "SignInfoFlags": "932000", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ClassifiedModuleLoad", "id": "b44b58becebd48898306ffd6600bf3f42c16", - "name": "ClassifiedModuleLoadV5", - "event_simpleName": "ClassifiedModuleLoad" + "name": "ClassifiedModuleLoadV5" }, "device": { "id": "827afde25ba0eeda5d204a68ff612048" 
@@ -10187,9 +10187,9 @@ "PrimaryModule": "0", "SignInfoFlags": "932000", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "ClassifiedModuleLoad", "id": "b44b58becebd48898306ffd6600bf3f42c16", - "name": "ClassifiedModuleLoadV5", - "event_simpleName": "ClassifiedModuleLoad" + "name": "ClassifiedModuleLoadV5" }, "device": { "id": "827afde25ba0eeda5d204a68ff612048" @@ -10330,9 +10330,9 @@ "RegValueName": "{aaaaaaaaaaaaaa-aaaaaaaaaaaa-aaaaaaaaaa}", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RegSystemConfigValueUpdate", "id": "8f2302b7d2a07c5d5568941494e0368e0144", - "name": "24ba14f1e5840e900e581616a2fe", - "event_simpleName": "RegSystemConfigValueUpdate" + "name": "24ba14f1e5840e900e581616a2fe" }, "device": { "id": "be027d4cbada339f804f9c19f5a2d5a6" @@ -10431,9 +10431,9 @@ "RpcOpNum": "19", "TokenType": "1", "cid": "22222bbbbbbbbbbbbbdddddddddd1233", + "event_simpleName": "ServiceStarted", "id": "aaaaaaaaaa-c6b5-499a-a494-cccccccccc", - "name": "ServiceStartedV2", - "event_simpleName": "ServiceStarted" + "name": "ServiceStartedV2" }, "device": { "id": "11111aaaaaaaaaaaaacccccccccddddd" @@ -10567,9 +10567,9 @@ "RpcClientProcessId": "000000000000", "RpcClientThreadId": "1908581779603", "cid": "22222bbbbbbbbbbbbbdddddddddd1233", + "event_simpleName": "DriverLoad", "id": "aaaaaaaa-3328-4c62-b151-bbbbbbbbbbb", - "name": "DriverLoadV6", - "event_simpleName": "DriverLoad" + "name": "DriverLoadV6" }, "device": { "id": "11111aaaaaaaaaaaaacccccccccddddd" @@ -10704,9 +10704,9 @@ "RegValueName": "{aaaaaaaaaaaaaa-aaaaaaaaaaaa-aaaaaaaaaa}", "TokenType": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "RegCrowdstrikeValueUpdate", "id": "8f2302b7d2a07c5d5568941494e0368e0144", - "name": "RegCrowdstrikeValueUpdateV1", - "event_simpleName": "RegCrowdstrikeValueUpdate" + "name": "RegCrowdstrikeValueUpdateV1" }, "device": { "id": "be027d4cbada339f804f9c19f5a2d5a6" 
@@ -10834,9 +10834,9 @@ "OperationFlags": "0", "TokenType": "2", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "PngFileWritten", "id": "9c458f0ddfe1293cd356445b2c473d0a0ef4", - "name": "PngFileWrittenV3", - "event_simpleName": "PngFileWritten" + "name": "PngFileWrittenV3" }, "device": { "id": "bae5bafaeb93295d398bf55b8ba1cf01" @@ -10965,9 +10965,9 @@ "Entitlements": "15", "EventOrigin": "1", "cid": "4092825518eaf67377a6e4492ae44577", + "event_simpleName": "MotwWritten", "id": "9c458f-ddfe1293cd-56445b2c4-3d0a0ef4", - "name": "MotwWrittenV2", - "event_simpleName": "MotwWritten" + "name": "MotwWrittenV2" }, "device": { "id": "bae5bafaeb93295d398bf55b8ba1cf01" @@ -11057,9 +11057,9 @@ "VolumeRealDeviceName": "\\Device\\HarddiskVolume4", "VolumeSectorSize": "512", "VolumeSessionUUID": "BA6553C6-EA71-4F58-ADF2-EB7C71401657", + "event_simpleName": "MountedVolume", "id": "4a10cafe-7a95-4659-80c0-9b670b2308c1", - "name": "MountedVolumeV1", - "event_simpleName": "MountedVolume" + "name": "MountedVolumeV1" }, "device": { "id": "bae5bafaeb93295d398bf55b8ba1cf01" @@ -11139,9 +11139,9 @@ "TargetProcessImageFileName": "\\Device\\HarddiskVolume4\\Program Files\\CrowdStrike\\CSFalconService.exe", "TemplateDisposition": "10", "TemplateInstanceId": "20587", + "event_simpleName": "FalconProcessHandleOpDetectInfo", "id": "da53cef8-72b1-4ca8-af19-2ae8f9c30fbf", - "name": "FalconProcessHandleOpDetectInfoV1", - "event_simpleName": "FalconProcessHandleOpDetectInfo" + "name": "FalconProcessHandleOpDetectInfoV1" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11211,9 +11211,9 @@ "EventOrigin": "1", "IsHosted": "0", "SourceProcessId": "111822186970", + "event_simpleName": "ServiceStopped", "id": "e9e1ae71-7b21-4260-9891-f1dd497a7ea9", - "name": "ServiceStoppedV2", - "event_simpleName": "ServiceStopped" + "name": "ServiceStoppedV2" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" 
@@ -11286,9 +11286,9 @@ "ImageBaseName": "WdNisDrv.sys", "RpcClientProcessId": "111754267474", "RpcClientThreadId": "1985175578964", + "event_simpleName": "KernelServiceStarted", "id": "664425be-9ed3-4b41-8790-5bd12a9889e8", - "name": "KernelServiceStartedV3", - "event_simpleName": "KernelServiceStarted" + "name": "KernelServiceStartedV3" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11360,9 +11360,9 @@ "Entitlements": "15", "EventOrigin": "17", "UpdateFlag": "1", + "event_simpleName": "InstalledBrowserExtension", "id": "0eaf2b81-3888-446f-99ba-e38ff8249b25", - "name": "InstalledBrowserExtensionV2", - "event_simpleName": "InstalledBrowserExtension" + "name": "InstalledBrowserExtensionV2" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11428,9 +11428,9 @@ "EffectiveTransmissionClass": "0", "Entitlements": "15", "EventOrigin": "17", + "event_simpleName": "SensorAntiTamperState", "id": "8bee55a5-f768-48b9-ab4c-614a1283a58a", - "name": "SensorAntiTamperStateV1", - "event_simpleName": "SensorAntiTamperState" + "name": "SensorAntiTamperStateV1" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11482,9 +11482,9 @@ "EventOrigin": "17", "Flags": "0", "RTRState": "1", + "event_simpleName": "SensorSettingsUpdate", "id": "c188e104-d940-46af-aed8-acf5086fc187", - "name": "SensorSettingsUpdateV1", - "event_simpleName": "SensorSettingsUpdate" + "name": "SensorSettingsUpdateV1" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11536,9 +11536,9 @@ "ErrorCode": "0", "EventOrigin": "17", "ServiceCurrentState": "4", + "event_simpleName": "ServicesStatusInfo", "id": "37ddccdf-594d-4224-97de-e784822466f4", - "name": "ServicesStatusInfoV1", - "event_simpleName": "ServicesStatusInfo" + "name": "ServicesStatusInfoV1" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" 
@@ -11604,9 +11604,9 @@ "EventOrigin": "1", "FileEcpBitmask": "0", "ShannonEntropy": "932", + "event_simpleName": "FileWrittenWithEntropyHigh", "id": "fc10d190-e98f-45fc-bb2a-ca60d3534a2a", - "name": "FileWrittenWithEntropyHighV2", - "event_simpleName": "FileWrittenWithEntropyHigh" + "name": "FileWrittenWithEntropyHighV2" }, "device": { "id": "bae5bafaeb93295d398bf55b8ba1cf01" @@ -11690,9 +11690,9 @@ "EventOrigin": "1", "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ModuleILPath": "vezhsq1h", + "event_simpleName": "ReflectiveDotnetModuleLoad", "id": "b089f099-ffac-44fd-9efe-e1bc148214ee", - "name": "ReflectiveDotnetModuleLoadV2", - "event_simpleName": "ReflectiveDotnetModuleLoad" + "name": "ReflectiveDotnetModuleLoadV2" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" @@ -11756,9 +11756,9 @@ "IntegrityLevel": "16384", "TargetAuthenticationId": "996", "TargetIntegrityLevel": "16384", + "event_simpleName": "SuspiciousPrivilegedProcessHandle", "id": "87902694-15af-4692-b1e2-bf7fba80b272", - "name": "SuspiciousPrivilegedProcessHandleV2", - "event_simpleName": "SuspiciousPrivilegedProcessHandle" + "name": "SuspiciousPrivilegedProcessHandleV2" }, "device": { "id": "cdbfd7c3bab5478d935db9969b5886cc" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/policy/test-default.expected b/packages/crowdstrike/data_stream/fdr/_dev/test/policy/test-default.expected index dcc377b702e..8e2ef30b581 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/policy/test-default.expected +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/policy/test-default.expected 
@@ -22,68 +22,6 @@ inputs: number_of_workers: 5 processors: - add_locale: null - - decode_json_fields: - fields: message - target: crowdstrike - - else: - - else: - - cache: - backend: - file: - id: aidmaster - get: - ignore_missing: true - key_field: crowdstrike.aid - target_field: metadata.host - - cache: - backend: - file: - id: userinfo - get: - ignore_missing: true - key_field: crowdstrike.UserSid - target_field: metadata.user - if: - contains: - log.file.path: userinfo - then: - - cache: - backend: - capacity: 0 - file: - id: userinfo - write_interval: 0 - put: - ignore_missing: true - key_field: crowdstrike.UserSid_readable - ttl: 168h - value_field: crowdstrike - - drop_event: - when: - contains: - log.file.path: userinfo - if: - contains: - log.file.path: aidmaster - then: - - cache: - backend: - capacity: 0 - file: - id: aidmaster - write_interval: 0 - put: - ignore_missing: true - key_field: crowdstrike.aid - ttl: 168h - value_field: crowdstrike - - drop_event: - when: - contains: - log.file.path: aidmaster - - drop_fields: - fields: - - crowdstrike publisher_pipeline.disable_host: true queue_url: "" sqs.notification_parsing_script.source: | @@ -145,27 +83,6 @@ inputs: } } else { // FDR queue - files.sort(function(a, b) { - var isMetadata = function(a) { - return a.path && ((a.path.indexOf("aidmaster") !== -1) || (a.path.indexOf("userinfo") !== -1)); - }; - var cmp = function(a, b) { - if (a < b) { - return -1; - } - if (a > b) { - return 1; - } - return 0; - }; - if (isMetadata(a) === isMetadata(b)) { - return cmp(a.path, b.path); - } - if (isMetadata(a)) { - return -1; - } - return 1; - }); files.forEach(function(f){ var evt = new S3EventV2(); evt.SetS3BucketName(bucket); 
@@ -177,19 +94,19 @@ inputs: } function test() { // Test FDR queue - var fdrEvents = parse("{\"bucket\":\"fdrBucket\",\"files\":[{\"path\":\"prefix/aidmaster\",\"size\":89118480,\"checksum\":\"d0f566f37295e46f28c75f71ddce9422\"},{\"path\":\"prefix/data\"}]}"); + var fdrEvents = parse("{\"bucket\":\"fdrBucket\",\"files\":[{\"path\":\"prefix/data\",\"size\":89118480,\"checksum\":\"d0f566f37295e46f28c75f71ddce9422\"},{\"path\":\"prefix/aidmaster\"}]}"); if (fdrEvents.length !== 2) { throw "expecting two events"; } if (fdrEvents[0].S3.Bucket.Name !== "fdrBucket") { throw "expected bucket === fdrBucket"; } - if (fdrEvents[0].S3.Object.Key !== "prefix/aidmaster") { - throw "expected object key === prefix/aidmaster"; - } - if (fdrEvents[1].S3.Object.Key !== "prefix/data") { + if (fdrEvents[0].S3.Object.Key !== "prefix/data") { throw "expected object key === prefix/data"; } + if (fdrEvents[1].S3.Object.Key !== "prefix/aidmaster") { + throw "expected object key === prefix/aidmaster"; + } // Test S3 -> SQS var sqsEvents = parse("{\"Records\":[{\"eventVersion\":\"2.1\",\"eventSource\":\"aws:s3\",\"awsRegion\":\"us-west-2\",\"eventTime\":\"2025-05-27T11:38:32.511Z\",\"eventName\":\"ObjectCreated:Put\",\"userIdentity\":{\"principalId\":\"AWS:DKASHW31673218\"},\"requestParameters\":{\"sourceIPAddress\":\"81.2.69.142\"},\"responseElements\":{\"x-amz-request-id\":\"adqw312EASDS\",\"x-amz-id-2\":\"SD312ESDAD/ASDASDQX1E21XE/6aeP0eHq4aYCvF\"},\"s3\":{\"s3SchemaVersion\":\"1.0\",\"configurationId\":\"test-sqs-cs-s3-evt-notif-sqs\",\"bucket\":{\"name\":\"test-sqs-cs-s3\",\"ownerIdentity\":{\"principalId\":\"321DSAVDW2E1\"},\"arn\":\"arn:aws:s3:::test-sqs-cs-s3\"},\"object\":{\"key\":\"fdr-sample.log\",\"size\":114782,\"eTag\":\"41cdbd1843a4c49ef0255e2ccd48cb9d\",\"sequencer\":\"006835A4387B4406AF\"}}}]}"); if (sqsEvents.length !== 1) { 
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml index 843b013b51b..a3f997679a1 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-default-config.yml @@ -1,8 +1,3 @@ -# Default FDR aws-s3 uses keep_metadata=false, so aidmaster/userinfo events are -# dropped after cache enrichment (see agent/stream/aws-s3.yml.hbs). The -# latest_aidmaster transform only has source documents when those blobs are -# indexed; transform validation is covered by test-keep-metadata-config.yml. -skip_transform_validation: true input: aws-s3 skip_ignored_fields: - crowdstrike.ConfigStateData @@ -18,4 +13,4 @@ data_stream: preserve_original_event: true enable_deduplication: true assert: - hit_count: 127 + hit_count: 133 diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml b/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml deleted file mode 100644 index c9d09c60dab..00000000000 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/system/test-keep-metadata-config.yml +++ /dev/null @@ -1,17 +0,0 @@ -input: aws-s3 -skip_ignored_fields: - - crowdstrike.ConfigStateData - - crowdstrike.FeatureVector - - crowdstrike.OSVersionFileData - - process.command_line -data_stream: - vars: - access_key_id: "{{AWS_ACCESS_KEY_ID}}" - secret_access_key: "{{AWS_SECRET_ACCESS_KEY}}" - session_token: "{{AWS_SESSION_TOKEN}}" - queue_url: "{{TF_OUTPUT_queue_url}}" - preserve_original_event: true - keep_metadata: true - enable_deduplication: true -assert: - hit_count: 133 diff --git a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs index 8e15a681c4a..ff9c00b97cc 100644 
--- a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs +++ b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs @@ -100,27 +100,6 @@ sqs.notification_parsing_script.source: | } } else { // FDR queue - files.sort(function(a, b) { - var isMetadata = function(a) { - return a.path && ((a.path.indexOf("aidmaster") !== -1) || (a.path.indexOf("userinfo") !== -1)); - }; - var cmp = function(a, b) { - if (a < b) { - return -1; - } - if (a > b) { - return 1; - } - return 0; - }; - if (isMetadata(a) === isMetadata(b)) { - return cmp(a.path, b.path); - } - if (isMetadata(a)) { - return -1; - } - return 1; - }); files.forEach(function(f){ var evt = new S3EventV2(); evt.SetS3BucketName(bucket); 
@@ -132,19 +111,19 @@ sqs.notification_parsing_script.source: | } function test() { // Test FDR queue - var fdrEvents = parse("{\"bucket\":\"fdrBucket\",\"files\":[{\"path\":\"prefix/aidmaster\",\"size\":89118480,\"checksum\":\"d0f566f37295e46f28c75f71ddce9422\"},{\"path\":\"prefix/data\"}]}"); + var fdrEvents = parse("{\"bucket\":\"fdrBucket\",\"files\":[{\"path\":\"prefix/data\",\"size\":89118480,\"checksum\":\"d0f566f37295e46f28c75f71ddce9422\"},{\"path\":\"prefix/aidmaster\"}]}"); if (fdrEvents.length !== 2) { throw "expecting two events"; } if (fdrEvents[0].S3.Bucket.Name !== "fdrBucket") { throw "expected bucket === fdrBucket"; } - if (fdrEvents[0].S3.Object.Key !== "prefix/aidmaster") { - throw "expected object key === prefix/aidmaster"; - } - if (fdrEvents[1].S3.Object.Key !== "prefix/data") { + if (fdrEvents[0].S3.Object.Key !== "prefix/data") { throw "expected object key === prefix/data"; } + if (fdrEvents[1].S3.Object.Key !== "prefix/aidmaster") { + throw "expected object key === prefix/aidmaster"; + } // Test S3 -> SQS var sqsEvents = parse("{\"Records\":[{\"eventVersion\":\"2.1\",\"eventSource\":\"aws:s3\",\"awsRegion\":\"us-west-2\",\"eventTime\":\"2025-05-27T11:38:32.511Z\",\"eventName\":\"ObjectCreated:Put\",\"userIdentity\":{\"principalId\":\"AWS:DKASHW31673218\"},\"requestParameters\":{\"sourceIPAddress\":\"81.2.69.142\"},\"responseElements\":{\"x-amz-request-id\":\"adqw312EASDS\",\"x-amz-id-2\":\"SD312ESDAD/ASDASDQX1E21XE/6aeP0eHq4aYCvF\"},\"s3\":{\"s3SchemaVersion\":\"1.0\",\"configurationId\":\"test-sqs-cs-s3-evt-notif-sqs\",\"bucket\":{\"name\":\"test-sqs-cs-s3\",\"ownerIdentity\":{\"principalId\":\"321DSAVDW2E1\"},\"arn\":\"arn:aws:s3:::test-sqs-cs-s3\"},\"object\":{\"key\":\"fdr-sample.log\",\"size\":114782,\"eTag\":\"41cdbd1843a4c49ef0255e2ccd48cb9d\",\"sequencer\":\"006835A4387B4406AF\"}}}]}"); if (sqsEvents.length !== 1) { 
@@ -213,74 +192,6 @@ fields: enable_geoip_destination_ip: {{enable_geoip_destination_ip}} processors: - add_locale: ~ -{{#if enrich_metadata}} -- decode_json_fields: - fields: message - target: crowdstrike -- if: - contains: - log.file.path: aidmaster - then: - - cache: - backend: - capacity: {{metadata_cache_capacity}} - file: - id: aidmaster - write_interval: {{metadata_cache_write_interval}} - put: - ttl: {{metadata_ttl}} - key_field: crowdstrike.aid - value_field: crowdstrike - ignore_missing: true -{{#unless keep_metadata}} - - drop_event: - when: - contains: - log.file.path: aidmaster -{{/unless}} - else: - - if: - contains: - log.file.path: userinfo - then: - - cache: - backend: - capacity: {{metadata_cache_capacity}} - file: - id: userinfo - write_interval: {{metadata_cache_write_interval}} - put: - ttl: {{metadata_ttl}} - key_field: crowdstrike.UserSid_readable - value_field: crowdstrike - ignore_missing: true -{{#unless keep_metadata}} - - drop_event: - when: - contains: - log.file.path: userinfo -{{/unless}} - else: - - cache: - backend: - file: - id: aidmaster - get: - key_field: crowdstrike.aid - target_field: metadata.host - ignore_missing: true - - cache: - backend: - file: - id: userinfo - get: - key_field: crowdstrike.UserSid - target_field: metadata.user - ignore_missing: true -- drop_fields: - fields: - - crowdstrike -{{/if}} {{#if processors}} {{processors}} {{/if}} diff --git a/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs index c7c101a84c6..864a0445552 100644 --- a/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs +++ b/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs 
@@ -34,74 +34,6 @@ fields: enable_geoip_destination_ip: {{enable_geoip_destination_ip}} processors: - add_locale: ~ -{{#if enrich_metadata}} -- decode_json_fields: - fields: message - target: crowdstrike -- if: - contains: - log.file.path: aidmaster - then: - - cache: - backend: - capacity: {{metadata_cache_capacity}} - file: - id: aidmaster - write_interval: {{metadata_cache_write_interval}} - put: - ttl: {{metadata_ttl}} - key_field: crowdstrike.aid - value_field: crowdstrike - ignore_missing: true -{{#unless keep_metadata}} - - drop_event: - when: - contains: - log.file.path: aidmaster -{{/unless}} - else: - - if: - contains: - log.file.path: userinfo - then: - - cache: - backend: - capacity: {{metadata_cache_capacity}} - file: - id: userinfo - write_interval: {{metadata_cache_write_interval}} - put: - ttl: {{metadata_ttl}} - key_field: crowdstrike.UserSid_readable - value_field: crowdstrike - ignore_missing: true -{{#unless keep_metadata}} - - drop_event: - when: - contains: - log.file.path: userinfo -{{/unless}} - else: - - cache: - backend: - file: - id: aidmaster - get: - key_field: crowdstrike.aid - target_field: metadata.host - ignore_missing: true - - cache: - backend: - file: - id: userinfo - get: - key_field: crowdstrike.UserSid - target_field: metadata.user - ignore_missing: true -- drop_fields: - fields: - - crowdstrike -{{/if}} {{#if processors}} {{processors}} {{/if}} diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 6176d0271e4..4114abc1155 100644 --- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml 
@@ -43,22 +43,6 @@ processors: tag: append_error_message_4ef54c75 field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - remove: - tag: remove_metadata_host_aid_and_user_sid_a4bf7be9 - field: - - metadata.host.aid - - metadata.user.UserSid_readable - ignore_missing: true - - rename: - tag: rename_metadata_to_crowdstrike_info_4a121644 - field: metadata - target_field: crowdstrike.info - ignore_missing: true - on_failure: - - append: - tag: append_error_message_d5092d94 - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: tag: convert_crowdstrike_UTCTimestamp_to_long_into__temp_utc_timestamp_a18a1c5b field: crowdstrike.UTCTimestamp @@ -773,18 +757,6 @@ processors: copy_from: host.hostname ignore_empty_value: true ignore_failure: true - - append: - tag: append_related_hosts_369b21b5 - if: ctx.crowdstrike?.info?.host?.ComputerName != null - field: related.hosts - value: '{{{crowdstrike.info.host.ComputerName}}}' - allow_duplicates: false - - rename: - tag: rename_crowdstrike_info_host_ComputerName_to_host_name_a1ee7f6f - if: ctx.host?.name == null - field: crowdstrike.info.host.ComputerName - target_field: host.name - ignore_missing: true - append: tag: append_related_hosts_452ef445 if: ctx.host?.name != null 
@@ -821,31 +793,6 @@ processors: target_field: host.domain ignore_missing: true ignore_failure: true - - convert: - tag: convert_crowdstrike_info_host_aip_to_ip_into__temp_aip_21b40f31 - if: ctx.crowdstrike?.info?.host?.aip != null && ctx.crowdstrike.info.host.aip != "" - field: crowdstrike.info.host.aip - type: ip - target_field: _temp.aip - ignore_failure: true - - remove: - tag: remove_crowdstrike_info_host_aip_0b8e5e7f - if: ctx._temp?.aip != null - field: - - crowdstrike.info.host.aip - - append: - tag: append_host_ip_1dd81f5c - if: ctx._temp?.aip != null - field: host.ip - value: '{{{_temp.aip}}}' - allow_duplicates: false - - append: - tag: append_related_ip_a3fbf481 - if: ctx._temp?.aip != null - field: related.ip - value: '{{{_temp.aip}}}' - allow_duplicates: false - # OS fields. - set: tag: set_host_os_type_c07526d4 @@ -1482,31 +1429,6 @@ processors: field: crowdstrike.UID target_field: user.id ignore_missing: true - - rename: - tag: rename_crowdstrike_info_user_UserName_to_user_name_cc930c2f - if: ctx.crowdstrike?.info?.user?.UserName != null && ctx.user?.name == null - field: crowdstrike.info.user.UserName - target_field: user.name - ignore_missing: true - - split: - tag: split_crowdstrike_info_user_User_into__temp_info_user_parts_dee4af27 - if: ctx.crowdstrike?.info?.user?.User != null - field: crowdstrike.info.user.User - separator: \\{1,2} - target_field: _temp.info_user_parts - - set: - tag: set_user_domain_6f97903f - if: ctx._temp?.info_user_parts != null && ctx._temp.info_user_parts.size() == 2 - field: user.domain - value: '{{{_temp.info_user_parts.0}}}' - ignore_empty_value: true - ignore_failure: true - - rename: - tag: rename_crowdstrike_info_user_User_to_user_name_6ec3ffdd - if: ctx.crowdstrike?.info?.user?.User != null && ctx.user?.name == null - field: crowdstrike.info.user.User - target_field: user.name - ignore_missing: true - rename: tag: rename_crowdstrike_GID_to_user_group_id_5c9b8998 field: crowdstrike.GID 
@@ -1686,13 +1608,6 @@ processors: value: '{{{user.name}}}' allow_duplicates: false ignore_failure: true - - append: - tag: append_related_user_f49500fe - if: ctx.crowdstrike?.info?.user?.User != null - field: related.user - value: '{{{crowdstrike.info.user.User}}}' - allow_duplicates: false - ignore_failure: true - append: tag: append_related_user_a621a20e if: ctx.user?.full_name != null @@ -2599,13 +2514,6 @@ processors: field: related.hosts value: '{{{crowdstrike.ClientComputerName}}}' allow_duplicates: false - - append: - tag: append_related_hosts_2d2dc803 - if: ctx.crowdstrike?.info?.user?.LastLoggedOnHost != null - field: related.hosts - value: '{{{crowdstrike.info.user.LastLoggedOnHost}}}' - allow_duplicates: false - - script: description: Remove long fields based on user input stored in _conf.long_fields*. tag: script_remove_long_fields_90516c2a diff --git a/packages/crowdstrike/data_stream/fdr/manifest.yml b/packages/crowdstrike/data_stream/fdr/manifest.yml index c3f669e4c77..1f5fb39950d 100644 --- a/packages/crowdstrike/data_stream/fdr/manifest.yml +++ b/packages/crowdstrike/data_stream/fdr/manifest.yml 
@@ -42,46 +42,6 @@ streams: required: true show_user: true description: URL of the AWS SQS queue that messages will be received from. - - name: enrich_metadata - required: true - show_user: true - title: Enrich Host and User Metadata - description: Uses data in aidmaster and userinfo to add host and user information to events. The aidmaster blob must contain the string "aidmaster" in its path and the userinfo blob path must contain "userinfo", and the FDR Notification Parsing Script must sort events so that aidmaster and userinfo events appear first in the stream. - type: bool - multi: false - default: true - - name: keep_metadata - required: true - show_user: false - title: Keep Original Host and User Metadata - description: Keep the aidmaster and userinfo documents after they have been used for event enrichment. - type: bool - multi: false - default: false - - name: metadata_ttl - required: true - show_user: true - title: Metadata TTL - description: The period of time that metadata is considered valid for. Valid time units are h, m, s, ms, us/µs and ns. - type: text - multi: false - default: 168h - - name: metadata_cache_capacity - required: true - show_user: false - title: Metadata cache capacity - description: "The maximum amount of metadata objects to cache. Operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. Values at or below zero indicate no limit. \nWARNING: This setting needs to be set only if the amount of metadata elements is known beforehand, otherwise it might lead to enrichment data loss. 
If you are not sure, leave it untouched.\n" - type: text - multi: false - default: 0 - - name: metadata_cache_write_interval - required: true - show_user: false - title: Metadata cache write interval - description: The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes. - type: text - multi: false - default: 0 - name: long_fields title: Long Fields description: Choose to `Index` or `Delete` long fields. Fields longer than 1024 bytes (except `event.original`) will be kept (indexed) or deleted based on this option. @@ -260,30 +220,6 @@ streams: default: - /var/log/falcon_data_replicator.log show_user: true - - name: enrich_host_metadata - required: true - show_user: true - title: Enrich Host and User Metadata - description: Uses data in aidmaster and userinfo to add host and user information to events. The aidmaster file must be included in the paths configuration, include the string "aidmaster" in the path host information file path and "userinfo" in the user information file path, and have a file paths that sorts before the FDR log file paths. - type: bool - multi: false - default: true - - name: keep_metadata - required: true - show_user: false - title: Keep Original Host and User Metadata - description: Keep the aidmaster and userinfo documents after they have been used for event enrichment. - type: bool - multi: false - default: false - - name: metadata_ttl - required: true - show_user: true - title: Metadata TTL - description: The period of time that host metadata is considered valid for. Valid time units are h, m, s, ms, us/µs and ns. - type: text - multi: false - default: 168h - name: preserve_original_event required: true show_user: true diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index d1630a4eb49..3512e84ba93 100644 
--- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -352,12 +352,8 @@ FROM logs-crowdstrike.fdr-* | LIMIT 20 ``` -**Elasticsearch 8.19+** is required for `LOOKUP JOIN` to resolve an alias. Use `crowdstrike_lookup.aidmaster` as in the example above. On **releases before 8.19**, `LOOKUP JOIN` must target the concrete transform destination index instead: in Kibana go to **Stack Management** → **Transforms**, open the CrowdStrike latest aidmaster transform, and use the **destination_index** name shown there (that name can change with the integration version). - **Using enriched fields:** Enrichment from the lookup is under the `crowdstrike.info.host.*` namespace (e.g. `crowdstrike.info.host.hostname` for hostname, `crowdstrike.info.host.cid` for customer ID). Use these fields in dashboards and detection rules when building on query-time enrichment. -**Ingest-time versus query-time:** The FDR integration’s **Enrich Host and User Metadata** option (`enrich_metadata`, on by default) uses the Elastic Agent (Filebeat) metadata cache to attach `aidmaster` and `userinfo` to events at ingest time. If you rely on query-time host enrichment only (transform + `LOOKUP JOIN` above), set **Enrich Host and User Metadata** to **Off** so host metadata is not applied twice. Turning it off also disables ingest-time enrichment from `userinfo`; if you still need user fields from `userinfo` on every document, keep ingest-time enrichment enabled or supplement with a separate query pattern. Disabling **Enrich Host and User Metadata** automatically makes **Keep Original Host and User Metadata** option (`keep_metadata`) ineffective and the metadata events are retained. - ### Query-time user metadata enrichment (LOOKUP JOIN) A second transform maintains the latest user metadata per host-user pair from `UserIdentity` and `UserLogon` sensor events in a lookup index. 
Unlike `userinfo` directory data (which requires [Falcon Discover](https://www.crowdstrike.com/platform/exposure-management/falcon-discover/) and covers only Windows), sensor events are available to all FDR customers on all platforms (Windows, macOS, Linux, ChromeOS). You can enrich FDR events with user metadata at query time using ES|QL [`LOOKUP JOIN`](https://www.elastic.co/docs/reference/query-languages/esql/commands/lookup-join). 
@@ -393,11 +389,7 @@ FROM logs-crowdstrike.fdr-* | LIMIT 20 ``` -**Elasticsearch 8.19+** is required for `LOOKUP JOIN` to resolve an alias. Use `crowdstrike_lookup.userinfo` as in the examples above. On **releases before 8.19**, `LOOKUP JOIN` must target the concrete transform destination index instead: in Kibana go to **Stack Management** → **Transforms**, open the CrowdStrike latest userinfo transform, and use the **destination_index** name shown there (that name can change with the integration version). If you use both host and user lookups on releases before 8.19, you will need two concrete destination index names — one for aidmaster and one for userinfo — both obtainable from **Stack Management** → **Transforms**. - -**Using enriched fields:** Enrichment from the user lookup is under the `crowdstrike.info.user.*` namespace (e.g. `crowdstrike.info.user.name` for username, `crowdstrike.info.user.domain` for UPN domain, `crowdstrike.info.user.logon_type` for logon type). Use these fields in dashboards and ES|QL detection rules when building on query-time enrichment. Note that detection rules using EQL, threshold, or KQL operate on stored documents and cannot use `LOOKUP JOIN` — those rule types continue to rely on ingest-time cache enrichment for user metadata. - -**Ingest-time versus query-time:** The same **Enrich Host and User Metadata** option (`enrich_metadata`) that controls ingest-time host enrichment also controls ingest-time user enrichment from `userinfo` directory data. Query-time user enrichment via the transform is additive — it works regardless of whether ingest-time enrichment is enabled. If you rely on query-time enrichment only, set **Enrich Host and User Metadata** to **Off** so metadata is not applied twice. 
If both are active, user metadata may appear under `crowdstrike.info.user.*` from both the ingest-time cache and the query-time lookup; the values should be consistent but the ingest-time cache is populated from `userinfo` while the query-time lookup uses sensor events, so field availability may differ. +**Using enriched fields:** Enrichment from the user lookup is under the `crowdstrike.info.user.*` namespace (e.g. `crowdstrike.info.user.name` for username, `crowdstrike.info.user.domain` for UPN domain, `crowdstrike.info.user.logon_type` for logon type). Use these fields in dashboards and ES|QL detection rules when building on query-time enrichment. #### ES|QL dashboard panels diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 9ad54abc42a..5a49ec83b35 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "3.21.0" +version: "4.0.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.4.0"
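Review bot: the only evidence that the notification parsing script no longer sorts aidmaster objects ahead of data objects is the flipped expectation in the test hunk `@@ -132,19 +111,19 @@` (`fdrEvents[0].S3.Object.Key` is now `prefix/data`, `[1]` is `prefix/aidmaster`, i.e. input order preserved); the corresponding change to the ordering logic in `parse()` is not in the visible hunk. Confirm that the sort was removed rather than merely unexercised, and add a one-line comment in `test()` saying that aidmaster/userinfo objects no longer need to precede data objects now that agent-side cache enrichment is gone, otherwise a later reader will not know why the order was inverted.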
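Review bot: removing the `{{#if enrich_metadata}}` block in hunk `@@ -213,74 +192,6 @@` also removes the `drop_event` processors that were guarded by `{{#unless keep_metadata}}`, so with `keep_metadata` previously defaulting to `false` the aidmaster and userinfo documents were discarded at the agent and will now always be indexed into the FDR data stream. That is presumably intended because the lookup transforms need those documents, but it is a volume and storage change for upgrading users and should be called out in the README and changelog. The same block contained the agent-side `decode_json_fields` processor for `message`; the later pipeline hunks operate on `crowdstrike.UTCTimestamp`, so a `json` processor must exist upstream in the ingest pipeline, but that part of the pipeline is not in the visible diff and is worth checking with the pipeline tests.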
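Review bot: the block removed from `stream.yml.hbs` in hunk `@@ -34,74 +34,6 @@` tested `{{#if enrich_metadata}}`, while the manifest variable defined for that stream (the hunk following the `/var/log/falcon_data_replicator.log` default in `manifest.yml`) was named `enrich_host_metadata`, so ingest-time enrichment appears never to have rendered for the logfile input at all. That supports the removal, but it is worth stating in the PR description so the change is understood not to regress the logfile input, and so that nobody tries to carry the old behaviour forward under the wrong variable name.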
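Review bot: with the `rename_metadata_to_crowdstrike_info_4a121644` processor gone (hunk `@@ -43,22 +43,6 @@`), nothing in the pipeline writes `crowdstrike.info.*` any more, and the field names under that namespace change meaning: the ingest-time documents carried raw aidmaster/userinfo keys (`crowdstrike.info.host.ComputerName`, `crowdstrike.info.host.aip`, `crowdstrike.info.user.UserName`, `crowdstrike.info.user.User`), whereas the README context lines document the lookup fields as `crowdstrike.info.host.hostname`, `crowdstrike.info.host.cid`, `crowdstrike.info.user.name`, `crowdstrike.info.user.domain`. Any saved search, dashboard or rule written against the old names now returns nothing; add a migration table mapping old field to new field, and confirm the transforms' destination mappings (not in this diff) really emit the documented names.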
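Review bot: the processors removed in hunks `@@ -773,18 +757,6 @@` and `@@ -821,31 +793,6 @@` were the ones that promoted cached host metadata into ECS (`host.name` from `ComputerName` when no sensor hostname was present, `host.ip` and `related.ip` from `aip`, plus `related.hosts`), and `LOOKUP JOIN` enrichment never reaches stored documents, so after this change events without a sensor-level hostname will have no `host.name`, and `aip` is no longer searchable through `related.ip`. This is a breaking change to stored data that only ES|QL consumers can compensate for; the 4.0.0 bump is right, but the affected ECS fields should be listed explicitly in the changelog and README rather than left for users to discover in broken KQL/EQL rules.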
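Review bot: the user-side removals in hunks `@@ -1482,31 +1429,6 @@`, `@@ -1686,13 +1608,6 @@` and `@@ -2599,13 +2514,6 @@` drop the only path that populated `user.domain` (the `split` on `crowdstrike.info.user.User` with separator `\\{1,2}`), the fallback for `user.name` from `UserName`/`User`, and the `related.user`/`related.hosts` entries from `User` and `LastLoggedOnHost`. Stored FDR documents therefore lose `user.domain` entirely unless the sensor event itself carries it; please say so in the changelog, and check the `related.user` pivots in the bundled dashboards and rules, since those previously matched on the cached `User` value.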
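Review bot: the variables removed from `manifest.yml` in hunks `@@ -42,46 +42,6 @@` and `@@ -260,30 +220,6 @@` were all `required: true`, and `enrich_metadata`, `metadata_ttl` and `enrich_host_metadata` had `show_user: true`, so existing package policies will carry explicit values for names that no longer exist; verify how Fleet handles the policy upgrade to 4.0.0 when required variables disappear, and add an upgrade note with the result. Separately, the removed `enrich_host_metadata` description was the only text telling logfile users that the aidmaster file must be included in `paths`; since the lookup transforms still depend on aidmaster and userinfo documents being indexed, that requirement should move into the `paths` description or the README rather than vanish with the variable.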
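Review bot: dropping the "Elasticsearch 8.19+ is required for `LOOKUP JOIN` to resolve an alias" paragraph in hunk `@@ -352,12 +352,8 @@` (and its twin in the `_dev/build` README) leaves the docs with no stated minimum version for `crowdstrike_lookup.aidmaster`, while the `manifest.yml` hunk only changes `version` and does not touch the package `conditions`. If 4.0.0 now assumes 8.19+ because ingest-time enrichment is gone, raise the version constraint in the same PR so older stacks cannot install a package whose only enrichment path does not work for them; if older stacks are still supported, keep the pre-8.19 instructions about using the transform's `destination_index`, since the removal does not make them wrong.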
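Review bot: the "Using enriched fields" rewrite in hunk `@@ -393,11 +389,7 @@` drops the sentence stating that EQL, threshold and KQL rules operate on stored documents and cannot use `LOOKUP JOIN`, keeping only the ES|QL half. That limitation matters more after this change, not less, because those rule types previously fell back on ingest-time cache enrichment and now receive no host or user metadata at all. Keep a sentence to the effect of "Detection rules using EQL, threshold, or KQL operate on stored documents and cannot use `LOOKUP JOIN`; use ES|QL rules where enrichment is required", and consider a short "Upgrading from 3.x" section that names the removed options and the ECS fields that are no longer populated.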
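Review bot: the `version: "4.0.0"` bump in hunk `@@ -1,6 +1,6 @@` is justified by the removal of user-visible configuration and stored fields, but no `changelog.yml` change is in the visible diff; the 4.0.0 entry should be typed as a breaking change and enumerate the removed variables (`enrich_metadata`, `keep_metadata`, `metadata_ttl`, `metadata_cache_capacity`, `metadata_cache_write_interval`, `enrich_host_metadata`), the fact that aidmaster and userinfo documents are now always indexed, and the ECS and `crowdstrike.info.*` fields that ingest-time enrichment used to populate.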