diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index a29f3f21322..275ccc09166 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -374,6 +374,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix Cisco ASA parser for message 722051. {pull}24410[24410]
 - Fix `google_workspace` pagination. {pull}24668[24668]
 - Fix Cisco ASA parser for message 302022. {issue}24405[24405] {pull}24697[24697]
+- Fix Cisco AMP `@metadata._id` calculation {issue}24717[24717] {pull}24718[24718]
 - Fix gcp/vpcflow module error where input type was defaulting to file. {pull}24719[24719]
 - Fix date parsing in GSuite/login and Google Workspace/login filesets. {issue}24694[24694]
 - Fix date parsing in GSuite/login fileset. {issue}24694[24694]
diff --git a/x-pack/filebeat/module/cisco/amp/config/config.yml b/x-pack/filebeat/module/cisco/amp/config/config.yml
index bd5f93f7a90..47b061b4e4b 100644
--- a/x-pack/filebeat/module/cisco/amp/config/config.yml
+++ b/x-pack/filebeat/module/cisco/amp/config/config.yml
@@ -64,16 +64,16 @@ processors:
 - decode_json_fields:
 fields: [message]
 target: json
- - if:
- has_fields: ["json.data.detection_id"]
- then:
- - fingerprint:
- fields: ["json.data.detection_id"]
- target_field: "@metadata._id"
- else:
- - fingerprint:
- fields: ["json.data.timestamp", "json.data.timestamp_nanoseconds", "json.data.event_type_id", "json.data.connector_guid"]
- target_field: "@metadata._id"
+ - fingerprint:
+ fields:
+ - "json.data.timestamp"
+ - "json.data.timestamp_nanoseconds"
+ - "json.data.event_type_id"
+ - "json.data.connector_guid"
+ - "json.data.id"
+ - "json.data.detection_id"
+ target_field: "@metadata._id"
+ ignore_missing: true
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
index 4a602ba1c2b..6f6bb95e97a 100644
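Review bot: With `ignore_missing: true` on the new fingerprint processor, an event that arrives without `json.data.id` and `json.data.detection_id` (or one whose preceding `decode_json_fields` step failed, leaving no `json.*` fields at all) still receives an `@metadata._id`, built only from whichever of the six fields survive; two such events that agree on those leftovers collide on `_id` and the later one is silently overwritten at index time instead of being rejected with an error, which is exactly the kind of quiet event loss #24717 was about. The old `if/else` at least required `json.data.detection_id` to be present before trusting it as a key; the new flat list has no guard, and I would hedge that the all-fields-missing case presumably hashes an empty or constant input — confirm against the fingerprint processor before relying on it. The reason for folding six fields together is not obvious to the next reader either, since the cisco_amp4 fixture shows one `detection_id` shared by a "Threat Detected" and a "Threat Quarantined" event; a one-line comment above the processor would carry it: `# A single AMP detection_id is reused across its Detected/Quarantined events, so timestamp, event type, connector and id are folded in to keep @metadata._id unique (#24717).` If unkeyed events should be dropped rather than merged, a `drop_event` with a `when.not.has_fields` condition ahead of the fingerprint would make that policy explicit.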
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp1.ndjson.log-expected.json
@@ -179,6 +179,59 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-14T10:06:39.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "24:78:d8:fd:c4:75"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6533241347137077251",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "24:78:d8:fd:c4:75"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 657000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6533241347137077000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_AMP_Threat_Quarantined",
+ "host.name": "Demo_AMP_Threat_Quarantined",
+ "input.type": "log",
+ "log.offset": 3885,
+ "related.hash": [
+ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+ ],
+ "related.hosts": [
+ "Demo_AMP_Threat_Quarantined"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-14T10:05:52.000Z",
 "cisco.amp.computer.active": true,
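Review bot: `event.id` in the added expected documents is a JSON number that has already lost its low-order digits — `"event.id": 6533241347137077000` sits next to `"cisco.amp.detection_id": "6533241347137077251"` — because the value exceeds 2^53 and is being serialized through a double; the same truncation appears in every document added in this file and in the cisco_amp4 fixture (`6412680266518626000` for detection_ids ending ...316 to ...319). ECS `event.id` is a keyword, and an id that collapses several distinct AMP events onto one value defeats exactly the correlation and dedup that this change to `@metadata._id` is trying to restore. The pipeline that populates `event.id` is not in this diff; presumably it copies the AMP event id as a long, and it should carry it as a string so the fixture reads `"event.id": "6533241347137077251"` (confirm which source field it is taken from against the ingest pipeline).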
@@ -307,6 +360,128 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-14T10:05:52.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "24:78:d8:fd:c4:75"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.Overdrive.RET",
+ "cisco.amp.detection_id": "6533241145273614337",
+ "cisco.amp.event_type_id": 1090519054,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.file.parent.disposition": "Clean",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "24:78:d8:fd:c4:75"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 525000000,
+ "event.action": "Threat Detected",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6533241145273614000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+ "file.name": "BIT4BBF.tmp",
+ "file.path": "\\\\?\\C:\\BIT4BBF.tmp",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_AMP_Threat_Quarantined",
+ "host.name": "Demo_AMP_Threat_Quarantined",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
+ "input.type": "log",
+ "log.offset": 7800,
+ "process.hash.md5": "54a47f6b5e09a77e61649109c6a08866",
+ "process.hash.sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878",
+ "process.hash.sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2",
+ "process.name": "svchost.exe",
+ "process.pid": 896,
+ "related.hash": [
+ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+ ],
+ "related.hosts": [
+ "Demo_AMP_Threat_Quarantined"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-01-14T10:05:52.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "24:78:d8:fd:c4:75"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6533241145273614338",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "24:78:d8:fd:c4:75"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 619000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6533241145273614000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_AMP_Threat_Quarantined",
+ "host.name": "Demo_AMP_Threat_Quarantined",
+ "input.type": "log",
+ "log.offset": 9301,
+ "related.hash": [
+ "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+ ],
+ "related.hosts": [
+ "Demo_AMP_Threat_Quarantined"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-14T10:05:50.000Z",
 "cisco.amp.cloud_ioc.description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.",
@@ -1228,6 +1403,128 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-13T15:36:52.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "f9:65:da:22:2a:41"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.0B965CA8AF-95.SBX.TG",
+ "cisco.amp.detection_id": "6411132837046517762",
+ "cisco.amp.event_type_id": 553648147,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "f9:65:da:22:2a:41"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 684000000,
+ "event.action": "Retrospective Detection",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6411132837046518000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 3,
+ "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960",
+ "file.name": "11179468.exe",
+ "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_1",
+ "host.name": "Demo_Qakbot_1",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "input.type": "log",
+ "log.offset": 38602,
+ "related.hash": [
+ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_1"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-01-13T15:36:52.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "f9:65:da:22:2a:41"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.0B965CA8AF-95.SBX.TG",
+ "cisco.amp.detection_id": "6411132837046517761",
+ "cisco.amp.event_type_id": 553648147,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "f9:65:da:22:2a:41"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 682000000,
+ "event.action": "Retrospective Detection",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6411132837046518000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 3,
+ "file.hash.md5": "84b6f7be5370c1998886214790c6892b",
+ "file.hash.sha1": "5faebef3bb880489195e80e6656ccf442ff7123b",
+ "file.hash.sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960",
+ "file.name": "MspthrdHash.exe",
+ "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_1",
+ "host.name": "Demo_Qakbot_1",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "input.type": "log",
+ "log.offset": 39856,
+ "related.hash": [
+ "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960",
+ "84b6f7be5370c1998886214790c6892b",
+ "5faebef3bb880489195e80e6656ccf442ff7123b"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_1"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-13T10:37:33.000Z",
 "cisco.amp.computer.active": true,
@@ -1771,6 +2068,59 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2020-12-25T05:49:09.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "e6:44:a0:56:f3:9a"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6525520937264087041",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "e6:44:a0:56:f3:9a"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 661000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6525520937264087000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_AMP_Intel",
+ "host.name": "Demo_AMP_Intel",
+ "input.type": "log",
+ "log.offset": 53947,
+ "related.hash": [
+ "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"
+ ],
+ "related.hosts": [
+ "Demo_AMP_Intel"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2020-12-25T05:30:44.000Z",
 "cisco.amp.computer.active": true,
@@ -1844,6 +2194,59 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2020-12-25T05:30:44.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "e6:44:a0:56:f3:9a"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6525516191325224961",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "e6:44:a0:56:f3:9a"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 500000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6525516191325225000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_AMP_Intel",
+ "host.name": "Demo_AMP_Intel",
+ "input.type": "log",
+ "log.offset": 56674,
+ "related.hash": [
+ "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"
+ ],
+ "related.hosts": [
+ "Demo_AMP_Intel"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2020-12-25T05:30:41.000Z",
 "cisco.amp.cloud_ioc.description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.",
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json
index fb066a1b337..3fb89dbd615 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp4.ndjson.log-expected.json
@@ -228,6 +228,75 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-14T20:18:05.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "02:2f:e0:10:03:5d"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG",
+ "cisco.amp.detection_id": "6412680266518626319",
+ "cisco.amp.event_type_id": 1090519054,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.file.parent.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "02:2f:e0:10:03:5d"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 587000000,
+ "event.action": "Threat Detected",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6412680266518626000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "file.name": "28242311.exe",
+ "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_3",
+ "host.name": "Demo_Qakbot_3",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
+ "input.type": "log",
+ "log.offset": 4969,
+ "process.hash.md5": "b5ede95ec8bc4ad6984758be42b152bd",
+ "process.hash.sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64",
+ "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "process.name": "QuotaGroup.exe",
+ "process.pid": 7120,
+ "related.hash": [
+ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_3"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-14T20:18:05.000Z",
 "cisco.amp.computer.active": true,
@@ -295,6 +364,73 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-14T20:18:05.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "02:2f:e0:10:03:5d"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.E4FCCBFA69-95.SBX.TG",
+ "cisco.amp.detection_id": "6412680266518626317",
+ "cisco.amp.event_type_id": 1090519054,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.file.parent.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "02:2f:e0:10:03:5d"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 494000000,
+ "event.action": "Threat Detected",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6412680266518626000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "file.name": "28242311.exe",
+ "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_3",
+ "host.name": "Demo_Qakbot_3",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
+ "input.type": "log",
+ "log.offset": 7890,
+ "process.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "process.name": "28242311.exe",
+ "process.pid": 4788,
+ "related.hash": [
+ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_3"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-14T20:18:05.000Z",
"cisco.amp.computer.active": true, 
@@ -362,6 +498,112 @@
 "forwarded"
 ]
 },
+ {
+ "@timestamp": "2021-01-14T20:18:05.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "02:2f:e0:10:03:5d"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6412680266518626318",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "02:2f:e0:10:03:5d"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 587000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6412680266518626000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_3",
+ "host.name": "Demo_Qakbot_3",
+ "input.type": "log",
+ "log.offset": 10708,
+ "related.hash": [
+ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_3"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-01-14T20:18:05.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "02:2f:e0:10:03:5d"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection_id": "6412680266518626316",
+ "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "02:2f:e0:10:03:5d"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 494000000,
+ "event.action": "Threat Quarantined",
+ "event.category": [
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6412680266518626000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_Qakbot_3",
+ "host.name": "Demo_Qakbot_3",
+ "input.type": "log",
+ "log.offset": 11817,
+ "related.hash": [
+ "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+ ],
+ "related.hosts": [
+ "Demo_Qakbot_3"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
 {
 "@timestamp": "2021-01-14T19:29:11.000Z",
 "cisco.amp.computer.active": true,
@@ -1254,8 +1496,8 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201",
- "cisco.amp.detection_id": "6419303574240493595",
+ "cisco.amp.detection": "W32.2CA2D550E6-100.SBX.VIOC",
+ "cisco.amp.detection_id": "6419303574240493599",
 "cisco.amp.event_type_id": 1090519054,
 "cisco.amp.file.disposition": "Malicious",
 "cisco.amp.file.parent.disposition": "Malicious",
@@ -1265,7 +1507,7 @@
 "cisco.amp.related.mac": [
 "53:74:31:cb:37:50"
 ],
- "cisco.amp.timestamp_nanoseconds": 327000000,
+ "cisco.amp.timestamp_nanoseconds": 461000000,
 "event.action": "Threat Detected",
 "event.category": [
 "file",
@@ -1276,11 +1518,9 @@
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc",
- "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
- "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
- "file.name": "u.wnry",
- "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+ "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d",
+ "file.name": "taskse.exe",
+ "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
@@ -1288,14 +1528,12 @@
 "host.os.platform": "windows",
 "host.user.name": "user@testdomain.com",
 "input.type": "log",
- "log.offset": 34828,
+ "log.offset": 31923,
 "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
 "process.name": "tasksche.exe",
 "process.pid": 2920,
 "related.hash": [
- "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
- "7bf2b57f2a205768755c07f238fb32cc",
- "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+ "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1325,8 +1563,8 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201",
- "cisco.amp.detection_id": "6419303574240493594",
+ "cisco.amp.detection": "W32.4A468603FD.04426d77.auto.Talos",
+ "cisco.amp.detection_id": "6419303574240493597",
 "cisco.amp.event_type_id": 1090519054,
 "cisco.amp.file.disposition": "Malicious",
 "cisco.amp.file.parent.disposition": "Malicious",
@@ -1336,7 +1574,7 @@
 "cisco.amp.related.mac": [
 "53:74:31:cb:37:50"
 ],
- "cisco.amp.timestamp_nanoseconds": 313000000,
+ "cisco.amp.timestamp_nanoseconds": 430000000,
 "event.action": "Threat Detected",
 "event.category": [
 "file",
@@ -1347,11 +1585,9 @@
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc",
- "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
- "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
- "file.name": "@WanaDecryptor@.exe",
- "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe",
+ "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79",
+ "file.name": "taskdl.exe",
+ "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
@@ -1359,14 +1595,12 @@
 "host.os.platform": "windows",
 "host.user.name": "user@testdomain.com",
 "input.type": "log",
- "log.offset": 36357,
+ "log.offset": 33372,
 "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
 "process.name": "tasksche.exe",
 "process.pid": 2920,
 "related.hash": [
- "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
- "7bf2b57f2a205768755c07f238fb32cc",
- "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+ "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1396,18 +1630,21 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection_id": "6419303569945526290",
- "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201",
+ "cisco.amp.detection_id": "6419303574240493595",
+ "cisco.amp.event_type_id": 1090519054,
 "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.file.parent.disposition": "Malicious",
 "cisco.amp.group_guids": [
 "test_group_guid"
 ],
 "cisco.amp.related.mac": [
 "53:74:31:cb:37:50"
 ],
- "cisco.amp.timestamp_nanoseconds": 664000000,
- "event.action": "Threat Quarantined",
+ "cisco.amp.timestamp_nanoseconds": 327000000,
+ "event.action": "Threat Detected",
 "event.category": [
+ "file",
 "malware"
 ],
 "event.dataset": "cisco.amp",
@@ -1415,14 +1652,26 @@
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d",
+ "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc",
+ "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+ "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+ "file.name": "u.wnry",
+ "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
 "input.type": "log",
- "log.offset": 40152,
+ "log.offset": 34828,
+ "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+ "process.name": "tasksche.exe",
+ "process.pid": 2920,
 "related.hash": [
- "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+ "7bf2b57f2a205768755c07f238fb32cc",
+ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1431,6 +1680,9 @@
 "8.8.8.8",
 "10.10.10.10"
 ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
 "service.type": "cisco",
 "tags": [
 "cisco-amp",
@@ -1449,18 +1701,21 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection_id": "6419303569945526289",
- "cisco.amp.event_type_id": 553648143,
+ "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201",
+ "cisco.amp.detection_id": "6419303574240493594",
+ "cisco.amp.event_type_id": 1090519054,
 "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.file.parent.disposition": "Malicious",
 "cisco.amp.group_guids": [
 "test_group_guid"
 ],
 "cisco.amp.related.mac": [
 "53:74:31:cb:37:50"
 ],
- "cisco.amp.timestamp_nanoseconds": 664000000,
- "event.action": "Threat Quarantined",
+ "cisco.amp.timestamp_nanoseconds": 313000000,
+ "event.action": "Threat Detected",
 "event.category": [
+ "file",
 "malware"
 ],
 "event.dataset": "cisco.amp",
@@ -1468,14 +1723,26 @@
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79",
+ "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc",
+ "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+ "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+ "file.name": "@WanaDecryptor@.exe",
+ "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
 "input.type": "log",
- "log.offset": 41272,
+ "log.offset": 36357,
+ "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+ "process.name": "tasksche.exe",
+ "process.pid": 2920,
 "related.hash": [
- "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+ "7bf2b57f2a205768755c07f238fb32cc",
+ "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1484,6 +1751,9 @@
 "8.8.8.8",
 "10.10.10.10"
 ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
 "service.type": "cisco",
 "tags": [
 "cisco-amp",
@@ -1502,7 +1772,7 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection_id": "6419303565650558983",
+ "cisco.amp.detection_id": "6419303574240493595",
 "cisco.amp.event_type_id": 553648143,
 "cisco.amp.file.disposition": "Malicious",
 "cisco.amp.group_guids": [
@@ -1521,14 +1791,14 @@
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+ "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 42392,
+ "log.offset": 37912,
 "related.hash": [
- "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1544,7 +1814,7 @@
 ]
 },
 {
- "@timestamp": "2021-01-14T19:29:10.000Z",
+ "@timestamp": "2021-01-14T19:29:11.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
 "cisco.amp.computer.external_ip": "8.8.8.8",
@@ -1555,10 +1825,8 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection_id": "6419303565650558982",
- "cisco.amp.error.description": "Delete pending",
- "cisco.amp.error.error_code": 3221225558,
- "cisco.amp.event_type_id": 2164260880,
+ "cisco.amp.detection_id": "6419303574240493594",
+ "cisco.amp.event_type_id": 553648143,
 "cisco.amp.file.disposition": "Malicious",
 "cisco.amp.group_guids": [
 "test_group_guid"
@@ -1566,24 +1834,24 @@
 "cisco.amp.related.mac": [
 "53:74:31:cb:37:50"
 ],
- "cisco.amp.timestamp_nanoseconds": 782000000,
- "event.action": "Quarantine Failure",
+ "cisco.amp.timestamp_nanoseconds": 664000000,
+ "event.action": "Threat Quarantined",
 "event.category": [
 "malware"
 ],
 "event.dataset": "cisco.amp",
- "event.id": 6419303569945526000,
+ "event.id": 6419303574240494000,
 "event.kind": "alert",
 "event.module": "cisco",
 "event.severity": 2,
- "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+ "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
 "fileset.name": "amp",
 "host.hostname": "Demo_WannaCry_Ransomware",
 "host.name": "Demo_WannaCry_Ransomware",
 "input.type": "log",
- "log.offset": 43512,
+ "log.offset": 39032,
 "related.hash": [
- "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
 ],
 "related.hosts": [
 "Demo_WannaCry_Ransomware"
@@ -1599,7 +1867,7 @@
 ]
 },
 {
- "@timestamp": "2021-01-14T19:29:10.000Z",
+ "@timestamp": "2021-01-14T19:29:11.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
 "cisco.amp.computer.external_ip": "8.8.8.8",
@@ -1610,10 +1878,8 @@
 }
 ],
 "cisco.amp.connector_guid": "test_connector_guid",
- "cisco.amp.detection_id": "6419303565650558980",
- "cisco.amp.error.description": "Delete pending",
- "cisco.amp.error.error_code": 3221225558,
- "cisco.amp.event_type_id": 2164260880,
+ "cisco.amp.detection_id": "6419303569945526290",
+ "cisco.amp.event_type_id": 553648143,
 "cisco.amp.file.disposition": "Malicious",
 "cisco.amp.group_guids": [
 "test_group_guid"
@@ -1621,24 +1887,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 44698, + "log.offset": 40152, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1654,7 +1920,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1665,10 +1931,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558979", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1676,24 +1940,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 45884, + "log.offset": 41272, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1709,7 +1973,7 @@ ] }, { - "@timestamp": "2021-01-14T19:29:10.000Z", + "@timestamp": "2021-01-14T19:29:11.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -1720,10 +1984,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558978", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -1731,24 +1993,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 664000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419303569945526000, + "event.id": 6419303574240494000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 47070, + "log.offset": 42392, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1775,8 +2037,10 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558981", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection_id": "6419303565650558982", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1785,7 +2049,7 @@ "53:74:31:cb:37:50" ], "cisco.amp.timestamp_nanoseconds": 782000000, - "event.action": "Threat Quarantined", + "event.action": "Quarantine Failure", "event.category": [ "malware" ], @@ -1799,7 +2063,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 51525, + "log.offset": 43512, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1828,8 +2092,10 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419303565650558977", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1838,7 +2104,7 @@ "53:74:31:cb:37:50" ], "cisco.amp.timestamp_nanoseconds": 751000000, - "event.action": "Threat Quarantined", + "event.action": "Quarantine Failure", "event.category": [ "malware" ], @@ -1852,7 +2118,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 52645, + "log.offset": 44698, "related.hash": [ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], 
@@ -1870,38 +2136,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:32.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648130, + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" ], - "cisco.amp.timestamp_nanoseconds": 199000000, - "event.action": "Policy Update", "event.dataset": "cisco.amp", - "event.id": 6412662859016176000, + "event.id": 6419303569945526000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 65285, + "log.offset": 45884, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -1914,38 +2191,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:31.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.event_type_id": 553648130, + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" ], - "cisco.amp.timestamp_nanoseconds": 856000000, - "event.action": "Policy Update", "event.dataset": "cisco.amp", - "event.id": 6412662854721208000, + "event.id": 6419303569945526000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 0, + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 66208, + "log.offset": 47070, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -1958,49 +2246,2038 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T19:29:10.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241035", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.2CA2D550E6-100.SBX.VIOC", + "cisco.amp.detection_id": "6419303569945526290", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 580000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "8495400f199ac77853c53b5a3f278f3e", + "file.hash.sha1": "be5d6279874da315e3080b06083757aad9b32c23", + "file.hash.sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "file.name": "taskse.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 48256, + "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + 
"process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d", + "8495400f199ac77853c53b5a3f278f3e", + "be5d6279874da315e3080b06083757aad9b32c23" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.4A468603FD.04426d77.auto.Talos", + "cisco.amp.detection_id": "6419303569945526289", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 564000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "4fef5e34143e646dbf9907c4374276f5", + "file.hash.sha1": "47a9ad4125b6bd7c55e4e7da251e23f089407b8f", + "file.hash.sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "file.name": "taskdl.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": 
"windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 49887, + "process.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "process.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2920, + "related.hash": [ + "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79", + "4fef5e34143e646dbf9907c4374276f5", + "47a9ad4125b6bd7c55e4e7da251e23f089407b8f" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 782000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 51525, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:10.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303569945526000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 52645, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": 
"test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558984", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 791000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 53765, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", 
+ "cisco.amp.detection_id": "6419303565650558983", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 783000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 55136, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558982", + 
"cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 727000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 56507, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 7144, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558981", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 721000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 58030, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 7144, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": 
"10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558980", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 646000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 59553, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419303565650558979", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 504000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 60814, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419303565650558978", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 426000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + 
"event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 62075, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 768, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:29:09.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419303565650558977", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + 
"cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 399000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419303565650559000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 63680, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 768, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 199000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662859016176000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 65285, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:31.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.event_type_id": 553648130, + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 856000000, + "event.action": "Policy Update", + "event.dataset": "cisco.amp", + "event.id": 6412662854721208000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 0, + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 66208, + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + 
"mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241035", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 233000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 67131, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": 
"Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 68332, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 69533, + "related.hash": [ + 
"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241035", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "el2j9fcqj.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 70734, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241034", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "kepv86368.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 71990, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T19:10:30.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", + "cisco.amp.detection_id": "6412662850426241033", + "cisco.amp.event_type_id": 553648147, + 
"cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 218000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412662850426241000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "uqlq0o884.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73246, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 
6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 74502, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:55.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-95.SBX.TG", + "cisco.amp.detection_id": "6419281601187807332", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281601187807000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
+ "input.type": "log", + "log.offset": 75695, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 396000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": 
"Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 77209, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T18:03:52.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419281588302905443", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 927000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419281588302905000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 78808, + 
"related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 79928, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 81129, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Quarantine", + 
"event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 82330, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068995", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "igvj$vN.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + 
"log.offset": 83443, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068994", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "6951045.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 84690, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:51:19.000Z", + "cisco.amp.computer.active": true, + 
"cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "Auto.BAC7BC5281.in10.tht.Talos", + "cisco.amp.detection_id": "6411538569722068993", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 495000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411538569722069000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "dc41e47ebba549ec5e616ed9e88a0376", + "file.hash.sha1": "99fffe78e0cbd7b508eed13a8633903dd89ed5f1", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 85948, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "dc41e47ebba549ec5e616ed9e88a0376", + "99fffe78e0cbd7b508eed13a8633903dd89ed5f1" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": 
"10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 87312, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, 
+ "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 88505, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 89691, + "related.hash": [ + 
"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], - "cisco.amp.timestamp_nanoseconds": 233000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 297000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 67131, + "log.offset": 90884, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_3" 
+ "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -2013,49 +4290,214 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241034", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 218000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 68332, + "log.offset": 92070, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + 
"related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 93256, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + 
"cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 94442, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:51.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", + "event.category": [ 
+ "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275399255032000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 95628, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
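Review bot: The four records added in this hunk (detection_id …064605, …064607, …064604, …064603) all carry `"event.id": 6419275399255032000`, a value rounded to 17 significant digits and shared across distinct alerts, so whichever source field feeds event.id has lost precision before it reached the fixture. ECS defines event.id as a keyword, and the sibling `cisco.amp.detection_id` shows the exact-string form works, so the pipeline should copy the source id as a string rather than a number; the conversion itself is outside this diff (presumably the JSON decode of the numeric `id` into a float64, which also feeds the new `json.data.id` fingerprint field). As it stands, any dedup, join or pivot on event.id conflates separate detections, which is the same class of collision this PR is fixing for `@metadata._id`. This file is generated, so the fix belongs in the fileset config or ingest pipeline and the expected output should then be regenerated to show distinct string ids.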
@@ -2068,49 +4510,49 @@ ] }, { - "@timestamp": "2021-01-14T19:10:30.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "02:2f:e0:10:03:5d" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412662850426241033", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "02:2f:e0:10:03:5d" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 218000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6412662850426241000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_3", - "host.name": "Demo_Qakbot_3", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 69533, + "log.offset": 96814, "related.hash": [ - "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
"related.hosts": [ - "Demo_Qakbot_3" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", @@ -2123,7 +4565,7 @@ ] }, { - "@timestamp": "2021-01-14T18:03:55.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2134,9 +4576,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419281601187807332", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -2145,24 +4587,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 891000000, + "cisco.amp.timestamp_nanoseconds": 281000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419281601187807000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 74502, + "log.offset": 98000, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -2178,7 +4620,7 @@
 ]
 },
 {
- "@timestamp": "2021-01-14T18:03:52.000Z",
+ "@timestamp": "2021-01-14T17:39:51.000Z",
 "cisco.amp.computer.active": true,
 "cisco.amp.computer.connector_guid": "test_connector_guid",
 "cisco.amp.computer.external_ip": "8.8.8.8",
@@ -2189,50 +4631,35 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6419281588302905443", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 396000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419281588302905000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 77209, - "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", - "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", - "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", - "process.name": "lsass.exe", - "process.pid": 708, + "log.offset": 99186, "related.hash": [ - 
"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2241,9 +4668,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2251,49 +4675,49 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068995", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, + "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 79928, + "log.offset": 100372, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
"related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -2306,54 +4730,68 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068994", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031906", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 812000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 81129, + "log.offset": 101558, + "process.hash.md5": "ad7b9c14083b52bc532fba5948342b98", + "process.hash.sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5", + "process.hash.sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae", + "process.name": "cmd.exe", + "process.pid": 3200, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2361,52 +4799,70 @@ ] }, { - "@timestamp": "2021-01-14T17:51:19.000Z", + "@timestamp": "2021-01-14T17:39:51.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411538569722068993", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031905", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 495000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 235000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411538569722069000, + "event.id": 6419275399255032000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 3, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", 
"input.type": "log", - "log.offset": 82330, + "log.offset": 103091, + "process.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "process.name": "tasksche.exe", + "process.pid": 2708, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2425,10 +4881,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031906", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275399255031904", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2436,9 +4891,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 812000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 172000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -2447,11 +4903,16 @@ "event.module": "cisco", "event.severity": 2, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 87312, + "log.offset": 104633, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2462,6 +4923,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2480,10 +4944,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031905", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2491,8 +4953,8 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 281000000, + "event.action": "Threat Quarantined", "event.category": [ "malware" ], @@ -2506,7 +4968,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 88505, + "log.offset": 105894, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -2524,7 +4986,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2535,9 +4997,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275399255031904", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.error.description": "Delete pending", + "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -2546,13 +5008,13 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, + "cisco.amp.timestamp_nanoseconds": 423000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, @@ -2561,7 +5023,7 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 89691, + "log.offset": 107014, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -2579,7 +5041,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2590,7 +5052,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.detection_id": "6419275394960064596", "cisco.amp.error.description": "Delete pending", "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, 
@@ -2601,24 +5063,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 297000000, + "cisco.amp.timestamp_nanoseconds": 377000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 90884, + "log.offset": 108200, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2634,7 +5096,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2645,7 +5107,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.detection_id": "6419275394960064594", "cisco.amp.error.description": "Delete pending", "cisco.amp.error.error_code": 3221225558, "cisco.amp.event_type_id": 2164260880, 
@@ -2656,24 +5118,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, + "cisco.amp.timestamp_nanoseconds": 33000000, "event.action": "Quarantine Failure", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 92070, + "log.offset": 109386, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2689,7 +5151,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2700,10 +5162,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064607", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064606", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2711,24 +5172,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 93256, + "log.offset": 110571, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2737,6 +5208,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2744,7 +5218,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2755,10 +5229,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064604", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064605", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2766,24 +5239,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 94442, + "log.offset": 111942, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2792,6 +5275,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2799,7 +5285,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2810,10 +5296,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064603", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064607", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2821,24 +5306,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 907000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 95628, + "log.offset": 113313, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2847,6 +5342,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2854,7 +5352,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2865,10 +5363,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064602", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064604", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2876,24 +5373,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 891000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 96814, + "log.offset": 114684, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2902,6 +5409,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -2909,7 +5419,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -2920,10 +5430,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064601", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064603", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -2931,24 +5440,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 876000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 98000, + "log.offset": 116055, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -2957,6 +5476,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2964,7 +5486,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -2975,10 +5497,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064598", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064602", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -2986,24 +5507,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 845000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 99186, + "log.offset": 117426, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3012,6 +5543,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3019,7 +5553,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -3030,10 +5564,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064600", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064601", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -3041,24 +5574,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 798000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 100372, + "log.offset": 118797, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3067,6 +5610,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -3074,7 +5620,7 @@ ] }, { - "@timestamp": "2021-01-14T17:39:51.000Z", + "@timestamp": "2021-01-14T17:39:50.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -3085,8 +5631,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064599", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064598", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3094,24 +5641,34 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 281000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 767000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275399255032000, + "event.id": 6419275394960065000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 105894, + "log.offset": 120168, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3120,6 +5677,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3138,10 +5698,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064597", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064600", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3149,9 +5708,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 423000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 751000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3159,14 +5719,23 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 107014, + "log.offset": 121539, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -3175,6 +5744,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -3193,10 +5765,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064596", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064599", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -3204,9 +5775,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 377000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 735000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3214,14 +5786,23 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 108200, + "log.offset": 122910, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -3230,6 +5811,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -3248,20 +5832,21 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419275394960064594", - "cisco.amp.error.description": "Delete pending", - "cisco.amp.error.error_code": 3221225558, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419275394960064597", + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 33000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 423000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -3269,14 +5854,22 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 109386, + "log.offset": 124281, + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 6404, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -3285,6 +5878,9 @@ "8.8.8.8", "10.10.10.10" ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
"service.type": "cisco", "tags": [ "cisco-amp",
diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
index 546e93300ef..7f5499ebf3c 100644
--- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp5.ndjson.log-expected.json
@@ -180,6 +180,69 @@ "forwarded" ] },
+ {
+ "@timestamp": "2021-01-14T17:39:49.000Z",
+ "cisco.amp.computer.active": true,
+ "cisco.amp.computer.connector_guid": "test_connector_guid",
+ "cisco.amp.computer.external_ip": "8.8.8.8",
+ "cisco.amp.computer.network_addresses": [
+ {
+ "ip": "10.10.10.10",
+ "mac": "53:74:31:cb:37:50"
+ }
+ ],
+ "cisco.amp.connector_guid": "test_connector_guid",
+ "cisco.amp.detection": "W32.File.MalParent",
+ "cisco.amp.detection_id": "6419275390665097297",
+ "cisco.amp.event_type_id": 1090519054,
+ "cisco.amp.file.disposition": "Malicious",
+ "cisco.amp.group_guids": [
+ "test_group_guid"
+ ],
+ "cisco.amp.related.mac": [
+ "53:74:31:cb:37:50"
+ ],
+ "cisco.amp.timestamp_nanoseconds": 831000000,
+ "event.action": "Threat Detected",
+ "event.category": [
+ "file",
+ "malware"
+ ],
+ "event.dataset": "cisco.amp",
+ "event.id": 6419275390665097000,
+ "event.kind": "alert",
+ "event.module": "cisco",
+ "event.severity": 2,
+ "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+ "file.name": "mssecsvc.exe",
+ "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+ "fileset.name": "amp",
+ "host.hostname": "Demo_WannaCry_Ransomware",
+ "host.name": "Demo_WannaCry_Ransomware",
+ "host.os.family": "windows",
+ "host.os.platform": "windows",
+ "host.user.name": "user@testdomain.com",
+ "input.type": "log",
+ "log.offset": 3893,
+ "related.hash": [
+ "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+ ],
+ "related.hosts": [
+ "Demo_WannaCry_Ransomware"
+ ],
+ "related.ip": [
+ "8.8.8.8",
+ "10.10.10.10"
+ ],
+ "related.user": [
+ "user@testdomain.com"
+ ],
+ "service.type": "cisco",
+ "tags": [
+ "cisco-amp",
+ "forwarded"
+ ]
+ },
{ "@timestamp": "2021-01-14T17:39:49.000Z", "cisco.amp.computer.active": true, 
@@ -196,46 +259,694 @@ "cisco.amp.detection_id": "6419275390665097296", "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", - "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 706000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 5147, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": 
"test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419275390665097295", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 643000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 6745, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + 
"user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T17:39:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419275390665097296", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 721000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419275390665097000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 8343, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 
3221225524, + "cisco.amp.event_type_id": 2164260880, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Quarantine Failure", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 9463, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484105", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 214000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": 
"8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 10645, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 183000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": 
"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 12021, + "related.hash": [ + "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:59:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411525251028484104", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 698000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411525251028484000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "input.type": "log", + "log.offset": 13397, + "related.hash": [ + 
"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 14506, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 779000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 15718, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + 
"cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 16930, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648155, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Quarantine", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264043361501000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 
18142, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:47.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419264043361501262", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 706000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Retrospective Detection", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419275390665097000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", - "host.user.name": 
"user@testdomain.com", "input.type": "log", - "log.offset": 5147, - "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", - "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", - "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", - "process.name": "lsass.exe", - "process.pid": 708, + "log.offset": 19266, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -244,9 +955,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -254,49 +962,57 @@ ] }, { - "@timestamp": "2021-01-14T16:59:38.000Z", + "@timestamp": "2021-01-14T16:55:47.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6411525251028484105", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260880, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419264043361501261", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 698000000, - "event.action": "Quarantine Failure", + "cisco.amp.timestamp_nanoseconds": 872000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411525251028484000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", + "event.severity": 3, + "file.hash.md5": "7bf2b57f2a205768755c07f238fb32cc", + "file.hash.sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10", + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "@WanaDecryptor@.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + 
"host.os.platform": "windows", "input.type": "log", - "log.offset": 9463, + "log.offset": 20509, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "7bf2b57f2a205768755c07f238fb32cc", + "45356a9dd616ed7161a3b9192e2f318d0ab5ad10" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", 
@@ -309,66 +1025,58 @@ ] }, { - "@timestamp": "2021-01-14T16:59:38.000Z", + "@timestamp": "2021-01-14T16:55:47.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "f9:65:da:22:2a:41" + "mac": "53:74:31:cb:37:50" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.File.MalParent", - "cisco.amp.detection_id": "6411525251028484104", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419229331435814969", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "f9:65:da:22:2a:41" + "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 183000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 763000000, + "event.action": "Retrospective Detection", "event.category": [ "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6411525251028484000, + "event.id": 6419264043361501000, "event.kind": "alert", "event.module": "cisco", - "event.severity": 2, - "file.hash.md5": "6894b3834bd541fa85df79e44568acac", - "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", - "file.hash.sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", - "file.name": "MspthrdHash.exe", - "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "event.severity": 3, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", - "host.hostname": "Demo_Qakbot_1", - "host.name": "Demo_Qakbot_1", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", 
"host.os.family": "windows", "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 12021, + "log.offset": 21869, "related.hash": [ - "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff", - "6894b3834bd541fa85df79e44568acac", - "8cf0ca99a8f5019d8583133b9a9379299c45470c" + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], "related.hosts": [ - "Demo_Qakbot_1" + "Demo_WannaCry_Ransomware" ], "related.ip": [ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -387,10 +1095,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264043361501262", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Ransom:Gen.20gl.1201", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -398,9 +1105,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 716000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -409,11 +1117,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.name": "u.wnry", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 14506, + "log.offset": 23112, "related.hash": [ "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" ], @@ -431,7 +1143,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -442,9 +1154,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229331435814969", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.error.description": "Cannot delete", + "cisco.amp.error.error_code": 3221225761, "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ 
@@ -453,24 +1165,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 779000000, + "cisco.amp.timestamp_nanoseconds": 718000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 15718, + "log.offset": 24355, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -486,7 +1198,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -497,10 +1209,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419204905956802579", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648155, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -508,24 +1218,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 716000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 765000000, + "event.action": "Retrospective Quarantine", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 16930, + "log.offset": 25559, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -541,7 +1251,7 @@ ] }, { - "@timestamp": "2021-01-14T16:55:47.000Z", + "@timestamp": "2021-01-14T16:55:46.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", @@ -552,8 +1262,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264043361501261", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419264039066533964", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" 
@@ -561,24 +1272,96 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 749000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264043361501000, + "event.id": 6419264039066534000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "file.hash.md5": "54a116ff80df6e6031059fc3036464df", + "file.hash.sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 18142, + "log.offset": 26683, "related.hash": [ - "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T16:55:46.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229322845880359", + 
"cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 702000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419264039066534000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "54a116ff80df6e6031059fc3036464df", + "file.hash.sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 28003, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "54a116ff80df6e6031059fc3036464df", + "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -594,49 +1377,49 @@ ] }, { - "@timestamp": "2021-01-14T16:55:46.000Z", + "@timestamp": "2021-01-14T16:35:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "53:74:31:cb:37:50" + "mac": "02:2f:e0:10:03:5d" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229322845880359", - "cisco.amp.error.description": "Cannot delete", - "cisco.amp.error.error_code": 3221225761, + "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "53:74:31:cb:37:50" + "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 718000000, + "cisco.amp.timestamp_nanoseconds": 729000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264039066534000, + "event.id": 6412622782676337000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "fileset.name": "amp", - "host.hostname": "Demo_WannaCry_Ransomware", - "host.name": "Demo_WannaCry_Ransomware", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 24355, + "log.offset": 29323, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "related.hosts": [ - "Demo_WannaCry_Ransomware" + "Demo_Qakbot_3" ], "related.ip": [ "8.8.8.8", 
@@ -649,47 +1432,49 @@ ] }, { - "@timestamp": "2021-01-14T16:55:46.000Z", + "@timestamp": "2021-01-14T16:35:01.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", "cisco.amp.computer.network_addresses": [ { "ip": "10.10.10.10", - "mac": "53:74:31:cb:37:50" + "mac": "02:2f:e0:10:03:5d" } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419264039066533964", - "cisco.amp.event_type_id": 553648155, + "cisco.amp.detection_id": "6412622782676336647", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ - "53:74:31:cb:37:50" + "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 765000000, - "event.action": "Retrospective Quarantine", + "cisco.amp.timestamp_nanoseconds": 729000000, + "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419264039066534000, + "event.id": 6412622782676337000, "event.kind": "alert", "event.module": "cisco", "event.severity": 3, - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", "fileset.name": "amp", - "host.hostname": "Demo_WannaCry_Ransomware", - "host.name": "Demo_WannaCry_Ransomware", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 25559, + "log.offset": 30524, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], "related.hosts": [ - "Demo_WannaCry_Ransomware" + "Demo_Qakbot_3" ], "related.ip": [ "8.8.8.8", 
@@ -713,7 +1498,7 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6412622782676336648", + "cisco.amp.detection_id": "6412622782676336646", "cisco.amp.error.description": "Object name not found", "cisco.amp.error.error_code": 3221225524, "cisco.amp.event_type_id": 2164260893, @@ -724,7 +1509,7 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 729000000, + "cisco.amp.timestamp_nanoseconds": 713000000, "event.action": "Retrospective Quarantine Attempt Failed", "event.category": [ "malware" @@ -739,7 +1524,7 @@ "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", "input.type": "log", - "log.offset": 29323, + "log.offset": 31725, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -768,10 +1553,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", "cisco.amp.detection_id": "6412622782676336647", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -779,9 +1563,10 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 729000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -790,11 +1575,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "kepv86368.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe", "fileset.name": "amp", "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 30524, + "log.offset": 32926, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], @@ -823,10 +1612,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D177E09A9A-95.SBX.TG", "cisco.amp.detection_id": "6412622782676336646", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -834,9 +1622,10 @@ "cisco.amp.related.mac": [ "02:2f:e0:10:03:5d" ], - "cisco.amp.timestamp_nanoseconds": 713000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 198000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", @@ -845,11 +1634,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "uqlq0o884.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe", "fileset.name": "amp", "host.hostname": "Demo_Qakbot_3", "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 31725, + "log.offset": 34182, "related.hash": [ "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" ], 
@@ -1241,7 +2034,176 @@ "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "input.type": "log", - "log.offset": 69603, + "log.offset": 69603, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419229327140847665", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 686000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 70815, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": 
"2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204897366867977", + "cisco.amp.error.description": "Object name not found", + "cisco.amp.error.error_code": 3221225524, + "cisco.amp.event_type_id": 2164260893, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 639000000, + "event.action": "Retrospective Quarantine Attempt Failed", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 72027, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T15:50:23.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.event_type_id": 
553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419247189909832000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 73239, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1270,10 +2232,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419229327140847665", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1281,9 +2242,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 686000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 888000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
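Review bot: The new expected events in this hunk carry `event.id` as a JSON number that has visibly been rounded to double precision — `"event.id": 6419247189909832000` appears on three consecutive added events whose `cisco.amp.detection_id` values differ (`6419229327140847665`, `6419204897366867977`, `6419247189909831755`), while `cisco.amp.detection_id` itself is correctly kept as a string. A 19-digit identifier exceeds 2^53 and cannot survive an IEEE 754 round-trip, so either the pipeline or the fixture dump is truncating it; an identifier that collapses to the same value for distinct events is not usable as an id, and the fixtures are locking that behaviour in. This is relevant to the `@metadata._id` fix this commit is about: if `json.data.id` is decoded to a float64 before the fingerprint processor hashes it, distinct events with nearby ids could produce the same `@metadata._id` and be dropped as duplicates on ingest — worth confirming against the JSON decode step rather than assuming. The same rounded `event.id` pattern recurs in every added event in this file and in cisco_amp6.ndjson.log-expected.json (e.g. `6412604589194871000`, `6419214500913742000`).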
@@ -1292,11 +2254,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 70815, + "log.offset": 74476, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1325,10 +2291,9 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection_id": "6419204897366867977", - "cisco.amp.error.description": "Object name not found", - "cisco.amp.error.error_code": 3221225524, - "cisco.amp.event_type_id": 2164260893, + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1336,9 +2301,10 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 639000000, - "event.action": "Retrospective Quarantine Attempt Failed", + "cisco.amp.timestamp_nanoseconds": 873000000, + "event.action": "Retrospective Detection", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", 
@@ -1347,11 +2313,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "qeriuwjhrf", + "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", "input.type": "log", - "log.offset": 72027, + "log.offset": 75732, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1381,7 +2351,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831755", + "cisco.amp.detection_id": "6419229327140847658", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1390,7 +2360,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, + "cisco.amp.timestamp_nanoseconds": 732000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1410,7 +2380,7 @@ "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 73239, + "log.offset": 76965, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1440,7 +2410,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831754", + "cisco.amp.detection_id": "6419204897366867969", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1449,7 +2419,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 888000000, + "cisco.amp.timestamp_nanoseconds": 717000000, "event.action": "Retrospective Detection", "event.category": [ "file", 
@@ -1462,14 +2432,14 @@ "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "file.name": "tasksche.exe", - "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 74476, + "log.offset": 78202, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], @@ -1499,7 +2469,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419247189909831753", + "cisco.amp.detection_id": "6419179204872503298", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1508,7 +2478,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 873000000, + "cisco.amp.timestamp_nanoseconds": 686000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1520,15 +2490,15 @@ "event.module": "cisco", "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", - "file.name": "qeriuwjhrf", - "file.path": "\\\\?\\C:\\Windows\\qeriuwjhrf", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 75732, + "log.offset": 79439, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1558,7 +2528,7 @@ ], "cisco.amp.connector_guid": "test_connector_guid", "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", - "cisco.amp.detection_id": "6419229327140847658", + "cisco.amp.detection_id": "6419204897366867977", "cisco.amp.event_type_id": 553648147, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ @@ -1567,7 +2537,7 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 732000000, + "cisco.amp.timestamp_nanoseconds": 639000000, "event.action": "Retrospective Detection", "event.category": [ "file", @@ -1580,14 +2550,14 @@ "event.severity": 3, "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "file.name": "tasksche.exe", - "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", "host.os.family": "windows", "host.os.platform": "windows", "input.type": "log", - "log.offset": 76965, + "log.offset": 80676, "related.hash": [ "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], 
@@ -1659,6 +2629,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6412604589194870787", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 573000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "32c9e6737dbdcbfb7563a3f27e2b1571", + "file.hash.sha1": "f5a171c879b90e77861daf19741b373646d791ff", + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "file.name": "QuotaGroup.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 83114, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "32c9e6737dbdcbfb7563a3f27e2b1571", + "f5a171c879b90e77861daf19741b373646d791ff" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:24:25.000Z", 
"cisco.amp.computer.active": true, @@ -1787,6 +2824,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:24:25.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "02:2f:e0:10:03:5d" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6412604589194870785", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "02:2f:e0:10:03:5d" + ], + "cisco.amp.timestamp_nanoseconds": 994000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6412604589194871000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_3", + "host.name": "Demo_Qakbot_3", + "input.type": "log", + "log.offset": 87059, + "related.hash": [ + "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446" + ], + "related.hosts": [ + "Demo_Qakbot_3" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:18:49.000Z", "cisco.amp.computer.active": true, 
@@ -1842,6 +2932,75 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T15:18:49.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419239055241773128", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 242000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419239055241773000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 89361, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": 
"cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T15:18:48.000Z", "cisco.amp.computer.active": true, diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json index 2dcd9193111..a8bcab1df6e 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp6.ndjson.log-expected.json 
@@ -1024,6 +1024,79 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T14:41:03.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Gen.20gl.1201", + "cisco.amp.detection_id": "6419229322845880359", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Clean", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 950000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419229322845880000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 21793, + "process.hash.md5": "4e568dbe3fff1a0025eb432dc929b78f", + "process.hash.sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf", + "process.hash.sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71", + "process.name": "lsass.exe", + "process.pid": 708, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + 
"e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T14:37:40.000Z", "cisco.amp.computer.active": true, 
@@ -1187,6 +1260,187 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056775", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "qYf.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 26906, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056774", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "4191700.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 28140, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T14:37:40.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.DD6D4FEDD3-100.SBX.TG", + "cisco.amp.detection_id": "6411488666497056773", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 398000000, + "event.action": "Retrospective Detection", 
+ "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411488666497057000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "6894b3834bd541fa85df79e44568acac", + "file.hash.sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c", + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 29393, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "6894b3834bd541fa85df79e44568acac", + "8cf0ca99a8f5019d8583133b9a9379299c45470c" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T14:09:00.000Z", "cisco.amp.cloud_ioc.description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.", 
@@ -1299,6 +1553,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:46:00.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "df:d1:ed:2d:c8:fc" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.D5221F6847-100.SBX.TG", + "cisco.amp.detection_id": "6264772016730013699", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "df:d1:ed:2d:c8:fc" + ], + "cisco.amp.timestamp_nanoseconds": 65000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6264772016730014000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "48a0bf05b9706a00d2a0ff6260412f11", + "file.hash.sha1": "5058b16a86beee96927371210b9a9f682976a50a", + "file.hash.sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "file.name": "report.pdf.exe", + "file.path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Low_Prev_Retro", + "host.name": "Demo_Low_Prev_Retro", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 33628, + "related.hash": [ + "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b", + "48a0bf05b9706a00d2a0ff6260412f11", + "5058b16a86beee96927371210b9a9f682976a50a" + ], + "related.hosts": [ + "Demo_Low_Prev_Retro" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:45:59.000Z", "cisco.amp.computer.active": true, 
@@ -1413,6 +1730,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741862", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 366000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 37453, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:43:32.000Z", 
"cisco.amp.computer.active": true, 
@@ -1632,9 +2016,140 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", - "cisco.amp.detection_id": "6419214500913741857", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741857", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 178000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 43279, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + 
"cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", + "cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 163000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419214500913742000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "file.name": "mssecsvc.exe", + "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 44631, + "related.hash": [ + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "db349b97c37d22f5ea1d1841e3c89eb4", + "e889544aff85ffaf8b0d0da705105dee7c97fe26" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:43:32.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + 
"cisco.amp.detection_id": "6419214500913741856", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1642,10 +2157,9 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 178000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 709000000, + "event.action": "Threat Quarantined", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", @@ -1653,23 +2167,14 @@ "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "\\\\?\\C:\\Windows\\mssecsvc.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.os.family": "windows", - "host.os.platform": "windows", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 43279, + "log.offset": 45976, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1678,9 +2183,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -1688,7 +2190,7 @@ ] }, { - "@timestamp": "2021-01-14T13:43:32.000Z", + "@timestamp": "2021-01-14T13:43:30.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
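Review bot: The top of the hunk beginning at `@@ -1632,9 +2016,140 @@` removes and re-adds three lines (`"cisco.amp.detection"`, `"cisco.amp.detection_id"`, `"cisco.amp.event_type_id"`) that read as byte-identical here, which usually means an invisible difference such as trailing whitespace or indentation drift in the regenerated fixture. If that is the case, re-dumping the expected file with the same formatter as the rest of the file would keep the diff limited to the events that actually changed and make the `@metadata._id` effect on the fixture easier to review.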
@@ -1699,9 +2201,8 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", - "cisco.amp.detection": "W32.24D004A104-100.SBX.TG", - "cisco.amp.detection_id": "6419214500913741856", - "cisco.amp.event_type_id": 1090519054, + "cisco.amp.detection_id": "6419214488028839966", + "cisco.amp.event_type_id": 553648143, "cisco.amp.file.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" @@ -1709,32 +2210,24 @@ "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 163000000, - "event.action": "Threat Detected", + "cisco.amp.timestamp_nanoseconds": 447000000, + "event.action": "Threat Quarantined", "event.category": [ - "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419214500913742000, + "event.id": 6419214492323807000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, - "file.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", - "file.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", - "file.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "file.name": "mssecsvc.exe", - "file.path": "C:\\WINDOWS\\mssecsvc.exe", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", - "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 44631, + "log.offset": 47096, "related.hash": [ - "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", - "db349b97c37d22f5ea1d1841e3c89eb4", - "e889544aff85ffaf8b0d0da705105dee7c97fe26" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ], "related.hosts": [ "Demo_WannaCry_Ransomware" @@ -1743,9 +2236,6 @@ "8.8.8.8", "10.10.10.10" ], - "related.user": [ - "user@testdomain.com" - ], "service.type": "cisco", "tags": [ "cisco-amp", 
@@ -1753,7 +2243,7 @@ ] }, { - "@timestamp": "2021-01-14T13:43:30.000Z", + "@timestamp": "2021-01-14T13:43:29.000Z", "cisco.amp.computer.active": true, "cisco.amp.computer.connector_guid": "test_connector_guid", "cisco.amp.computer.external_ip": "8.8.8.8", 
@@ -1764,33 +2254,50 @@ } ], "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", "cisco.amp.detection_id": "6419214488028839966", - "cisco.amp.event_type_id": 553648143, + "cisco.amp.event_type_id": 1090519054, "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", "cisco.amp.group_guids": [ "test_group_guid" ], "cisco.amp.related.mac": [ "53:74:31:cb:37:50" ], - "cisco.amp.timestamp_nanoseconds": 447000000, - "event.action": "Threat Quarantined", + "cisco.amp.timestamp_nanoseconds": 916000000, + "event.action": "Threat Detected", "event.category": [ + "file", "malware" ], "event.dataset": "cisco.amp", - "event.id": 6419214492323807000, + "event.id": 6419214488028840000, "event.kind": "alert", "event.module": "cisco", "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\Windows\\tasksche.exe", "fileset.name": "amp", "host.hostname": "Demo_WannaCry_Ransomware", "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", "input.type": "log", - "log.offset": 47096, + "log.offset": 48216, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 5580, "related.hash": [ - "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" ], "related.hosts": [ "Demo_WannaCry_Ransomware" 
@@ -1799,6 +2306,9 @@ "8.8.8.8", "10.10.10.10" ], + "related.user": [ + "user@testdomain.com" + ], "service.type": "cisco", "tags": [ "cisco-amp", @@ -2021,6 +2531,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:06:19.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204910251769881", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 34000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204910251770000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 54407, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:06:18.000Z", "cisco.amp.computer.active": true, 
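Review bot: In the second hunk here the added record asserts `"event.id": 6419204910251770000` while the same event carries `"cisco.amp.detection_id": "6419204910251769881"` — the numeric form exceeds 2^53 and has been rounded, so the golden file is pinning a lossy identifier rather than the real one. The same pattern (a JSON-number `event.id` that differs from the string `detection_id` in its trailing digits) appears in the added records of the later hunks in this file and in the cisco_amp7 hunks. Since these fixtures are generated from pipeline output, the fix belongs in the pipeline that populates `event.id` — emit it as the string value of `detection_id` (e.g. `"event.id": "6419204910251769881"`) — with the expected files regenerated afterwards; a truncated `event.id` defeats correlating a Filebeat alert back to the AMP console record.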
@@ -2367,6 +2940,122 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419204905956802580", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 286000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 63166, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-14T13:06:18.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + 
"ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419204905956802579", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 800000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419204905956803000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 64439, + "related.hash": [ + "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T13:06:17.000Z", "cisco.amp.computer.active": true, diff --git a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json index b1d52f25c8a..3e3f7423594 100644 --- a/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json +++ b/x-pack/filebeat/module/cisco/amp/test/cisco_amp7.ndjson.log-expected.json 
@@ -475,6 +475,73 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T12:57:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "f9:65:da:22:2a:41" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6411462918168117252", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "f9:65:da:22:2a:41" + ], + "cisco.amp.timestamp_nanoseconds": 573000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411462918168117000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "a97fb86da4e010974860e5024137b56b", + "file.hash.sha1": "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12", + "file.hash.sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "file.name": "MspthrdHash.exe", + "file.path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_1", + "host.name": "Demo_Qakbot_1", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 9881, + "related.hash": [ + "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91", + "a97fb86da4e010974860e5024137b56b", + "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12" + ], + "related.hosts": [ + "Demo_Qakbot_1" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T12:32:14.000Z", 
"cisco.amp.computer.active": true, @@ -884,6 +951,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T12:02:58.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d1:e2:b6:61:ef:7a" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6411444887895408641", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d1:e2:b6:61:ef:7a" + ], + "cisco.amp.timestamp_nanoseconds": 772000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6411444887895409000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62", + "fileset.name": "amp", + "host.hostname": "Demo_Qakbot_2", + "host.name": "Demo_Qakbot_2", + "input.type": "log", + "log.offset": 20427, + "related.hash": [ + "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62" + ], + "related.hosts": [ + "Demo_Qakbot_2" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:58:57.000Z", "cisco.amp.computer.active": true, 
@@ -939,6 +1059,75 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:58:57.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.Variant:Gen.20gl.1201", + "cisco.amp.detection_id": "6419187549993959449", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 193000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187549993959000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 22729, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 2980, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + 
"service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:58:54.000Z", "cisco.amp.computer.active": true, @@ -1012,6 +1201,59 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:58:54.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection_id": "6419187537109057560", + "cisco.amp.event_type_id": 553648143, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 884000000, + "event.action": "Threat Quarantined", + "event.category": [ + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419187537109058000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "input.type": "log", + "log.offset": 25859, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:49:08.000Z", "cisco.amp.computer.active": true, 
@@ -1221,6 +1463,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:28:45.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "d2:78:15:4a:f4:a2" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.FCE5B6784D-100.SBX.TG", + "cisco.amp.detection_id": "6533671595485954049", + "cisco.amp.event_type_id": 553648147, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "d2:78:15:4a:f4:a2" + ], + "cisco.amp.timestamp_nanoseconds": 899000000, + "event.action": "Retrospective Detection", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6533671595485954000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 3, + "file.hash.md5": "5df0c4ebca109779dc8afc745d612637", + "file.hash.sha1": "bdb11107a33eaeded6a838eb2a0e6167637dbe9c", + "file.hash.sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "file.name": "pp32.exe", + "file.path": "\\\\?\\C:\\pp32.exe", + "fileset.name": "amp", + "host.hostname": "Demo_AMP_Exploit_Prevention_Audit", + "host.name": "Demo_AMP_Exploit_Prevention_Audit", + "host.os.family": "windows", + "host.os.platform": "windows", + "input.type": "log", + "log.offset": 31671, + "related.hash": [ + "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79", + "5df0c4ebca109779dc8afc745d612637", + "bdb11107a33eaeded6a838eb2a0e6167637dbe9c" + ], + "related.hosts": [ + "Demo_AMP_Exploit_Prevention_Audit" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:38.000Z", "cisco.amp.computer.active": true, 
@@ -1276,6 +1581,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:38.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179222052372503", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 437000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179222052372000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 34184, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:37.000Z", "cisco.amp.computer.active": true, 
@@ -1441,6 +1809,69 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:37.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.File.MalParent", + "cisco.amp.detection_id": "6419179217757405206", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 797000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179217757405000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 39029, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T11:26:37.000Z", "cisco.amp.computer.active": true, 
@@ -1931,6 +2362,79 @@ "forwarded" ] }, + { + "@timestamp": "2021-01-14T11:26:35.000Z", + "cisco.amp.computer.active": true, + "cisco.amp.computer.connector_guid": "test_connector_guid", + "cisco.amp.computer.external_ip": "8.8.8.8", + "cisco.amp.computer.network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "53:74:31:cb:37:50" + } + ], + "cisco.amp.connector_guid": "test_connector_guid", + "cisco.amp.detection": "W32.ED01EBFBC9-100.SBX.TG", + "cisco.amp.detection_id": "6419179204872503300", + "cisco.amp.event_type_id": 1090519054, + "cisco.amp.file.disposition": "Malicious", + "cisco.amp.file.parent.disposition": "Malicious", + "cisco.amp.group_guids": [ + "test_group_guid" + ], + "cisco.amp.related.mac": [ + "53:74:31:cb:37:50" + ], + "cisco.amp.timestamp_nanoseconds": 894000000, + "event.action": "Threat Detected", + "event.category": [ + "file", + "malware" + ], + "event.dataset": "cisco.amp", + "event.id": 6419179209167471000, + "event.kind": "alert", + "event.module": "cisco", + "event.severity": 2, + "file.hash.md5": "84c82835a5d21bbcf75a61706d8ab549", + "file.hash.sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467", + "file.hash.sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "file.name": "tasksche.exe", + "file.path": "\\\\?\\C:\\WINDOWS\\tasksche.exe", + "fileset.name": "amp", + "host.hostname": "Demo_WannaCry_Ransomware", + "host.name": "Demo_WannaCry_Ransomware", + "host.os.family": "windows", + "host.os.platform": "windows", + "host.user.name": "user@testdomain.com", + "input.type": "log", + "log.offset": 50398, + "process.hash.md5": "db349b97c37d22f5ea1d1841e3c89eb4", + "process.hash.sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26", + "process.hash.sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c", + "process.name": "mssecsvc.exe", + "process.pid": 3020, + "related.hash": [ + "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa", + "84c82835a5d21bbcf75a61706d8ab549", + 
"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467" + ], + "related.hosts": [ + "Demo_WannaCry_Ransomware" + ], + "related.ip": [ + "8.8.8.8", + "10.10.10.10" + ], + "related.user": [ + "user@testdomain.com" + ], + "service.type": "cisco", + "tags": [ + "cisco-amp", + "forwarded" + ] + }, { "@timestamp": "2021-01-14T10:59:33.000Z", "cisco.amp.computer.active": true,