diff --git a/parsers/corelight-investigator.yaml b/parsers/corelight-investigator.yaml
new file mode 100644
index 0000000..b4ba87c
--- /dev/null
+++ b/parsers/corelight-investigator.yaml
@@ -0,0 +1,92 @@
+name: corelight-investigator
+fieldsToBeRemovedBeforeParsing: []
+$schema: https://schemas.humio.com/parser/v0.3.0
+script: |
+ // CrowdStrike Falcon Complete LogScale
+ // Corelight Parser
+ // Copyright: CrowdStrike 2024
+
+ // #region PREPARSE
+ /************************************************************
+ ****** Parse timestamp and log headers
+ ****** Extract message field for parsing
+ ****** Parse structured data
+ ************************************************************/
+
+ // Documentation: ADD Investigator Info HERE
+
+ | parseJson(prefix="Vendor.", excludeEmpty=true, handleNull=discard)
+ | parseTimestamp("unixtime", field=Vendor.alert_timestamp.observed, timezone="UTC")
+
+
+ // #endregion
+
+ // #region METADATA
+ /************************************************************
+ ****** Static Metadata Definitions
+ ************************************************************/
+ | Parser.version:="0.0.4"
+ | Cps.version := "1.0.0"
+ | Vendor:="Corelight - Investigator"
+ | ecs.version:="8.16.0"
+
+ // #endregion
+
+ // #region NORMALIZATION
+ /************************************************************
+ ****** Parse unstructured data (i.e.
message field)
+ ****** Normalize fields to data model
+ ************************************************************/
+
+ // Event Fields
+ | event.module:=Vendor.alert_info.alert_type
+ | event.action := rename(Vendor.operation)
+ | format(format="investigator.%s", field=["Vendor.alert_info.alert_type"], as="event.dataset")
+ | event.reason := rename(Vendor.alert_info.alert_name)
+ | event.outcome := "unknown"
+ | event.kind := "alert"
+ | event.category[0] := "network"
+ | event.type[0] := "info"
+
+ // Observer fields
+ | observer.type := "Corelight - Investigator"
+
+ // Alert type specific values
+ | case {
+ // Notice Fields
+ Vendor.alert_info.alert_type = "notice" | event.id := rename(Vendor.notice.uid) | observer.name := rename(Vendor.notice.system_name) | network.transport := rename(Vendor.notice.proto) | source.ip := rename(Vendor.notice.orig_h) | source.port := rename(Vendor.notice.orig_p) | destination.ip := rename(Vendor.notice.resp_h) | destination.port := rename(Vendor.notice.resp_p);
+ // Suricata Fields
+ Vendor.alert_info.alert_type = "suricata_corelight" | event.id := rename(Vendor.suricata_corelight.uid) | network.transport := rename(Vendor.suricata_corelight.proto) | source.ip := rename(Vendor.suricata_corelight.source_ip) | source.port := rename(Vendor.suricata_corelight.source_port) | destination.ip := rename(Vendor.suricata_corelight.destination_ip) | destination.port := rename(Vendor.suricata_corelight.destination_port);
+ // Custom Search Rule Fields
+ Vendor.alert_info.alert_type = "custom_search_rule" | event.id := Vendor.alert_id | source.ip := if(Vendor.related_alert_entities[0].entity_category == "source", then=Vendor.related_alert_entities[0].entity_name, else=if(Vendor.related_alert_entities[1].entity_name != "", then=Vendor.related_alert_entities[1].entity_name, else=*)) | source.port := * | destination.ip := if(Vendor.related_alert_entities[0].entity_category == "destination", then=Vendor.related_alert_entities[0].entity_name,
else=if(Vendor.related_alert_entities[1].entity_name != "", then=Vendor.related_alert_entities[1].entity_name, else=*)) | destination.port := *;
+ // ML Fields
+ Vendor.alert_info.alert_type = "ml" | event.id := Vendor.alert_id | source.ip := rename(Vendor.notice.orig_h) | source.port := rename(Vendor.notice.orig_p) | destination.ip := rename(Vendor.notice.resp_h) | destination.port := rename(Vendor.notice.resp_p);
+ *;
+ }
+
+ // Set Client and Server Fields for notice and suricata alerts
+ | Vendor.alert_info.alert_type match {
+ in(values=["notice", "suricata_corelight"]) => client.ip := source.ip | client.port := source.port | server.ip := destination.ip | server.port := destination.port;
+ * => *;
+ }
+
+ // CrowdStrike Detection name
+ | rule.name := event.reason
+
+ // CrowdStrike severity
+ | event.severity := Vendor.score * 10
+
+ // CrowdStrike tactic & technique
+ | threat.framework := if(Vendor.mitre_tactics[0] != "", then="MITRE ATT&CK", else=*)
+ | objectArray:eval(array="Vendor.mitre_tactics[]", asArray="threat.tactic.name[]", var=x, function={threat.tactic.name := x})
+ | objectArray:eval(array="Vendor.mitre_techniques[]", asArray="threat.technique.name[]", var=x, function={threat.technique.name := splitString(field=x, by=" :: ", index=1)})
+
+ // #endregion
+
+ // #region POST-NORMALIZATION
+ /************************************************************
+ ****** Post Normalization
+ ****** Custom parser logic needed after normalization
+ ************************************************************/
+
+ // #endregion
diff --git a/parsers/corelight-sensor.yaml b/parsers/corelight-sensor.yaml
index 9add435..52878bb 100644
--- a/parsers/corelight-sensor.yaml
+++ b/parsers/corelight-sensor.yaml
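Review bot: In the custom_search_rule branch of the case block, the fallback for both source.ip and destination.ip takes Vendor.related_alert_entities[1].entity_name whenever that name is non-empty, without checking its entity_category, so an alert whose first entity is neither "source" nor "destination" (or whose two entities are on the same side) ends up with the same value in source.ip and destination.ip, and an entity name that is not an address lands in an ECS ip-typed field where it will break IP-based correlation and searches. Making the nested test mirror the outer one keeps the sides honest: `else=if(Vendor.related_alert_entities[1].entity_category == "source", then=Vendor.related_alert_entities[1].entity_name, else=*)` for source.ip, and the same test against "destination" for destination.ip. Two smaller points in the same hunk: `event.severity := Vendor.score * 10` presumes a 0–10 score scale, which should be stated in the comment above it since an out-of-range value silently distorts triage ordering, and the placeholder `// Documentation: ADD Investigator Info HERE` in the PREPARSE region should be filled in or removed before this ships.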
@@ -1,10 +1,378 @@ name: corelight-sensor fieldsToBeRemovedBeforeParsing: [] +testCases: +- event: + rawString: '{"_path":"weird_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:35:56.972173Z","count":8,"id.orig_h":"192.168.9.104","id.orig_p":39138,"id.resp_h":"192.168.10.1","id.resp_p":8080,"name":"data_before_established","notice":false,"peer":"worker-02","source":"TCP","ts":"2025-04-17T19:30:55.005232Z","ts_last":"2025-04-17T19:35:53.468792Z","uids":["CvTB154LqmWlEWQWhl","CtutYK2SOMMqGjR1Jf","Cn4mUAkK9bJ9qlYHh","CzkGId3wQp9eYwKoqa","CVdZdl2fdCn24ge1q6","CXdhHx2KxlLBC542Kh","CaXFXctwywtoYQid6","CHoVoD4achuJmK1oP9"]}' +- event: + rawString: '{"_path":"dns_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:35:52.856767Z","answers":["www.google.com"],"count":1,"icann_domain":"chronicle.security","icann_host_subdomain":"backstory","icann_tld":"security","id.orig_h":"192.168.12.10","id.resp_p":53,"id.vlan":12,"is_trusted_domain":false,"qtype":1,"qtype_name":"A","query":"backstory.chronicle.security","rcode":0,"rcode_name":"NOERROR","rejected":[false],"ts":"2025-04-17T19:30:50.630164Z","ts_last":"2025-04-17T19:30:50.630164Z","uids":["CZWs1h2bKynwW7wmmi"]}' +- event: + rawString: '{"_path":"files_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:35:02.892942Z","analyzers":["SHA256","MD5","DATA_EVENT","SHA1"],"count":1,"duration":0.09296107292175292,"fuid":"F851bk3qgexyNyylT","id.orig_h":"192.168.20.115","id.resp_h":"172.172.47.79","is_orig":false,"local_orig":false,"md5":"7e4e7299f7923879c1cf3d30d40c3e47","mime_types":["text/json"],"missing_bytes":0,"overflow_bytes":0,"seen_bytes":3531,"sha1":"c98bc2d00d032c669a9b0ae00360e4565573a843","sha256":"1a84d0034492526fa4deb96b6ce5cedf59ecc576db9f125bcf91d65db3b2d64a","source":"HTTP","timedouts":[false],"total_bytes":3531,"ts":"2025-04-17T19:30:00.806151Z","ts_last":"2025-04-17T19:30:00.806151Z","uids":["CR69442D1saHBjScel"]}' +- event: + rawString: 
'{"_path":"conn_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:34:30.800768Z","community_ids":["1:pnYGhqnrGelHglimJaWQtfWiZDc="],"conn_state":"S0","corelight_shunted":[false],"count":1,"history":"S","id.orig_h":"35.203.211.23","id.resp_h":"96.35.155.226","id.resp_p":49830,"local_orig":false,"local_resp":true,"missed_bytes":0,"orig_ip_bytes":44,"proto":"tcp","resp_ip_bytes":0,"ts":"2025-04-17T19:29:23.835216Z","ts_last":"2025-04-17T19:29:23.835216Z","uids":["CdDQ0sAF1BnEl0Xua"]}' +- event: + rawString: '{"_path":"http_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:34:01.914513Z","count":1,"host":"192.168.10.1","id.orig_h":"192.168.10.178","id.resp_h":"192.168.10.1","method":"POST","orig_fuids":["FbFsyn23z1twD7JjJb"],"orig_mime_types":["text/json"],"post_body":"{ + \"jsonrpc\": \"2.0\", \"id\": 1, \"method\": \"call\", \"params\": [ \"00000000000000000000000000000000\", + \"uci\", \"get\", { \"config\": \"krouter\" } ] }","request_body_len":136,"resp_fuids":["FNktoU149A5FsOeZ85"],"resp_mime_types":["text/html"],"response_body_len":162,"status_code":301,"status_msg":"Moved + Permanently","tags":[],"ts":"2025-04-17T19:28:59.486139Z","ts_last":"2025-04-17T19:28:59.486139Z","uids":["CJd99H3sp8fPhCAw8c"],"uri":"/ubus","versions":["1.1"]}' +- event: + rawString: 
'{"_path":"ssl_agg","_system_name":"Lab-AP200","_write_ts":"2025-04-17T19:33:09.956089Z","cert_chain_fps":["1494370aca64d759c73072d199a5aea941741b1cd524e842f5713e1b586a64ab","c8025f9fc65fdfc95b3ca8cc7867b9a587b5277973957917463fc813d0b625a9","cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f"],"cipher":"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","client_cert_chain_fps":[],"count":5,"established":true,"id.orig_h":"192.168.10.5","id.resp_h":"44.233.168.176","ja3":"3ed8bccd9c2e89f8a38994c7f89369f6","ja3s":"adc06261ef82c2e4688b3cf08c1b2f24","resumeds":[false],"ssl_history":"CsxknGIi","ts":"2025-04-17T19:28:08.206144Z","ts_last":"2025-04-17T19:31:55.390430Z","uids":["CDPC0hvpi3YCUxSi4","C0HIiOt4ftyLWwLU4","CiCI6J1f5BO6RnxLX2","CzhP6Y49U2SWQk5ab","CYt4DX36Dy8z2ej3og"],"validation_status":"ok","version":"TLSv12"}' +- event: + rawString: '{"_path":"generic_dns_tunnels","_system_name":"Lab-AP200","_write_ts":"2025-04-17T18:19:27.213542Z","ts":"2025-04-17T18:19:27.403586Z","dns_client":"96.35.155.226","domain":"sentinelone.net","bytes":4768,"capture_secs":86399.22099995613}' +- event: + rawString: '{"_path":"corelight_burst","_system_name":"Lab-AP200","_write_ts":"2025-04-17T10:00:15.241550Z","ts":"2025-04-17T10:00:15.241550Z","uid":"CGro5t4kDMCQjlfOZj","id.orig_h":"96.35.155.226","id.orig_p":37074,"id.resp_h":"75.103.223.41","id.resp_p":8888,"proto":"tcp","orig_size":558,"resp_size":307139469,"mbps":196.61712988873384,"age_of_conn":11.916560888290405}' +- event: + rawString: '{"_path":"encrypted_dns","_system_name":"Lab-AP200","_write_ts":"2025-04-17T18:01:29.146043Z","ts":"2025-04-17T18:01:28.825275Z","uid":"CIdq6l138e3JxT4FI9","resp_h":"64.78.200.1","sni":"doh.dns.apple.com","match":"K"}' +- event: + rawString: 
'{"_path":"syslog","_system_name":"Lab-AP200","_write_ts":"2025-04-17T12:44:04.133622Z","ts":"2025-04-17T12:44:04.133622Z","uid":"CqaaRq4YF26EhqxQl7","id.orig_h":"129.146.110.127","id.orig_p":56270,"id.resp_h":"96.35.155.239","id.resp_p":514,"proto":"udp","facility":"AUTH","severity":"EMERG","message":"1 + 2025-04-13T07:00:15.481854 - - - - vxor.vv loves dragons a bit too much. Really + good dragon porn image btw (you have been warned) e621.net/posts/4681316. Also + this is a friendly reminder that you should fix your security. ughh i gotta + go to bed it''s 5am here."}' +- event: + rawString: '{"_path":"etc_viz","_system_name":"Lagermann-vSensor3","_write_ts":"2025-04-17T15:09:02.670956Z","ts":"2025-04-17T15:08:57.116729Z","uid":"CMY5Kt3KbaZwXsfl8j","server_a":"192.168.13.20","server_p":80,"service":[],"viz_stat":"c","c2s_viz.size":239,"c2s_viz.enc_dev":-1.0,"c2s_viz.enc_frac":0.0,"c2s_viz.pdu1_enc":false,"c2s_viz.clr_frac":0.5,"s2c_viz.size":495,"s2c_viz.enc_dev":-1.0,"s2c_viz.enc_frac":0.0,"s2c_viz.pdu1_enc":false,"s2c_viz.clr_frac":1.0,"s2c_viz.clr_ex":"
Apache/2.4.29 + (Ubuntu) Server at LAMP1.aacfirearms.com Port 80
"}' +- event: + rawString: '{"_path":"stun_nat","_system_name":"Lab-AP200","_write_ts":"2025-04-17T15:18:34.720683Z","ts":"2025-04-17T15:18:34.720683Z","uid":"C0nJp04rpHv228ohdf","id.orig_h":"192.168.10.175","id.orig_p":63443,"id.resp_h":"34.203.251.225","id.resp_p":3478,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.vlan":1,"proto":"udp","is_orig":false,"wan_addrs":["96.35.155.226","96.35.155.226"],"wan_ports":[63443,63443],"lan_addrs":["192.168.10.175","192.168.10.175"]}' +- event: + rawString: '{"_path":"radius","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:01:00.400818Z","ts":"2025-04-17T16:00:00.395897Z","uid":"CPA2i1OugHyWfG9Ng","id.orig_h":"147.185.132.19","id.orig_p":15676,"id.resp_h":"96.35.155.236","id.resp_p":1812,"result":"unknown"}' +- event: + rawString: '{"_path":"traceroute","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:56:30.117191Z","ts":"2025-04-17T16:56:30.117191Z","src":"96.35.155.226","dst":"26.0.0.1","proto":"icmp"}' +- event: + rawString: "\t\n{\"_path\":\"tunnel\",\"_system_name\":\"Lab-AP200\",\"\ + _write_ts\":\"2025-04-17T17:08:15.462987Z\",\"ts\":\"2025-04-17T17:08:15.462987Z\"\ + ,\"uid\":\"CHrsgn3krDTHYE05Hl\",\"id.orig_h\":\"49.86.38.11\",\"id.orig_p\"\ + :0,\"id.resp_h\":\"96.35.155.239\",\"id.resp_p\":0,\"tunnel_type\":\"Tunnel::GRE\"\ + ,\"action\":\"Tunnel::DISCOVER\"}" +- event: + rawString: '{"_path":"ssh","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:34:31.105023Z","ts":"2025-04-17T17:34:26.103603Z","uid":"Cmkj3t2oHJitbHPwq","id.orig_h":"192.168.10.175","id.orig_p":55726,"id.resp_h":"192.168.10.199","id.resp_p":22,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + 
Agents","id.resp_ep_status":"Unsecured","id.resp_ep_uid":"2081027202239115292","id.resp_ep_name":"xigmanas","id.resp_ep_source":"SentinelOne + Network Discovery","auth_attempts":0,"server":"SSH-2.0-OpenSSH_9.3 FreeBSD-20230719","inferences":["SP"],"hasshVersion":"1.0"}' +- event: + rawString: '{"_path":"bacnet_property","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:19:02.883084Z","ts":"2025-04-17T17:19:02.883084Z","uid":"CWb9ay4A2tI0bcs5c5","id.orig_h":"162.142.125.94","id.orig_p":33888,"id.resp_h":"96.35.155.232","id.resp_p":47807,"is_orig":true,"invoke_id":1,"pdu_service":"read-property-request","object_type":"device","instance_number":4194303,"property":"object-identifier"}' +- event: + rawString: '{"_path":"kerberos","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:18:04.231103Z","ts":"2025-04-17T17:17:04.214542Z","uid":"Cj6w1N31fV2uvjdjJ1","id.orig_h":"8.211.47.177","id.orig_p":15555,"id.resp_h":"96.35.155.230","id.resp_p":88,"request_type":"AS","client":"/NM","service":"krbtgt/NM","till":"1970-01-01T00:00:00.000000Z","forwardable":true,"renewable":true}' +- event: + rawString: "\t\n{\"_path\":\"known_certs\",\"_system_name\":\"Lab-AP200\"\ + ,\"_write_ts\":\"2025-04-17T17:29:59.758517Z\",\"ts\":\"2025-04-17T17:13:54.591441Z\"\ + ,\"duration\":900.1126811504364,\"kuid\":\"KfHu9e17eit7k\",\"host_ip\":\"192.168.12.32\"\ + ,\"host_vlan\":12,\"hash\":\"420dd88a275dfbbc61a4d51d1d0b86d8ce63eba8\",\"port\"\ + :8089,\"protocol\":\"tcp\",\"serial\":\"B7011F246D7CB3F8\",\"subject\":\"O=SplunkUser,CN=SplunkServerDefaultCert\"\ + ,\"issuer_subject\":\"emailAddress=support@splunk.com,CN=SplunkCommonCA,O=Splunk,L=San\ + \ Francisco,ST=CA,C=US\",\"num_conns\":16,\"long_conns\":0,\"annotations\":[],\"\ + last_active_session\":\"KfEinM917m0u8\",\"last_active_interval\":960.1192860603333}" +- event: + rawString: 
'{"_path":"enip","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:29:53.052058Z","ts":"2025-04-17T17:29:53.052058Z","uid":"Cm9sPY2OsPIXxRxMsj","id.orig_h":"193.163.125.214","id.orig_p":22901,"id.resp_h":"96.35.155.225","id.resp_p":44818,"is_orig":true,"enip_command_code":"0x63","enip_command":"List + Identity","length":0,"session_handle":"0x00000000","enip_status":"Success","sender_context":"0x0000000000000000","options":"0x00000000"}' +- event: + rawString: '{"_path":"pe","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:17:23.133237Z","ts":"2025-04-17T17:17:21.883082Z","id":"FRlky8QUzq3SPoFPb","machine":"AMD64","compile_ts":"2025-04-17T09:04:12.000000Z","os":"Windows + 10","subsystem":"WINDOWS_GUI","is_exe":true,"is_64bit":true,"uses_aslr":true,"uses_dep":true,"uses_code_integrity":false,"uses_seh":true,"has_import_table":true,"has_export_table":false,"has_cert_table":true,"has_debug_data":true,"section_names":[".text",".rdata",".data",".pdata",".rsrc",".reloc"]}' +- event: + rawString: '{"_path":"dpd","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:28:18.156266Z","ts":"2025-04-17T17:28:18.156266Z","uid":"CF4SIJ2lxDqnNX3Lxa","id.orig_h":"192.168.10.178","id.orig_p":52301,"id.resp_h":"172.217.4.206","id.resp_p":443,"id.vlan":1,"proto":"udp","analyzer":"QUIC","failure_reason":"unhandled + frame type FrameType::STOP_SENDING in 0 (/zeek/src/analyzer/protocol/quic/QUIC.spicy:290:7-290:95) + [\\xc7\\x00\\x00\\x00\\x01\\x00\b\\xfdYF\\x1e\\x95\\x12\\xac/\\x00D\\xd0sy\\xb2\r{\\x8b\\xd0\\xe7A-\\xc8\\xee@\\xa8[i\\xd8\\x80\\xb2]\\xb8m...]"}' +- event: + rawString: 
'{"_path":"dhcp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:28:21.726465Z","ts":"2025-04-17T17:28:11.695821Z","uids":["CQ8ISlYfqJylCBvWh"],"client_addr":"192.168.10.175","server_addr":"192.168.10.1","mac":"04:d9:f5:82:72:c0","host_name":"James-Desktop","client_fqdn":"James-Desktop.lagermann.net","domain":"lagermann.net","assigned_addr":"192.168.10.175","lease_time":86400.0,"msg_types":["REQUEST","ACK"],"duration":0.00025391578674316406}' +- event: + rawString: '{"_path":"ldap_search","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:27:36.728019Z","ts":"2025-04-17T17:26:36.726754Z","uid":"C5RlVi438rFngGyDf8","id.orig_h":"204.76.203.80","id.orig_p":33127,"id.resp_h":"96.35.155.239","id.resp_p":389,"message_id":1,"scope":"base","deref_aliases":"never","result_count":0,"filter":"(objectclass=*)"}' +- event: + rawString: '{"_path":"sip","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:21:03.397344Z","ts":"2025-04-17T17:20:03.391692Z","uid":"Cnkl2U1IdPb24lrGil","id.orig_h":"173.231.185.164","id.orig_p":44107,"id.resp_h":"24.217.26.172","id.resp_p":5060,"trans_depth":0,"method":"OPTIONS","uri":"sip:100@24.217.26.172","request_from":"\"PBX\"","request_to":"\"PBX\"","call_id":"351164452855910215640138","seq":"1 + OPTIONS","request_path":["SIP/2.0/UDP 173.231.185.164:0"],"response_path":[],"user_agent":"friendly-scanner","request_body_len":0}' +- event: + rawString: 
'{"_path":"ipsec","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:20:31.797151Z","ts":"2025-04-17T17:20:31.797151Z","uid":"CVkh9D1O7cJsbf9NZj","id.orig_h":"162.142.125.253","id.orig_p":6268,"id.resp_h":"96.35.155.230","id.resp_p":3243,"is_orig":true,"initiator_spi":"78629a0f5f3f164f","responder_spi":"0000000000000000","maj_ver":2,"min_ver":0,"exchange_type":34,"flag_e":false,"flag_c":false,"flag_a":false,"flag_i":true,"flag_v":false,"flag_r":false,"message_id":0,"vendor_ids":[],"notify_messages":[],"transforms":[],"ke_dh_groups":[1],"proposals":[1],"certificates":[],"transform_attributes":[],"length":392,"hash":"758ea99bc3dcb7f3b9b3fa1b2e71fabc"}' +- event: + rawString: '{"_path":"mqtt_publish","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:24:24.388621Z","ts":"2025-04-17T17:24:24.388621Z","uid":"CiN6ko2tSCmlTTusj9","id.orig_h":"96.35.155.226","id.orig_p":32765,"id.resp_h":"52.55.212.35","id.resp_p":1883,"from_client":true,"retain":false,"qos":"at + most once","status":"ok","topic":"$aws/things/5CCF7F285567/shadow/update","payload":"{\"state\":{\"reported\":{\"o3A\":\"jAASiShEjjri\",\"3NQb\":\"Ul''Qxzl''x\",\"Nx''x&y\":\"H\",\"3NxQ\":\"\",\"U&1\":\"HE\",\"Cl1","payload_len":199}' +- event: + rawString: '{"_path":"ntlm","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:22:21.334872Z","ts":"2025-04-17T17:22:21.320294Z","uid":"CCihED4jHfuCEcmPUa","id.orig_h":"192.168.10.175","id.orig_p":54471,"id.resp_h":"192.168.10.199","id.resp_p":445,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.resp_ep_status":"Unsecured","id.resp_ep_uid":"2081027202239115292","id.resp_ep_name":"xigmanas","id.resp_ep_source":"SentinelOne + Network 
Discovery","username":"James","hostname":"JAMES-DESKTOP","domainname":".","server_nb_computer_name":"XIGMANAS","server_dns_computer_name":"xigmanas.lagermann.net","success":true}' +- event: + rawString: '{"_path":"known_users","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:22:59.734814Z","ts":"2025-04-17T17:12:05.012952Z","duration":0.0,"kuid":"Kf7UwULmMewZ2","host_ip":"192.168.10.175","remote_ip":"192.168.10.199","user":"JAMES","protocol":"NTLM","num_conns":1,"long_conns":0,"annotations":[],"last_active_session":"KfF6xDT7fAyB9","last_active_interval":632.0104839801788}' +- event: + rawString: '{"_path":"bacnet","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:19:02.883084Z","ts":"2025-04-17T17:19:02.883084Z","uid":"CWb9ay4A2tI0bcs5c5","id.orig_h":"162.142.125.94","id.orig_p":33888,"id.resp_h":"96.35.155.232","id.resp_p":47807,"is_orig":true,"bvlc_function":"Original_Unicast_NPDU","pdu_type":"CONFIRMED_REQUEST","pdu_service":"read_property","invoke_id":1}' +- event: + rawString: '{"_path":"smb_mapping","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:22:21.355183Z","ts":"2025-04-17T17:22:21.354572Z","uid":"CVwaov2xkARuA02k3d","id.orig_h":"192.168.10.175","id.orig_p":51154,"id.resp_h":"192.168.10.199","id.resp_p":445,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.resp_ep_status":"Unsecured","id.resp_ep_uid":"2081027202239115292","id.resp_ep_name":"xigmanas","id.resp_ep_source":"SentinelOne + Network Discovery","path":"\\\\xigmanas\\IPC$","share_type":"PIPE"}' +- event: + rawString: 
'{"_path":"corelight_metrics_zeek_doctor","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:21:08Z","ts":"2025-04-17T17:21:08Z","check.bursty.percent":0,"check.dns_half_duplex_orig.percent":0,"check.dns_half_duplex_resp.percent":0,"check.local_to_local.percent":53.33333333333333,"check.remote_to_remote.percent":1.6666666666666665,"check.tcp_backscatter.percent":0,"check.tcp_byte_counts_wrong.percent":0,"check.tcp_checksum_errors.percent":0,"check.tcp_half_duplex.percent":0,"check.tcp_missed_bytes.percent":0,"check.tcp_no_ssl_on_443.percent":0,"check.tcp_no_three_way_handshake.percent":0,"check.tcp_retransmissions.percent":44.444444444444436,"check.tcp_scan.percent":76.3157894736842}' +- event: + rawString: '{"_path":"snmp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:20:40.825770Z","ts":"2025-04-17T17:19:40.812435Z","uid":"CUnhsV1UtfFeTq8Fg9","id.orig_h":"148.113.208.45","id.orig_p":43619,"id.resp_h":"96.35.155.225","id.resp_p":161,"duration":0.0,"version":"3","get_requests":0,"get_bulk_requests":0,"get_responses":0,"set_requests":0}' +- event: + rawString: '{"_path":"intel","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:17:18.197813Z","ts":"2025-04-17T17:17:18.197813Z","uid":"CncLNK2cd8f4GfsVYh","id.orig_h":"192.168.10.178","id.orig_p":63446,"id.resp_h":"52.165.164.15","id.resp_p":443,"id.vlan":1,"seen.indicator":"52.165.164.15","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_RESP","seen.node":"worker-01","matched":["Intel::ADDR"],"sources":["Fortinet + Threat Research"],"url":["https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant"]}' +- event: + rawString: '{"_path":"x509","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:19:40.775870Z","ts":"2025-04-17T17:19:40.775870Z","fingerprint":"c995e82518c59a30c279aadf697bee53df02fea8a1a3fc7e722576c3d4609074","certificate.version":3,"certificate.serial":"02C816C1D892F7B0FAEC7C2C47CD024B","certificate.subject":"CN=4g2.vzwdm.com,O=Verizon + 
Data Services LLC,L=Temple Terrace,ST=Florida,C=US","certificate.issuer":"CN=DigiCert + Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US","certificate.not_valid_before":"2024-09-12T00:00:00.000000Z","certificate.not_valid_after":"2025-10-01T23:59:59.000000Z","certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":2048,"certificate.exponent":"65537","san.dns":["4g2.vzwdm.com","www.4g2.vzwdm.com"],"basic_constraints.ca":false,"host_cert":true,"client_cert":false,"vlan":1}' +- event: + rawString: '{"_path":"known_domains","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:17:39.723388Z","ts":"2025-04-17T17:01:27.263533Z","duration":910.5456178188324,"kuid":"KfkbkjfIwyQP1","host_ip":"192.168.10.5","host_vlan":1,"domain":"LAGERMANN","protocols":["SentinelOne + Network Discovery"],"num_conns":0,"long_conns":0,"annotations":["SentinelOne + Network Discovery/Unsupported"],"last_active_session":"KfIILlch7nsq6","last_active_interval":910.2952678203583}' +- event: + rawString: '{"_path":"x509_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:14:03.419787Z","ts":"2025-04-17T17:14:03.419787Z","fingerprint":"aadadd5a879d2eb8c41a89597291292709d42052f5b6399541c694c3b7353cd1","certificate.version":3,"certificate.serial":"4B2B0115CDE5C7481B3CDDFEDE11169E","certificate.subject":"CN=DigiCert + Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US","certificate.issuer":"CN=VeriSign + Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\, + Inc. 
- For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","certificate.not_valid_before":"2018-04-03T00:00:00.000000Z","certificate.not_valid_after":"2028-04-02T23:59:59.000000Z","certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":2048,"certificate.exponent":"65537","basic_constraints.ca":true,"host_cert":false,"client_cert":false,"vlan":1}' +- event: + rawString: '{"_path":"notice","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:17:21.798101Z","ts":"2025-04-17T17:17:21.798101Z","uid":"CApmxkrP7I4SeaU3f","id.orig_h":"192.168.10.178","id.orig_p":63451,"id.resp_h":"40.69.79.107","id.resp_p":443,"id.vlan":1,"fuid":"FZ2Jkh4BC8LcgXU6y4","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL + certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.prod.do.dsp.mp.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US","src":"192.168.10.178","dst":"40.69.79.107","p":443,"peer_descr":"worker-01","actions":["Notice::ACTION_LOG"],"suppress_for":86400.0,"severity.level":3,"severity.name":"error"}' +- event: + rawString: '{"_path":"known_names","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:17:09.722209Z","ts":"2025-04-17T17:00:59.149013Z","duration":851.4270520210266,"kuid":"KfnUYnph2ptpc","host_ip":"192.168.12.1","host_vlan":1,"hostname":"UNIFI","protocols":["SSL"],"num_conns":4,"long_conns":0,"annotations":[],"last_active_session":"Kfg8s3e4YplG6","last_active_interval":1152.949301958084}' +- event: + rawString: 
'{"_path":"smb_files","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:11:49.354793Z","ts":"2025-04-17T17:11:49.354217Z","uid":"COYytu4xB5XqMAtOJk","id.orig_h":"192.168.10.175","id.orig_p":51154,"id.resp_h":"192.168.10.199","id.resp_p":445,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.resp_ep_status":"Unsecured","id.resp_ep_uid":"2081027202239115292","id.resp_ep_name":"xigmanas","id.resp_ep_source":"SentinelOne + Network Discovery","action":"SMB::FILE_OPEN","name":"rufus-3.3.exe","size":1027128,"times.modified":"2018-10-23T22:44:00.667862Z","times.accessed":"2019-01-27T20:02:57.475316Z","times.created":"2018-10-29T19:46:25.258246Z","times.changed":"2018-10-23T22:44:00.667862Z"}' +- event: + rawString: '{"_path":"zeek_doctor","_system_name":"Lagermann-vSensor1","_write_ts":"2025-04-17T17:15:10.915568Z","ts":"2025-04-17T17:15:10.915568Z","node":"worker-02","check":"tcp_scan","total":0,"hits":0,"total_delta":0,"hits_delta":0,"percent":0.0}' +- event: + rawString: '{"_path":"conn_long","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:14:51.616958Z","ts":"2025-04-17T16:44:48.584653Z","uid":"CfKAUu1SapIquY7HL8","id.orig_h":"96.35.155.226","id.orig_p":52558,"id.resp_h":"18.206.201.73","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1801.9931871891022,"orig_bytes":819999,"resp_bytes":2900525,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADadTt","orig_pkts":1681,"orig_ip_bytes":888153,"resp_pkts":2306,"resp_ip_bytes":2993332,"community_id":"1:21DezAPlCVZqfRmwZhaHnGpdgWI=","corelight_shunted":false}' +- event: + rawString: '{"_path":"software","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:14:06.706316Z","ts":"2025-04-17T17:14:06.704766Z","host_header":"96.35.155.226","software_type":"HTTP::BROWSER","name":"Debian + 
APT-HTTP","version.major":1,"version.minor":3,"version.addl":"1.6.14","unparsed_version":"Debian + APT-HTTP/1.3 (1.6.14)"}' +- event: + rawString: '{"_path":"vpn","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:13:43.221005Z","ts":"2025-04-17T17:13:43.219853Z","uid":"CavBCx41ifQuSuMfze","id.orig_h":"96.35.155.226","id.orig_p":53932,"id.resp_h":"52.207.202.187","id.resp_p":443,"proto":"tcp","vpn_type":"VPNInsights::Tailscale","service":"ssl","inferences":["FW","COM"],"server_name":"log.tailscale.io","duration":101.896395921,"orig_bytes":1862,"resp_bytes":3264,"orig_cc":"US","orig_region":"MO","orig_city":"St + Louis","resp_cc":"US","resp_region":"VA","resp_city":"Ashburn","ja3":"3fed133de60c35724739b913924b6c24","ja3s":"f4febc55ea12b31ae17cfb7e614afda8"}' +- event: + rawString: '{"_path":"ocsp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:12:34.125204Z","ts":"2025-04-17T17:12:34.125204Z","id":"Fcg6IzAMR6cAyFHOh","hashAlgorithm":"sha1","issuerNameHash":"BF9BCBEF71E2B39B8D19487ACFC75885354F8F02","issuerKeyHash":"8A23EB9E6BD7F9375DF96D2139769AA167DE10A8","serialNumber":"0736D5719D2C48F4CB35D8A4FE2F0EC6","certStatus":"good","thisUpdate":"2025-04-14T15:39:01.000000Z","nextUpdate":"2025-04-21T14:39:01.000000Z"}' +- event: + rawString: '{"_path":"known_remotes","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:12:19.711498Z","ts":"2025-04-17T16:56:15.804730Z","duration":0.0,"kuid":"KfkIWfQnPq0Qi","host_ip":"45.135.95.25","host_vlan":13,"num_conns":1,"long_conns":0,"annotations":[]}' +- event: + rawString: '{"_path":"dns_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:11:50.964253Z","ts":"2025-04-17T17:11:41.179136Z","uid":"CnwGzo2pX3OtvCovwa","id.orig_h":"96.35.155.226","id.orig_p":37865,"id.resp_h":"216.239.34.10","id.resp_p":53,"query":"rr1---sn-hgn7yn7e.googlevideo.com","qtype_name":"HTTPS","rcode":0,"answers":["rr1.sn-hgn7yn7e.googlevideo.com"],"num":1}' +- event: + rawString: 
'{"_path":"corelight_metrics_disk","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:11:06Z","ts":"2025-04-17T17:11:06Z","io.data.all.active":0,"io.data.all.time":0,"io.data.all.time.per-second":0,"io.data.all.time_weighted":0,"io.data.all.time_weighted.per-second":0,"io.data.read.bytes":61952467968,"io.data.read.bytes.per-second":10057.955555555556,"io.data.read.completed":1354157,"io.data.read.completed.per-second":1.4533333333333334,"io.data.read.merged":0,"io.data.read.merged.per-second":0,"io.data.read.time":0,"io.data.read.time.per-second":0,"io.data.write.bytes":719338717184,"io.data.write.bytes.per-second":1009427.3422222222,"io.data.write.completed":167596937,"io.data.write.completed.per-second":242.22222222222223,"io.data.write.merged":0,"io.data.write.merged.per-second":0,"io.data.write.time":0,"io.data.write.time.per-second":0,"io.dm-0.all.active":0,"io.dm-0.all.time":1665.232,"io.dm-0.all.time.per-second":0.0024266666666663797,"io.dm-0.all.time_weighted":18510.796000000002,"io.dm-0.all.time_weighted.per-second":0.05443555555556183,"io.dm-0.read.bytes":3390541312,"io.dm-0.read.bytes.per-second":1421.0844444444444,"io.dm-0.read.completed":445948,"io.dm-0.read.completed.per-second":0.39555555555555555,"io.dm-0.read.merged":0,"io.dm-0.read.merged.per-second":0,"io.dm-0.read.time":1134.42,"io.dm-0.read.time.per-second":8.0000000000129e-05,"io.dm-0.write.bytes":17256738816,"io.dm-0.write.bytes.per-second":29263.644444444446,"io.dm-0.write.completed":4382262,"io.dm-0.write.completed.per-second":7.38,"io.dm-0.write.merged":0,"io.dm-0.write.merged.per-second":0,"io.dm-0.write.time":17376.376,"io.dm-0.write.time.per-second":0.05435555555555362,"io.dm-1.all.active":0,"io.dm-1.all.time":136.704,"io.dm-1.all.time.per-second":0.00016888888888887422,"io.dm-1.all.time_weighted":39.084,"io.dm-1.all.time_weighted.per-second":4.4444444444451e-05,"io.dm-1.read.bytes":893134848,"io.dm-1.read.bytes.per-second":1146.88,"io.dm-1.read.completed":211842,"io.dm-1.read.complet
ed.per-second":0.28,"io.dm-1.read.merged":0,"io.dm-1.read.merged.per-second":0,"io.dm-1.read.time":38.536,"io.dm-1.read.time.per-second":4.4444444444451e-05,"io.dm-1.write.bytes":645120,"io.dm-1.write.bytes.per-second":0,"io.dm-1.write.completed":534,"io.dm-1.write.completed.per-second":0,"io.dm-1.write.merged":0,"io.dm-1.write.merged.per-second":0,"io.dm-1.write.time":0.548,"io.dm-1.write.time.per-second":0,"io.dm-10.all.active":0,"io.dm-10.all.time":1598.9560000000001,"io.dm-10.all.time.per-second":0.0023555555555559394,"io.dm-10.all.time_weighted":15127.94,"io.dm-10.all.time_weighted.per-second":0.05442666666666709,"io.dm-10.read.bytes":2845258752,"io.dm-10.read.bytes.per-second":791.8933333333333,"io.dm-10.read.completed":241095,"io.dm-10.read.completed.per-second":0.14666666666666667,"io.dm-10.read.merged":0,"io.dm-10.read.merged.per-second":0,"io.dm-10.read.time":1108.708,"io.dm-10.read.time.per-second":7.1111111111451e-05,"io.dm-10.write.bytes":16829526016,"io.dm-10.write.bytes.per-second":29263.644444444446,"io.dm-10.write.completed":4266856,"io.dm-10.write.completed.per-second":7.38,"io.dm-10.write.merged":0,"io.dm-10.write.merged.per-second":0,"io.dm-10.write.time":14019.232,"io.dm-10.write.time.per-second":0.05435555555555362,"io.dm-11.all.active":0,"io.dm-11.all.time":1587.092,"io.dm-11.all.time.per-second":0.0023466666666667555,"io.dm-11.all.time_weighted":26400.328,"io.dm-11.all.time_weighted.per-second":0.054435555555553745,"io.dm-11.read.bytes":2362622976,"io.dm-11.read.bytes.per-second":664.4622222222222,"io.dm-11.read.completed":123264,"io.dm-11.read.completed.per-second":0.11555555555555555,"io.dm-11.read.merged":0,"io.dm-11.read.merged.per-second":0,"io.dm-11.read.time":86.33200000000001,"io.dm-11.read.time.per-second":7.1111111111135e-05,"io.dm-11.write.bytes":17475493888,"io.dm-11.write.bytes.per-second":30219.37777777778,"io.dm-11.write.completed":4266856,"io.dm-11.write.completed.per-second":7.38,"io.dm-11.write.merged":0,"io.dm-11.write.merg
ed.per-second":0,"io.dm-11.write.time":26313.996,"io.dm-11.write.time.per-second":0.05436444444444431,"io.dm-12.all.active":0,"io.dm-12.all.time":56.824,"io.dm-12.all.time.per-second":7.1111111111103e-05,"io.dm-12.all.time_weighted":22.764,"io.dm-12.all.time_weighted.per-second":8.888888888884e-06,"io.dm-12.read.bytes":307912704,"io.dm-12.read.bytes.per-second":318.5777777777778,"io.dm-12.read.completed":75174,"io.dm-12.read.completed.per-second":0.07777777777777778,"io.dm-12.read.merged":0,"io.dm-12.read.merged.per-second":0,"io.dm-12.read.time":12.768,"io.dm-12.read.time.per-second":8.888888888888e-06,"io.dm-12.write.bytes":2002944,"io.dm-12.write.bytes.per-second":0,"io.dm-12.write.completed":489,"io.dm-12.write.completed.per-second":0,"io.dm-12.write.merged":0,"io.dm-12.write.merged.per-second":0,"io.dm-12.write.time":9.996,"io.dm-12.write.time.per-second":0,"io.dm-13.all.active":0,"io.dm-13.all.time":56.256,"io.dm-13.all.time.per-second":7.1111111111103e-05,"io.dm-13.all.time_weighted":10.912,"io.dm-13.all.time_weighted.per-second":8.888888888892e-06,"io.dm-13.read.bytes":241840128,"io.dm-13.read.bytes.per-second":318.5777777777778,"io.dm-13.read.completed":59043,"io.dm-13.read.completed.per-second":0.07777777777777778,"io.dm-13.read.merged":0,"io.dm-13.read.merged.per-second":0,"io.dm-13.read.time":10.912,"io.dm-13.read.time.per-second":8.888888888892e-06,"io.dm-13.write.bytes":0,"io.dm-13.write.bytes.per-second":0,"io.dm-13.write.completed":0,"io.dm-13.write.completed.per-second":0,"io.dm-13.write.merged":0,"io.dm-13.write.merged.per-second":0,"io.dm-13.write.time":0,"io.dm-13.write.time.per-second":0,"io.dm-14.all.active":0,"io.dm-14.all.time":130,"io.dm-14.all.time.per-second":6.2222222222204e-05,"io.dm-14.all.time_weighted":3355.404,"io.dm-14.all.time_weighted.per-second":0,"io.dm-14.read.bytes":147021824,"io.dm-14.read.bytes.per-second":191.14666666666668,"io.dm-14.read.completed":35894,"io.dm-14.read.completed.per-second":0.04666666666666667,"io.dm-14.re
ad.merged":0,"io.dm-14.read.merged.per-second":0,"io.dm-14.read.time":4.676,"io.dm-14.read.time.per-second":0,"io.dm-14.write.bytes":470700032,"io.dm-14.write.bytes.per-second":0,"io.dm-14.write.completed":114917,"io.dm-14.write.completed.per-second":0,"io.dm-14.write.merged":0,"io.dm-14.write.merged.per-second":0,"io.dm-14.write.time":3350.728,"io.dm-14.write.time.per-second":0,"io.dm-15.all.active":0,"io.dm-15.all.time":54.716,"io.dm-15.all.time.per-second":6.2222222222219e-05,"io.dm-15.all.time_weighted":9.36,"io.dm-15.all.time_weighted.per-second":0,"io.dm-15.read.bytes":242913280,"io.dm-15.read.bytes.per-second":318.5777777777778,"io.dm-15.read.completed":59305,"io.dm-15.read.completed.per-second":0.07777777777777778,"io.dm-15.read.merged":0,"io.dm-15.read.merged.per-second":0,"io.dm-15.read.time":9.36,"io.dm-15.read.time.per-second":0,"io.dm-15.write.bytes":0,"io.dm-15.write.bytes.per-second":0,"io.dm-15.write.completed":0,"io.dm-15.write.completed.per-second":0,"io.dm-15.write.merged":0,"io.dm-15.write.merged.per-second":0,"io.dm-15.write.time":0,"io.dm-15.write.time.per-second":0,"io.dm-16.all.active":16,"io.dm-16.all.time":637767.992,"io.dm-16.all.time.per-second":0.9083644444443699,"io.dm-16.all.time_weighted":2641850.304,"io.dm-16.all.time_weighted.per-second":3.434506666666518,"io.dm-16.read.bytes":61582685184,"io.dm-16.read.bytes.per-second":9675.662222222221,"io.dm-16.read.completed":1283732,"io.dm-16.read.completed.per-second":1.36,"io.dm-16.read.merged":0,"io.dm-16.read.merged.per-second":0,"io.dm-16.read.time":16091.096,"io.dm-16.read.time.per-second":0.011724444444444088,"io.dm-16.write.bytes":752279527424,"io.dm-16.write.bytes.per-second":1052826.7377777777,"io.dm-16.write.completed":167568543,"io.dm-16.write.completed.per-second":242.17777777777778,"io.dm-16.write.merged":0,"io.dm-16.write.merged.per-second":0,"io.dm-16.write.time":2625759.208,"io.dm-16.write.time.per-second":3.4227822222219157,"io.dm-2.all.active":0,"io.dm-2.all.time":104.164,"i
o.dm-2.all.time.per-second":0.00013333333333333838,"io.dm-2.all.time_weighted":22.22,"io.dm-2.all.time_weighted.per-second":3.5555555555552e-05,"io.dm-2.read.bytes":367007744,"io.dm-2.read.bytes.per-second":477.8666666666667,"io.dm-2.read.completed":129344,"io.dm-2.read.completed.per-second":0.1711111111111111,"io.dm-2.read.merged":0,"io.dm-2.read.merged.per-second":0,"io.dm-2.read.time":22.22,"io.dm-2.read.time.per-second":3.5555555555552e-05,"io.dm-2.write.bytes":2048,"io.dm-2.write.bytes.per-second":0,"io.dm-2.write.completed":3,"io.dm-2.write.completed.per-second":0,"io.dm-2.write.merged":0,"io.dm-2.write.merged.per-second":0,"io.dm-2.write.time":0,"io.dm-2.write.time.per-second":0,"io.dm-3.all.active":0,"io.dm-3.all.time":56.684000000000005,"io.dm-3.all.time.per-second":7.1111111111119e-05,"io.dm-3.all.time_weighted":9.564,"io.dm-3.all.time_weighted.per-second":8.888888888888e-06,"io.dm-3.read.bytes":75597824,"io.dm-3.read.bytes.per-second":95.57333333333334,"io.dm-3.read.completed":58199,"io.dm-3.read.completed.per-second":0.07777777777777778,"io.dm-3.read.merged":0,"io.dm-3.read.merged.per-second":0,"io.dm-3.read.time":9.564,"io.dm-3.read.time.per-second":8.888888888888e-06,"io.dm-3.write.bytes":2048,"io.dm-3.write.bytes.per-second":0,"io.dm-3.write.completed":3,"io.dm-3.write.completed.per-second":0,"io.dm-3.write.merged":0,"io.dm-3.write.merged.per-second":0,"io.dm-3.write.time":0,"io.dm-3.write.time.per-second":0,"io.dm-4.all.active":0,"io.dm-4.all.time":54.788000000000004,"io.dm-4.all.time.per-second":8.8888888888887e-05,"io.dm-4.all.time_weighted":3.436,"io.dm-4.all.time_weighted.per-second":8.888888888889e-06,"io.dm-4.read.bytes":96223232,"io.dm-4.read.bytes.per-second":127.43111111111111,"io.dm-4.read.completed":23492,"io.dm-4.read.completed.per-second":0.03111111111111111,"io.dm-4.read.merged":0,"io.dm-4.read.merged.per-second":0,"io.dm-4.read.time":3.436,"io.dm-4.read.time.per-second":8.888888888889e-06,"io.dm-4.write.bytes":0,"io.dm-4.write.bytes.pe
r-second":0,"io.dm-4.write.completed":0,"io.dm-4.write.completed.per-second":0,"io.dm-4.write.merged":0,"io.dm-4.write.merged.per-second":0,"io.dm-4.write.time":0,"io.dm-4.write.time.per-second":0,"io.dm-5.all.active":0,"io.dm-5.all.time":58.424,"io.dm-5.all.time.per-second":9.7777777777771e-05,"io.dm-5.all.time_weighted":12.168000000000001,"io.dm-5.all.time_weighted.per-second":3.5555555555556e-05,"io.dm-5.read.bytes":240766976,"io.dm-5.read.bytes.per-second":318.5777777777778,"io.dm-5.read.completed":58781,"io.dm-5.read.completed.per-second":0.07777777777777778,"io.dm-5.read.merged":0,"io.dm-5.read.merged.per-second":0,"io.dm-5.read.time":12.168000000000001,"io.dm-5.read.time.per-second":3.5555555555556e-05,"io.dm-5.write.bytes":0,"io.dm-5.write.bytes.per-second":0,"io.dm-5.write.completed":0,"io.dm-5.write.completed.per-second":0,"io.dm-5.write.merged":0,"io.dm-5.write.merged.per-second":0,"io.dm-5.write.time":0,"io.dm-5.write.time.per-second":0,"io.dm-6.all.active":0,"io.dm-6.all.time":50.32,"io.dm-6.all.time.per-second":7.1111111111103e-05,"io.dm-6.all.time_weighted":2.024,"io.dm-6.all.time_weighted.per-second":8.888888888889e-06,"io.dm-6.read.bytes":95088640,"io.dm-6.read.bytes.per-second":127.43111111111111,"io.dm-6.read.completed":23215,"io.dm-6.read.completed.per-second":0.03111111111111111,"io.dm-6.read.merged":0,"io.dm-6.read.merged.per-second":0,"io.dm-6.read.time":2.024,"io.dm-6.read.time.per-second":8.888888888889e-06,"io.dm-6.write.bytes":0,"io.dm-6.write.bytes.per-second":0,"io.dm-6.write.completed":0,"io.dm-6.write.completed.per-second":0,"io.dm-6.write.merged":0,"io.dm-6.write.merged.per-second":0,"io.dm-6.write.time":0,"io.dm-6.write.time.per-second":0,"io.dm-7.all.active":0,"io.dm-7.all.time":52.72,"io.dm-7.all.time.per-second":7.1111111111103e-05,"io.dm-7.all.time_weighted":6.268,"io.dm-7.all.time_weighted.per-second":8.888888888888e-06,"io.dm-7.read.bytes":240766976,"io.dm-7.read.bytes.per-second":318.5777777777778,"io.dm-7.read.completed":5878
1,"io.dm-7.read.completed.per-second":0.07777777777777778,"io.dm-7.read.merged":0,"io.dm-7.read.merged.per-second":0,"io.dm-7.read.time":6.268,"io.dm-7.read.time.per-second":8.888888888888e-06,"io.dm-7.write.bytes":0,"io.dm-7.write.bytes.per-second":0,"io.dm-7.write.completed":0,"io.dm-7.write.completed.per-second":0,"io.dm-7.write.merged":0,"io.dm-7.write.merged.per-second":0,"io.dm-7.write.time":0,"io.dm-7.write.time.per-second":0,"io.dm-8.all.active":0,"io.dm-8.all.time":60.696,"io.dm-8.all.time.per-second":7.1111111111103e-05,"io.dm-8.all.time_weighted":13.76,"io.dm-8.all.time_weighted.per-second":8.888888888888e-06,"io.dm-8.read.bytes":266770432,"io.dm-8.read.bytes.per-second":318.5777777777778,"io.dm-8.read.completed":59560,"io.dm-8.read.completed.per-second":0.07777777777777778,"io.dm-8.read.merged":0,"io.dm-8.read.merged.per-second":0,"io.dm-8.read.time":13.212,"io.dm-8.read.time.per-second":8.888888888888e-06,"io.dm-8.write.bytes":694272,"io.dm-8.write.bytes.per-second":0,"io.dm-8.write.completed":534,"io.dm-8.write.completed.per-second":0,"io.dm-8.write.merged":0,"io.dm-8.write.merged.per-second":0,"io.dm-8.write.time":0.548,"io.dm-8.write.time.per-second":0,"io.dm-9.all.active":0,"io.dm-9.all.time":59.112,"io.dm-9.all.time.per-second":8.8888888888887e-05,"io.dm-9.all.time_weighted":11.936,"io.dm-9.all.time_weighted.per-second":2.6666666666668e-05,"io.dm-9.read.bytes":240766976,"io.dm-9.read.bytes.per-second":318.5777777777778,"io.dm-9.read.completed":58142,"io.dm-9.read.completed.per-second":0.07777777777777778,"io.dm-9.read.merged":0,"io.dm-9.read.merged.per-second":0,"io.dm-9.read.time":11.936,"io.dm-9.read.time.per-second":2.6666666666668e-05,"io.dm-9.write.bytes":0,"io.dm-9.write.bytes.per-second":0,"io.dm-9.write.completed":0,"io.dm-9.write.completed.per-second":0,"io.dm-9.write.merged":0,"io.dm-9.write.merged.per-second":0,"io.dm-9.write.time":0,"io.dm-9.write.time.per-second":0,"io.md0.all.active":0,"io.md0.all.time":0,"io.md0.all.time.per-second":
0,"io.md0.all.time_weighted":0,"io.md0.all.time_weighted.per-second":0,"io.md0.read.bytes":61952467968,"io.md0.read.bytes.per-second":10057.955555555556,"io.md0.read.completed":1354157,"io.md0.read.completed.per-second":1.4533333333333334,"io.md0.read.merged":0,"io.md0.read.merged.per-second":0,"io.md0.read.time":0,"io.md0.read.time.per-second":0,"io.md0.write.bytes":719338717184,"io.md0.write.bytes.per-second":1009427.3422222222,"io.md0.write.completed":167596937,"io.md0.write.completed.per-second":242.22222222222223,"io.md0.write.merged":0,"io.md0.write.merged.per-second":0,"io.md0.write.time":0,"io.md0.write.time.per-second":0,"io.os.all.active":0,"io.os.all.time":1867.412,"io.os.all.time.per-second":0.0026755555555554463,"io.os.all.time_weighted":54.328,"io.os.all.time_weighted.per-second":0.0002844444444444447,"io.os.read.bytes":6335244288,"io.os.read.bytes.per-second":5275.875555555555,"io.os.read.completed":1157257,"io.os.read.completed.per-second":1.4844444444444445,"io.os.read.merged":108571,"io.os.read.merged.per-second":0,"io.os.read.time":222.06,"io.os.read.time.per-second":0.00024222222222224194,"io.os.write.bytes":17257387008,"io.os.write.bytes.per-second":29263.644444444446,"io.os.write.completed":1520668,"io.os.write.completed.per-second":2.1377777777777776,"io.os.write.merged":2862109,"io.os.write.merged.per-second":5.242222222222222,"io.os.write.time":999.556,"io.os.write.time.per-second":0.0017666666666668284,"io.sda.all.active":0,"io.sda.all.time":1867.412,"io.sda.all.time.per-second":0.0026755555555554463,"io.sda.all.time_weighted":54.328,"io.sda.all.time_weighted.per-second":0.0002844444444444447,"io.sda.read.bytes":6335244288,"io.sda.read.bytes.per-second":5275.875555555555,"io.sda.read.completed":1157257,"io.sda.read.completed.per-second":1.4844444444444445,"io.sda.read.merged":108571,"io.sda.read.merged.per-second":0,"io.sda.read.time":222.06,"io.sda.read.time.per-second":0.00024222222222224194,"io.sda.write.bytes":17257387008,"io.sda.write.
bytes.per-second":29263.644444444446,"io.sda.write.completed":1520668,"io.sda.write.completed.per-second":2.1377777777777776,"io.sda.write.merged":2862109,"io.sda.write.merged.per-second":5.242222222222222,"io.sda.write.time":999.556,"io.sda.write.time.per-second":0.0017666666666668284,"io.sdb.all.active":0,"io.sdb.all.time":604133.336,"io.sdb.all.time.per-second":0.8646399999999752,"io.sdb.all.time_weighted":824529.36,"io.sdb.all.time_weighted.per-second":1.1067377777777923,"io.sdb.read.bytes":39336180736,"io.sdb.read.bytes.per-second":7467.235555555556,"io.sdb.read.completed":913772,"io.sdb.read.completed.per-second":1.1733333333333333,"io.sdb.read.merged":27107,"io.sdb.read.merged.per-second":0.0022222222222222222,"io.sdb.read.time":11608.338,"io.sdb.read.time.per-second":0.011466666666666344,"io.sdb.write.bytes":723171647488,"io.sdb.write.bytes.per-second":1012647.2533333333,"io.sdb.write.completed":124143748,"io.sdb.write.completed.per-second":181.2288888888889,"io.sdb.write.merged":43687049,"io.sdb.write.merged.per-second":61.54666666666667,"io.sdb.write.time":998376.752,"io.sdb.write.time.per-second":1.3692977777777964,"io.sdc.all.active":0,"io.sdc.all.time":605029.404,"io.sdc.all.time.per-second":0.8673422222222305,"io.sdc.all.time_weighted":826202.8,"io.sdc.all.time_weighted.per-second":1.0944888888889304,"io.sdc.read.bytes":22736346112,"io.sdc.read.bytes.per-second":2853.5466666666666,"io.sdc.read.completed":537202,"io.sdc.read.completed.per-second":0.46444444444444444,"io.sdc.read.merged":14023,"io.sdc.read.merged.per-second":0,"io.sdc.read.time":6483.71,"io.sdc.read.time.per-second":0.004668888888888129,"io.sdc.write.bytes":723171647488,"io.sdc.write.bytes.per-second":1012647.2533333333,"io.sdc.write.completed":124097230,"io.sdc.write.completed.per-second":181.25333333333333,"io.sdc.write.merged":43733644,"io.sdc.write.merged.per-second":61.522222222222226,"io.sdc.write.time":1005026.115,"io.sdc.write.time.per-second":1.358008888888742,"usage.data":39.73
282532596121,"usage.os":86.05915625626606}' +- event: + rawString: '{"_path":"files_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:10:30.930486Z","ts":["2025-04-17T17:00:28.362861Z"],"fuid":"FAMeL13eAQ3KtB9Xu5","tx_hosts":["192.168.12.32"],"rx_hosts":["192.168.10.175"],"conn_uids":["CPHP1L3nKik4PfQkLi"],"source":"HTTP","depth":0,"analyzers":["SHA1","MD5","DATA_EVENT","SHA256"],"mime_type":"application/xml","local_orig":true,"is_orig":false,"seen_bytes":2109,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"extracted":[],"md5":"68644403ead675fa40f4de8440091039","sha1":"b48f99fab90300bba83c1cbcb1b9b24806389f89","sha256":"6e00d3a25478da0bd32104e380ec76a20cb7cb8d43105856252a5178f71e5174","num":1}' +- event: + rawString: '{"_path":"known_hosts","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:10:09.698135Z","ts":"2025-04-17T16:53:55.914098Z","duration":910.0891220569611,"kuid":"KfKhs64hpZ6Wi","host_ip":"192.168.9.1","host_vlan":9,"conns_opened":0,"conns_closed":0,"conns_pending":0,"long_conns":0,"annotations":[],"last_active_session":"Kf6EDno4fYgp9","last_active_interval":975.0918500423431,"ep.status":"unknown"}' +- event: + rawString: '{"_path":"known_services","_system_name":"Lagermann-vSensor4","_write_ts":"2025-04-17T17:09:36.132194Z","ts":"2025-04-17T16:56:35.124859Z","duration":428.69005489349365,"kuid":"Kfy9Rl0ApqyPg","host_ip":"192.168.13.9","port":53,"protocol":"udp","service":["DNS"],"software":[],"app":[],"num_conns_pending":0,"num_conns_complete":13,"long_conns":0,"annotations":[],"last_active_session":"KfdGvNuUQpPCk","last_active_interval":865.7293698787689}' +- event: + rawString: '{"_path":"corelight_service_status","_system_name":"Lagermann-vSensor4","_write_ts":"2025-04-17T17:09:04Z","ts":"2025-04-17T17:09:04Z","id":"sensor_implementation","name":"Classic + Sensor","group":"platform","status":true,"message":""}' +- event: + rawString: 
'{"_path":"suricata_corelight","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:08:13.811250Z","ts":"2025-04-17T17:08:13.803383Z","uid":"CFZjEK2duHtV5BCf49","id.orig_h":"205.210.31.220","id.orig_p":50564,"id.resp_h":"96.35.155.237","id.resp_p":21,"suri_id":"SO84bmaiNiAh","flow_id":1480182953770061,"tx_id":0,"pcap_cnt":0,"alert.action":"allowed","alert.gid":1,"alert.signature_id":2402000,"alert.rev":7329,"alert.signature":"ET + DROP Dshield Block Listed Source group 1","alert.category":"Misc Attack","alert.severity":2,"alert.metadata":["affected_product:Any","attack_target:Any","created_at:2010_12_30","deployment:Perimeter","signature_severity:Major","tag:Dshield","updated_at:2025_04_03"],"alert.rule":"alert + ip [194.180.48.0/24,206.168.34.0/24,154.81.156.0/24,167.94.138.0/24,57.129.64.0/24,193.163.125.0/24,83.222.191.0/24,198.235.24.0/24,205.210.31.0/24,147.185.132.0/24,170.39.218.0/24,195.178.110.0/24,91.196.152.0/24,103.102.230.0/24,45.148.10.0/24,185.91.127.0/24,64.62.156.0/24,195.184.76.0/24,167.94.146.0/24,64.62.197.0/24] + any -> $HOME_NET any (msg:\"ET DROP Dshield Block Listed Source group 1\"; reference:url,feeds.dshield.org/block.txt; + metadata:affected_product Any, attack_target Any, deployment Perimeter, tag + Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2025_04_03; + classtype:misc-attack; threshold: type limit, track by_src, seconds 3600, count + 1; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; gid:1; sid:2402000; rev:7329;)","alert.references":["http://feeds.dshield.org/block.txt"],"community_id":"1:9bM39TAIl4Rw2JYARBD0i0Avi3g=","metadata":["flowbits:ET.Evil","flowbits:ET.DshieldIP"]}' +- event: + rawString: 
'{"_path":"analyzer","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:07:43.846471Z","ts":"2025-04-17T17:07:43.846471Z","cause":"violation","analyzer_kind":"protocol","analyzer_name":"SSL","uid":"Cx0ese4lTdU0HlWXE5","id.orig_h":"96.35.155.226","id.orig_p":59178,"id.resp_h":"44.233.168.176","id.resp_p":443,"failure_reason":"Invalid + version in TLS connection. Version: 16248"}' +- event: + rawString: '{"_path":"ssdp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:06:51.312633Z","ts":"2025-04-17T17:06:51.312632Z","uid":"CT5n7k3szVcb2Z9nij","id.orig_h":"192.168.10.175","id.orig_p":53308,"id.resp_h":"239.255.255.250","id.resp_p":1900,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","is_orig":true,"operation":"M-SEARCH * HTTP/1.1","host":"239.255.255.250:1900","target":"urn:dial-multiscreen-org:service:dial:1","man":"\"ssdp:discover\"","mx":"1","remaining_header_names":[],"remaining_header_values":[]}' +- event: + rawString: '{"_path":"weird","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:06:51.796347Z","ts":"2025-04-17T17:06:51.796347Z","uid":"CVljyn2eEGa0QBZE19","id.orig_h":"192.168.9.104","id.orig_p":38934,"id.resp_h":"192.168.10.1","id.resp_p":8080,"id.resp_ep_status":"Unsupported","id.resp_ep_uid":"2081026184155705172","id.resp_ep_name":"udm","id.resp_ep_source":"SentinelOne + Network Discovery","id.vlan":9,"name":"data_before_established","notice":false,"peer":"worker-03","source":"TCP"}' +- event: + rawString: "\t\n{\"_path\":\"weird_red\",\"_system_name\":\"Lab-AP200\"\ + ,\"_write_ts\":\"2025-04-17T17:06:51.796347Z\",\"ts\":\"2025-04-17T17:06:51.796347Z\"\ + ,\"uid\":\"CVljyn2eEGa0QBZE19\",\"id.orig_h\":\"192.168.9.104\",\"id.orig_p\"\ + :38934,\"id.resp_h\":\"192.168.10.1\",\"id.resp_p\":8080,\"id.resp_ep_status\"\ + 
:\"Unsupported\",\"id.resp_ep_uid\":\"2081026184155705172\",\"id.resp_ep_name\"\ + :\"udm\",\"id.resp_ep_source\":\"SentinelOne Network Discovery\",\"id.vlan\"\ + :9,\"name\":\"data_before_established\",\"notice\":false,\"peer\":\"worker-03\"\ + ,\"source\":\"TCP\"}" +- event: + rawString: '{"_path":"ntp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:06:31.759233Z","ts":"2025-04-17T17:06:31.759233Z","uid":"C4KnEm6oK0fsMxKr3","id.orig_h":"192.168.12.212","id.orig_p":123,"id.resp_h":"45.84.199.136","id.resp_p":123,"id.orig_ep_status":"managed","id.orig_ep_uid":"fae3f73ce1404e0aae1626dbddfc3fe8","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_name":"skynet","id.orig_ep_source":"CrowdStrike","id.vlan":12,"version":4,"mode":4,"stratum":2,"poll":64.0,"precision":5.960464477539063e-8,"root_delay":0.004180908203125,"root_disp":0.021026611328125,"ref_id":"189.97.54.122","ref_time":"2025-04-17T17:02:42.656591Z","org_time":"2025-04-17T17:06:30.637954Z","rec_time":"2025-04-17T17:06:31.696407Z","xmt_time":"2025-04-17T17:06:31.696428Z","num_exts":0}' +- event: + rawString: | + {"_path":"corelight_overall_capture_loss","_system_name":"Lagermann-vSensor4","_write_ts":"2025-04-17T17:05:53.198853Z","ts":"2025-04-17T17:05:53.198853Z","gaps":0.0,"acks":49.0,"percent_lost":0.0} +- event: + rawString: '{"_path":"known_devices","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:05:19.674550Z","ts":"2025-04-17T16:49:06.671083Z","duration":920.7938411235809,"kuid":"KfdD0C5KCONE1","host_ip":"192.168.12.10","host_vlan":12,"mac":"dc:a6:32:c7:24:34","vendor_mac":"Raspberry + Pi Trading Ltd","protocols":["CrowdStrike"],"num_conns":0,"long_conns":0,"annotations":["CrowdStrike/unsupported"],"last_active_session":"Kfhb1sjkgKi9f","last_active_interval":888.3273181915283}' +- event: + rawString: 
'{"_path":"stun","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:00:47.969691Z","ts":"2025-04-17T17:00:47.969691Z","uid":"C2j99toF2ToHySZVh","id.orig_h":"96.35.155.230","id.orig_p":56885,"id.resp_h":"34.203.251.225","id.resp_p":3478,"proto":"udp","is_orig":true,"trans_id":"Ua5xQ2QuP8+t","method":"BINDING","class":"REQUEST","attr_types":[],"attr_vals":[]}' +- event: + rawString: '{"_path":"quic","_system_name":"Lab-AP200","_write_ts":"2025-04-17T17:00:47.363948Z","ts":"2025-04-17T16:59:47.192371Z","uid":"CXb9Mo1uYMuU4EP0y1","id.orig_h":"192.168.10.175","id.orig_p":59354,"id.resp_h":"172.217.4.74","id.resp_p":443,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.vlan":1,"version":"1","client_initial_dcid":"e33cb3100d73681b","client_scid":"","server_scid":"e33cb3100d73681b","history":"IIZiiishH"}' +- event: + rawString: '{"_path":"http_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:58:54.934800Z","ts":"2025-04-17T16:58:54.876519Z","uid":"CPHP1L3nKik4PfQkLi","id.orig_h":"192.168.10.175","id.orig_p":52431,"id.resp_h":"192.168.12.32","id.resp_p":8000,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.vlan":1,"trans_depth":454,"method":"GET","dest_host":"splunk-mgmt.lagermann.net:8000","uri":"/en-US/splunkd/__raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search + index=corelight path!=conn path!=ssl_red path!=ecat_arp_info&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&_=1744908176843","version":"1.1","user_agent":"Mozilla/5.0 + (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 + 
Safari/537.36","request_body_len":0,"response_body_len":39440,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FmwVCl33F6bQVHuZUd"],"resp_mime_types":["text/json"]}' +- event: + rawString: '{"_path":"ssl_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:58:08.691872Z","ts":"2025-04-17T16:58:08.611599Z","uid":"CkZAUX1lbYUjahd93l","id.orig_h":"192.168.12.221","id.orig_p":48040,"id.resp_h":"52.21.3.59","id.resp_p":443,"id.orig_ep_status":"unmanaged","id.orig_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_abb6c27309cf3730bb73e8cfd732d838","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_source":"CrowdStrike","id.vlan":12,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"x25519","server_name":"release.api.corelight.io","resumed":false,"established":true,"ssl_history":"CsxkrnXGYIti","cert_chain_fps":["f7a978806e2a3cb1547c837c7c1e2e73c426321e1d455a4715ddbc3e28c1f931"],"client_cert_chain_fps":["bd3b240e5d824c3a0fc1ca1d9f85a4327596a484166b6c02b540df169623c5a1","0ac0d2c0906872cc4dbf50153788a5a3758ebaaca83481b80b545ff0bde62c0a","c86b9c79c08d0d370560333346215251594bb17dd3a7fa29f34334fa1708bead"],"sni_matches_cert":true,"validation_status":"unable + to get local issuer certificate","ja3":"d39e1be3241d516b1f714bd47c2bc968","ja3s":"567bb420d39046dbfd1f68b558d86382"}' +- event: + rawString: "\t\n{\"_path\":\"suricata_stats\",\"_system_name\":\"Lagermann-vSensor4\"\ + ,\"_write_ts\":\"2025-04-17T16:55:51.272473Z\",\"raw_mgmt\":\"{\\\"timestamp\\\ + \": \\\"2025-04-17T09:55:51.271847-0700\\\", \\\"event_type\\\": \\\"stats\\\ + \", \\\"stats\\\": {\\\"uptime\\\": 688386, \\\"capture\\\": {\\\"kernel_packets\\\ + \": 2964294, \\\"kernel_drops\\\": 0}, \\\"decoder\\\": {\\\"pkts\\\": 2964294,\ + \ \\\"bytes\\\": 1525955212, \\\"invalid\\\": 0, \\\"ipv4\\\": 1922528, \\\"\ + ipv6\\\": 392, \\\"ethernet\\\": 2964294, \\\"arp\\\": 674493, \\\"unknown_ethertype\\\ + \": 366881, \\\"chdlc\\\": 0, \\\"raw\\\": 0, \\\"null\\\": 0, 
\\\"sll\\\":\ + \ 0, \\\"tcp\\\": 1589937, \\\"udp\\\": 321094, \\\"sctp\\\": 0, \\\"esp\\\"\ + : 0, \\\"icmpv4\\\": 148, \\\"icmpv6\\\": 392, \\\"ppp\\\": 0, \\\"pppoe\\\"\ + : 0, \\\"geneve\\\": 0, \\\"gre\\\": 0, \\\"vlan\\\": 0, \\\"vlan_qinq\\\":\ + \ 0, \\\"vlan_qinqinq\\\": 0, \\\"vxlan\\\": 0, \\\"vntag\\\": 0, \\\"ieee8021ah\\\ + \": 0, \\\"teredo\\\": 0, \\\"ipv4_in_ipv6\\\": 0, \\\"ipv6_in_ipv6\\\": 0,\ + \ \\\"mpls\\\": 0, \\\"avg_pkt_size\\\": 514, \\\"max_pkt_size\\\": 1514, \\\ + \"max_mac_addrs_src\\\": 0, \\\"max_mac_addrs_dst\\\": 0, \\\"erspan\\\": 0,\ + \ \\\"nsh\\\": 0, \\\"event\\\": {\\\"ipv4\\\": {\\\"pkt_too_small\\\": 0, \\\ + \"hlen_too_small\\\": 0, \\\"iplen_smaller_than_hlen\\\": 0, \\\"trunc_pkt\\\ + \": 0, \\\"opt_invalid\\\": 0, \\\"opt_invalid_len\\\": 0, \\\"opt_malformed\\\ + \": 0, \\\"opt_pad_required\\\": 11349, \\\"opt_eol_required\\\": 0, \\\"opt_duplicate\\\ + \": 0, \\\"opt_unknown\\\": 0, \\\"wrong_ip_version\\\": 0, \\\"icmpv6\\\":\ + \ 0, \\\"frag_pkt_too_large\\\": 0, \\\"frag_overlap\\\": 0, \\\"frag_ignored\\\ + \": 0}, \\\"icmpv4\\\": {\\\"pkt_too_small\\\": 0, \\\"unknown_type\\\": 0,\ + \ \\\"unknown_code\\\": 0, \\\"ipv4_trunc_pkt\\\": 0, \\\"ipv4_unknown_ver\\\ + \": 0}, \\\"icmpv6\\\": {\\\"unknown_type\\\": 0, \\\"unknown_code\\\": 0, \\\ + \"pkt_too_small\\\": 0, \\\"ipv6_unknown_version\\\": 0, \\\"ipv6_trunc_pkt\\\ + \": 0, \\\"mld_message_with_invalid_hl\\\": 0, \\\"unassigned_type\\\": 0, \\\ + \"experimentation_type\\\": 0}, \\\"ipv6\\\": {\\\"pkt_too_small\\\": 0, \\\"\ + trunc_pkt\\\": 0, \\\"trunc_exthdr\\\": 0, \\\"exthdr_dupl_fh\\\": 0, \\\"exthdr_useless_fh\\\ + \": 0, \\\"exthdr_dupl_rh\\\": 0, \\\"exthdr_dupl_hh\\\": 0, \\\"exthdr_dupl_dh\\\ + \": 0, \\\"exthdr_dupl_ah\\\": 0, \\\"exthdr_dupl_eh\\\": 0, \\\"exthdr_invalid_optlen\\\ + \": 0, \\\"wrong_ip_version\\\": 0, \\\"exthdr_ah_res_not_null\\\": 0, \\\"\ + hopopts_unknown_opt\\\": 0, \\\"hopopts_only_padding\\\": 0, 
\\\"dstopts_unknown_opt\\\ + \": 0, \\\"dstopts_only_padding\\\": 0, \\\"rh_type_0\\\": 0, \\\"zero_len_padn\\\ + \": 6, \\\"fh_non_zero_reserved_field\\\": 0, \\\"data_after_none_header\\\"\ + : 0, \\\"unknown_next_header\\\": 0, \\\"icmpv4\\\": 0, \\\"frag_pkt_too_large\\\ + \": 0, \\\"frag_overlap\\\": 0, \\\"frag_invalid_length\\\": 0, \\\"frag_ignored\\\ + \": 0, \\\"ipv4_in_ipv6_too_small\\\": 0, \\\"ipv4_in_ipv6_wrong_version\\\"\ + : 0, \\\"ipv6_in_ipv6_too_small\\\": 0, \\\"ipv6_in_ipv6_wrong_version\\\":\ + \ 0}, \\\"tcp\\\": {\\\"pkt_too_small\\\": 0, \\\"hlen_too_small\\\": 0, \\\"\ + invalid_optlen\\\": 0, \\\"opt_invalid_len\\\": 0, \\\"opt_duplicate\\\": 0},\ + \ \\\"udp\\\": {\\\"pkt_too_small\\\": 0, \\\"hlen_too_small\\\": 0, \\\"hlen_invalid\\\ + \": 0, \\\"len_invalid\\\": 0}, \\\"sll\\\": {\\\"pkt_too_small\\\": 0}, \\\"\ + ethernet\\\": {\\\"pkt_too_small\\\": 0}, \\\"ppp\\\": {\\\"pkt_too_small\\\"\ + : 0, \\\"vju_pkt_too_small\\\": 0, \\\"ip4_pkt_too_small\\\": 0, \\\"ip6_pkt_too_small\\\ + \": 0, \\\"wrong_type\\\": 0, \\\"unsup_proto\\\": 0}, \\\"pppoe\\\": {\\\"\ + pkt_too_small\\\": 0, \\\"wrong_code\\\": 0, \\\"malformed_tags\\\": 0}, \\\"\ + gre\\\": {\\\"pkt_too_small\\\": 0, \\\"wrong_version\\\": 0, \\\"version0_recur\\\ + \": 0, \\\"version0_flags\\\": 0, \\\"version0_hdr_too_big\\\": 0, \\\"version0_malformed_sre_hdr\\\ + \": 0, \\\"version1_chksum\\\": 0, \\\"version1_route\\\": 0, \\\"version1_ssr\\\ + \": 0, \\\"version1_recur\\\": 0, \\\"version1_flags\\\": 0, \\\"version1_no_key\\\ + \": 0, \\\"version1_wrong_protocol\\\": 0, \\\"version1_malformed_sre_hdr\\\"\ + : 0, \\\"version1_hdr_too_big\\\": 0}, \\\"vlan\\\": {\\\"header_too_small\\\ + \": 0, \\\"unknown_type\\\": 0, \\\"too_many_layers\\\": 0}, \\\"ieee8021ah\\\ + \": {\\\"header_too_small\\\": 0}, \\\"vntag\\\": {\\\"header_too_small\\\"\ + : 0, \\\"unknown_type\\\": 0}, \\\"ipraw\\\": {\\\"invalid_ip_version\\\": 0},\ + \ \\\"ltnull\\\": {\\\"pkt_too_small\\\": 0, 
\\\"unsupported_type\\\": 0}, \\\ + \"sctp\\\": {\\\"pkt_too_small\\\": 0}, \\\"esp\\\": {\\\"pkt_too_small\\\"\ + : 0}, \\\"mpls\\\": {\\\"header_too_small\\\": 0, \\\"pkt_too_small\\\": 0,\ + \ \\\"bad_label_router_alert\\\": 0, \\\"bad_label_implicit_null\\\": 0, \\\"\ + bad_label_reserved\\\": 0, \\\"unknown_payload_type\\\": 0}, \\\"vxlan\\\":\ + \ {\\\"unknown_payload_type\\\": 0}, \\\"geneve\\\": {\\\"unknown_payload_type\\\ + \": 0}, \\\"erspan\\\": {\\\"header_too_small\\\": 0, \\\"unsupported_version\\\ + \": 0, \\\"too_many_vlan_layers\\\": 0}, \\\"dce\\\": {\\\"pkt_too_small\\\"\ + : 0}, \\\"chdlc\\\": {\\\"pkt_too_small\\\": 0}, \\\"nsh\\\": {\\\"header_too_small\\\ + \": 0, \\\"unsupported_version\\\": 0, \\\"bad_header_length\\\": 0, \\\"reserved_type\\\ + \": 0, \\\"unsupported_type\\\": 0, \\\"unknown_payload\\\": 0}}, \\\"too_many_layers\\\ + \": 0}, \\\"tcp\\\": {\\\"syn\\\": 6607, \\\"synack\\\": 5925, \\\"rst\\\":\ + \ 8162, \\\"active_sessions\\\": 2, \\\"sessions\\\": 6420, \\\"ssn_memcap_drop\\\ + \": 0, \\\"ssn_from_cache\\\": 5317, \\\"ssn_from_pool\\\": 1103, \\\"pseudo\\\ + \": 0, \\\"pseudo_failed\\\": 0, \\\"invalid_checksum\\\": 0, \\\"midstream_pickups\\\ + \": 0, \\\"pkt_on_wrong_thread\\\": 0, \\\"ack_unseen_data\\\": 2924, \\\"segment_memcap_drop\\\ + \": 0, \\\"segment_from_cache\\\": 264405, \\\"segment_from_pool\\\": 1600,\ + \ \\\"stream_depth_reached\\\": 211, \\\"reassembly_gap\\\": 0, \\\"overlap\\\ + \": 66, \\\"overlap_diff_data\\\": 0, \\\"insert_data_normal_fail\\\": 0, \\\ + \"insert_data_overlap_fail\\\": 0, \\\"memuse\\\": 5920000, \\\"reassembly_memuse\\\ + \": 241664}, \\\"flow\\\": {\\\"memcap\\\": 0, \\\"total\\\": 130696, \\\"active\\\ + \": 41, \\\"tcp\\\": 6744, \\\"udp\\\": 123565, \\\"icmpv4\\\": 0, \\\"icmpv6\\\ + \": 387, \\\"tcp_reuse\\\": 59, \\\"get_used\\\": 0, \\\"get_used_eval\\\":\ + \ 0, \\\"get_used_eval_reject\\\": 0, \\\"get_used_eval_busy\\\": 0, \\\"get_used_failed\\\ + \": 0, \\\"wrk\\\": 
{\\\"spare_sync_avg\\\": 99, \\\"spare_sync\\\": 1260, \\\ + \"spare_sync_incomplete\\\": 418, \\\"spare_sync_empty\\\": 0, \\\"flows_evicted_needs_work\\\ + \": 5319, \\\"flows_evicted_pkt_inject\\\": 6090, \\\"flows_evicted\\\": 404,\ + \ \\\"flows_injected\\\": 5290, \\\"flows_injected_max\\\": 2}, \\\"end\\\"\ + : {\\\"state\\\": {\\\"new\\\": 12049, \\\"established\\\": 112870, \\\"closed\\\ + \": 5526, \\\"local_bypassed\\\": 210, \\\"capture_bypassed\\\": 0}, \\\"tcp_state\\\ + \": {\\\"none\\\": 0, \\\"syn_sent\\\": 650, \\\"syn_recv\\\": 23, \\\"established\\\ + \": 210, \\\"fin_wait1\\\": 1, \\\"fin_wait2\\\": 0, \\\"time_wait\\\": 0, \\\ + \"last_ack\\\": 0, \\\"close_wait\\\": 8, \\\"closing\\\": 0, \\\"closed\\\"\ + : 5526}, \\\"tcp_liberal\\\": 0}, \\\"mgr\\\": {\\\"full_hash_pass\\\": 69109,\ + \ \\\"rows_per_sec\\\": 6553, \\\"rows_maxlen\\\": 2, \\\"flows_checked\\\"\ + : 312706, \\\"flows_notimeout\\\": 182196, \\\"flows_timeout\\\": 130510, \\\ + \"flows_evicted\\\": 130510, \\\"flows_evicted_needs_work\\\": 5290}, \\\"spare\\\ + \": 9850, \\\"emerg_mode_entered\\\": 0, \\\"emerg_mode_over\\\": 0, \\\"recycler\\\ + \": {\\\"recycled\\\": 125220, \\\"queue_avg\\\": 0, \\\"queue_max\\\": 33},\ + \ \\\"memuse\\\": 7154304}, \\\"defrag\\\": {\\\"ipv4\\\": {\\\"fragments\\\"\ + : 0, \\\"reassembled\\\": 0}, \\\"ipv6\\\": {\\\"fragments\\\": 0, \\\"reassembled\\\ + \": 0}, \\\"max_frag_hits\\\": 0}, \\\"flow_bypassed\\\": {\\\"local_pkts\\\"\ + : 1113331, \\\"local_bytes\\\": 1050845218, \\\"local_capture_pkts\\\": 0, \\\ + \"local_capture_bytes\\\": 0, \\\"closed\\\": 0, \\\"pkts\\\": 0, \\\"bytes\\\ + \": 0}, \\\"detect\\\": {\\\"engines\\\": [{\\\"id\\\": 0, \\\"last_reload\\\ + \": \\\"2025-04-09T10:44:27.288427-0700\\\", \\\"rules_loaded\\\": 79994, \\\ + \"rules_failed\\\": 4, \\\"rules_skipped\\\": 0}], \\\"alert\\\": 412, \\\"\ + alert_queue_overflow\\\": 0, \\\"alerts_suppressed\\\": 107}, \\\"app_layer\\\ + \": {\\\"flow\\\": {\\\"http\\\": 
88, \\\"ftp\\\": 0, \\\"smtp\\\": 0, \\\"\ + tls\\\": 4156, \\\"ssh\\\": 2, \\\"imap\\\": 0, \\\"smb\\\": 0, \\\"dcerpc_tcp\\\ + \": 0, \\\"dns_tcp\\\": 741, \\\"nfs_tcp\\\": 0, \\\"ntp\\\": 3262, \\\"ftp-data\\\ + \": 0, \\\"tftp\\\": 0, \\\"ike\\\": 0, \\\"krb5_tcp\\\": 0, \\\"quic\\\": 0,\ + \ \\\"dhcp\\\": 0, \\\"rfb\\\": 0, \\\"telnet\\\": 0, \\\"rdp\\\": 0, \\\"failed_tcp\\\ + \": 2, \\\"dcerpc_udp\\\": 0, \\\"dns_udp\\\": 109553, \\\"nfs_udp\\\": 0, \\\ + \"krb5_udp\\\": 0, \\\"failed_udp\\\": 10750}, \\\"tx\\\": {\\\"http\\\": 200,\ + \ \\\"ftp\\\": 0, \\\"smtp\\\": 0, \\\"tls\\\": 0, \\\"ssh\\\": 0, \\\"imap\\\ + \": 0, \\\"smb\\\": 0, \\\"dcerpc_tcp\\\": 0, \\\"dns_tcp\\\": 1614, \\\"nfs_tcp\\\ + \": 0, \\\"ntp\\\": 3262, \\\"ftp-data\\\": 0, \\\"tftp\\\": 0, \\\"ike\\\"\ + : 0, \\\"krb5_tcp\\\": 0, \\\"quic\\\": 0, \\\"dhcp\\\": 0, \\\"rfb\\\": 0,\ + \ \\\"telnet\\\": 0, \\\"rdp\\\": 0, \\\"dcerpc_udp\\\": 0, \\\"dns_udp\\\"\ + : 238173, \\\"nfs_udp\\\": 0, \\\"krb5_udp\\\": 0}, \\\"error\\\": {\\\"http\\\ + \": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\":\ + \ 0}, \\\"ftp\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"\ + internal\\\": 0}, \\\"smtp\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\ + \": 0, \\\"internal\\\": 0}, \\\"tls\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0,\ + \ \\\"parser\\\": 816, \\\"internal\\\": 0}, \\\"ssh\\\": {\\\"gap\\\": 0, \\\ + \"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"imap\\\": {\\\"\ + gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"\ + smb\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}, \\\"dcerpc_tcp\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\"\ + : 0, \\\"internal\\\": 0}, \\\"dns_tcp\\\": {\\\"gap\\\": 0, \\\"alloc\\\":\ + \ 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"nfs_tcp\\\": {\\\"gap\\\"\ + : 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"ntp\\\"\ + : 
{\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0},\ + \ \\\"ftp-data\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\ + \"internal\\\": 0}, \\\"tftp\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\ + \": 0, \\\"internal\\\": 0}, \\\"ike\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0,\ + \ \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"krb5_tcp\\\": {\\\"gap\\\": 0,\ + \ \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"quic\\\": {\\\ + \"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"\ + dhcp\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}, \\\"rfb\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"parser\\\": 0, \\\ + \"internal\\\": 0}, \\\"telnet\\\": {\\\"gap\\\": 0, \\\"alloc\\\": 0, \\\"\ + parser\\\": 0, \\\"internal\\\": 0}, \\\"rdp\\\": {\\\"gap\\\": 0, \\\"alloc\\\ + \": 0, \\\"parser\\\": 0, \\\"internal\\\": 0}, \\\"failed_tcp\\\": {\\\"gap\\\ + \": 0}, \\\"dcerpc_udp\\\": {\\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}, \\\"dns_udp\\\": {\\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}, \\\"nfs_udp\\\": {\\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}, \\\"krb5_udp\\\": {\\\"alloc\\\": 0, \\\"parser\\\": 0, \\\"internal\\\ + \": 0}}, \\\"expectations\\\": 0}, \\\"memcap\\\": {\\\"pressure\\\": 8, \\\"\ + pressure_max\\\": 8}, \\\"http\\\": {\\\"memuse\\\": 0, \\\"memcap\\\": 0},\ + \ \\\"ftp\\\": {\\\"memuse\\\": 0, \\\"memcap\\\": 0}, \\\"file_store\\\": {\\\ + \"open_files\\\": 0}}, \\\"host\\\": \\\"Lab-AP200\\\"}\"}" +- event: + rawString: 
'{"_path":"conn_red","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:55:51.393737Z","ts":"2025-04-17T16:55:46.377799Z","uid":"CsggHv2hiCLxF9TIZ5","id.orig_h":"192.168.12.223","id.orig_p":39139,"id.resp_h":"192.168.12.10","id.resp_p":53,"id.orig_ep_status":"unmanaged","id.orig_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_a4898ad116e93d108ae98545d57ebfb1","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_source":"CrowdStrike","id.resp_ep_status":"unsupported","id.resp_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_ced83f0c26493b638086fdc7b8b2c01d","id.resp_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.resp_ep_source":"CrowdStrike","id.vlan":12,"proto":"tcp","service":"dns","duration":0.01592397689819336,"orig_bytes":86,"resp_bytes":104,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":406,"resp_pkts":4,"resp_ip_bytes":320,"id.orig_h_name.src":"DNS_A","id.orig_h_name.vals":["lagermann-vsensor3.lagermann.net"],"id.resp_h_name.src":"DNS_PTR","id.resp_h_name.vals":["ns2.lagermann.net","pi.hole"],"orig_l2_addr":"00:50:56:95:70:f2","resp_l2_addr":"dc:a6:32:c7:24:34","vlan":12,"community_id":"1:GPEvHckvENDo3QN6YdEEy2icprY=","corelight_shunted":false,"orig_ep_status":"unmanaged","orig_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_a4898ad116e93d108ae98545d57ebfb1","orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","orig_ep_source":"CrowdStrike","resp_ep_status":"unsupported","resp_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_ced83f0c26493b638086fdc7b8b2c01d","resp_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","resp_ep_source":"CrowdStrike"}' +- event: + rawString: '{"_path":"ecat_arp_info","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:55:51.813794Z","ts":"2025-04-17T16:55:51.813794Z","arp_type":"Request","mac_src":"00:0c:29:3d:9a:09","mac_dst":"ff:ff:ff:ff:ff:ff","SPA":"192.168.12.32","SHA":"00:0c:29:3d:9a:09","TPA":"192.168.12.29","THA":"00:00:00:00:00:00"}' +- event: + rawString: 
'{"_path":"files","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:55:51.877662Z","ts":"2025-04-17T16:55:51.877651Z","fuid":"FCqjJX3gViIYsRbvHd","uid":"CJSlFT1DfUmHD74r1","id.orig_h":"192.168.10.175","id.orig_p":53087,"id.resp_h":"192.168.12.32","id.resp_p":8000,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.vlan":1,"source":"HTTP","depth":0,"analyzers":["SHA1","DATA_EVENT","MD5","SHA256"],"mime_type":"text/json","duration":0.000010967254638671875,"local_orig":true,"is_orig":false,"seen_bytes":7015,"missing_bytes":0,"overflow_bytes":0,"timedout":false,"md5":"5a62d6268b975858d513740d4423a14d","sha1":"88e86ae02e6e16e54213b33afc1552e9938c9a06","sha256":"f280267a4b23db23a8725ff1433f893e4d3bf476f254a6000382174e705e6ea2","tx_hosts":["192.168.12.32"],"rx_hosts":["192.168.10.175"],"conn_uids":["CJSlFT1DfUmHD74r1"],"vlan":1}' +- event: + rawString: '{"_path":"ntp","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:55:31.878661Z","ts":"2025-04-17T16:55:31.878661Z","uid":"CVL6uy4XT08bXrh4Ah","id.orig_h":"192.168.12.212","id.orig_p":123,"id.resp_h":"45.55.126.202","id.resp_p":123,"id.orig_ep_status":"managed","id.orig_ep_uid":"fae3f73ce1404e0aae1626dbddfc3fe8","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_name":"skynet","id.orig_ep_source":"CrowdStrike","id.vlan":12,"version":4,"mode":4,"stratum":2,"poll":64.0,"precision":5.960464477539063e-8,"root_delay":0.007568359375,"root_disp":0.0006103515625,"ref_id":"173.71.68.71","ref_time":"2025-04-17T16:51:30.199197Z","org_time":"2025-04-17T16:55:09.985034Z","rec_time":"2025-04-17T16:55:31.853266Z","xmt_time":"2025-04-17T16:55:31.853321Z","num_exts":0}' +- event: + rawString: 
'{"_path":"http","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:47:55.585487Z","ts":"2025-04-17T16:47:55.579912Z","uid":"CPHP1L3nKik4PfQkLi","id.orig_h":"192.168.10.175","id.orig_p":52431,"id.resp_h":"192.168.12.32","id.resp_p":8000,"id.orig_ep_status":"Secured","id.orig_ep_uid":"60f49f177a234282bac10ad25b1fb35d","id.orig_ep_name":"James-Desktop","id.orig_ep_ostype":"windows","id.orig_ep_type":"desktop","id.orig_ep_source":"SentinelOne + Agents","id.vlan":1,"trans_depth":166,"method":"GET","dest_host":"splunk-mgmt.lagermann.net:8000","uri":"/en-US/splunkd/__raw/servicesNS/nobody/search/search/v2/jobs/1744908462.1845402?output_mode=json&_=1744908176419","version":"1.1","user_agent":"Mozilla/5.0 + (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 + Safari/537.36","request_body_len":0,"response_body_len":7054,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FZ5cqA1zc1lErZXp3d"],"resp_mime_types":["text/json"]}' +- event: + rawString: '{"_path":"ssl","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:46:44.910686Z","ts":"2025-04-17T16:46:44.880347Z","uid":"CIy4yz33i5xIPTrTCl","id.orig_h":"96.35.155.226","id.orig_p":52185,"id.resp_h":"142.250.191.170","id.resp_p":443,"version":"TLSv13","cipher":"TLS_AES_256_GCM_SHA384","curve":"x25519","server_name":"malachiteingestion-pa.googleapis.com","resumed":true,"established":true,"ssl_history":"CsiI","ja3":"e2b3f11e24dd58143ea31083d73ebd13","ja3s":"f590053ff246338aff7c203dbe7164d6"}' +- event: + rawString: 
'{"_path":"dns","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:45:19.747268Z","ts":"2025-04-17T16:45:19.733251Z","uid":"CcntUFE94ZBRpmdJ5","id.orig_h":"192.168.12.223","id.orig_p":40929,"id.resp_h":"192.168.12.10","id.resp_p":53,"id.orig_ep_status":"unmanaged","id.orig_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_a4898ad116e93d108ae98545d57ebfb1","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_source":"CrowdStrike","id.resp_ep_status":"unsupported","id.resp_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_ced83f0c26493b638086fdc7b8b2c01d","id.resp_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.resp_ep_source":"CrowdStrike","id.vlan":12,"proto":"tcp","trans_id":7771,"rtt":0.014016866683959961,"query":"223.12.168.192.in-addr.arpa","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["lagermann-vsensor3.lagermann.net"],"TTLs":[0.0],"rejected":false,"is_trusted_domain":true,"icann_domain":"in-addr.arpa","icann_tld":"in-addr.arpa"}' +- event: + rawString: 
'{"_path":"conn","_system_name":"Lab-AP200","_write_ts":"2025-04-17T16:42:19.666616Z","ts":"2025-04-17T16:42:09.666579Z","uid":"CHT3jx1xVeqkjdI2bf","id.orig_h":"192.168.12.212","id.orig_p":53326,"id.resp_h":"192.168.12.9","id.resp_p":53,"id.orig_ep_status":"managed","id.orig_ep_uid":"fae3f73ce1404e0aae1626dbddfc3fe8","id.orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.orig_ep_name":"skynet","id.orig_ep_source":"CrowdStrike","id.resp_ep_status":"unsupported","id.resp_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_9caa11e26d1f371797e73e9b9199d481","id.resp_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","id.resp_ep_source":"CrowdStrike","id.vlan":12,"proto":"udp","service":"dns","duration":0.0018169879913330078,"orig_bytes":84,"resp_bytes":172,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"Dd","orig_pkts":2,"orig_ip_bytes":140,"resp_pkts":2,"resp_ip_bytes":228,"id.orig_h_name.src":"DNS_A","id.orig_h_name.vals":["fleet.lagermann.net"],"id.resp_h_name.src":"DNS_A","id.resp_h_name.vals":["smtp.lagermann.net"],"orig_l2_addr":"00:50:56:a1:1f:07","resp_l2_addr":"dc:a6:32:c7:2b:45","vlan":12,"community_id":"1:aZrRCvaWIw/gZtt9bjie+lfxT70=","corelight_shunted":false,"orig_ep_status":"managed","orig_ep_uid":"fae3f73ce1404e0aae1626dbddfc3fe8","orig_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","orig_ep_name":"skynet","orig_ep_source":"CrowdStrike","resp_ep_status":"unsupported","resp_ep_uid":"e29b670f12d342e3bcc7170a288a0dbd_9caa11e26d1f371797e73e9b9199d481","resp_ep_cid":"e29b670f12d342e3bcc7170a288a0dbd","resp_ep_source":"CrowdStrike"}' $schema: https://schemas.humio.com/parser/v0.3.0 -script: | - // CrowdStrike Falcon Complete LogScale - // Corelight Parser - // Copyright: CrowdStrike 2025 +script: |- + // Corelight Sensor Parser // #region PREPARSE /************************************************************ 
@@ -15,11 +383,11 @@ script: | // Documentation: https://docs.zeek.org/en/master/log-formats.html#zeek-json-format-logs - | parseJson(prefix="Vendor.", excludeEmpty=true, handleNull=discard) + parseJson(prefix="Vendor.", excludeEmpty=true, handleNull=discard) | parseTimestamp("yyyy-MM-dd'T'HH:mm:ss[.SSSSSS]XXX", field=Vendor._write_ts) // For later use - | rename(field="Vendor._path",as="_path") + | _path := Vendor._path // #endregion @@ -33,7 +401,6 @@ script: | | event.module := "ids" | ecs.version:="8.17.0" | event.kind:="event" - // event.category and event.type handled below // #endregion 
@@ -44,42 +411,126 @@ script: | ************************************************************/ // Event Fields - | event.action := rename(Vendor.operation) - | event.action := rename(Vendor.action) - | error.message := rename(Vendor.failure_reason) + | event.action := Vendor.operation + | event.action := Vendor.action + | error.message := Vendor.failure_reason | format(format="%s.%s", field=["event.module","_path"], as="event.dataset") - | event.reason := rename(Vendor.msg) - | event.id := rename(Vendor.uid) - | event.duration := rename(Vendor.duration) + | event.reason := Vendor.msg + | event.id := Vendor.uid + | event.duration := Vendor.duration + | Vendor.success match { + "true" => event.outcome := "success"; + "false" => event.outcome := "failure"; + * => *; + } + | Vendor.result match { + "failed" => event.outcome := "failure"; + "unknown" => event.outcome := "unknown"; + /success/i => event.outcome := "success"; + /failure/i => event.outcome := "failure"; + "encrypted" => event.outcome := "success"; + "SSL_NOT_ALLOWED_BY_SERVER" => event.outcome := "failure"; + "HYBRID_REQUIRED_BY_SERVER" => event.outcome := "failure"; + "SSL_CERT_NOT_ON_SERVER" => event.outcome := "failure"; + "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER" => event.outcome := "failure"; + "INCONSISTENT_FLAGS" => event.outcome := "failure"; + "SSL_REQUIRED_BY_SERVER" => event.outcome := "failure"; + * => *; + } + + // Event Categorization | case { - Vendor.success = "true" | event.outcome := "success"; - Vendor.success = "false" | event.outcome := "failure"; - Vendor.result = "failed" | event.outcome := "failure"; - Vendor.result = "unknown" | event.outcome := "unknown"; - Vendor.result = /success/i | event.outcome := "success"; - Vendor.result = /failure/i | event.outcome := "failure"; - Vendor.result = "encrypted" | event.outcome := "success"; - Vendor.result = "SSL_NOT_ALLOWED_BY_SERVER" | event.outcome := "failure"; - Vendor.result = "HYBRID_REQUIRED_BY_SERVER" | event.outcome := "failure"; - 
Vendor.result = "SSL_CERT_NOT_ON_SERVER" | event.outcome := "failure"; - Vendor.result = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER" | event.outcome := "failure"; - Vendor.result = "INCONSISTENT_FLAGS" | event.outcome := "failure"; - Vendor.result = "SSL_REQUIRED_BY_SERVER" | event.outcome := "failure"; + _path = "known*" + | array:append("event.category[]", values=["host"]) + | array:append("event.type[]", values=["info"]); + + in(_path, values=["conn*", "specific_dns_tunnels", "generic_dns_tunnels", "tunnel", "vpn", "stun*"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["connection"]); + + in(_path, values=["corelight*", "etc_viz", "suricata_stats", "zeek_doctor", "mqtt*"]) + | array:append("event.category[]", values=["process"]) + | array:append("event.type[]", values=["info"]); + + in(_path, values=["dce_rpc", "dns*", "dhcp", "encrypted_dns", "ftp", "irc", "ntp", "dga", "ocsp"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["connection", "protocol", "info"]); + + in(_path, values=["dpd", "rfb", "traceroute", "ssdp"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["connection", "info"]); + + in(_path, values=["files*", "pe"]) + | array:append("event.category[]", values=["file"]) + | array:append("event.type[]", values=["info"]); + + _path = "http*" + | array:append("event.category[]", values=["network", "web"]) + | array:append("event.type[]", values=["connection", "protocol", "info"]); + + _path = "intel" + | event.kind := "alert" + | array:append("event.category[]", values=["threat", "network"]) + | array:append("event.type[]", values=["indicator"]) + | rule.name := "intel"; + + _path = "suricata_corelight" + | event.kind := "alert" + | array:append("event.category[]", values=["threat", "network"]) + | array:append("event.type[]", values=["indicator"]) + | rule.name := Vendor.alert.signature; + + _path = 
"notice" + | event.kind := "alert" + | array:append("event.category[]", values=["threat", "network"]) + | array:append("event.type[]", values=["indicator"]) + | rule.name := Vendor.msg; + + _path = "mysql" + | array:append("event.category[]", values=["network", "database"]) + | array:append("event.type[]", values=["connection", "protocol"]); + + in(_path ,values=["ntlm", "radius", "kerberos", "ldap*"]) + | array:append("event.category[]", values=["network", "authentication"]) + | array:append("event.type[]", values=["connection", "info"]); + + in(_path ,values=["rdp", "quic"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["connection", "start"]); + + in(_path ,values=["analyzer", "reporter"]) + | array:append("event.category[]", values=["process"]) + | array:append("event.type[]", values=["error"]); + + in(_path , values=["sip", "smb_mapping", "snmp", "smtp", "socks", "ssh", "ssl*", "x509*", "ipsec", "ecat_arp*", "bacnet*", "enip"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["connection", "protocol"]); + + _path = "smb_files" + | array:append("event.category[]", values=["network", "file"]) + | array:append("event.type[]", values=["connection", "protocol"]); + + _path = "software" + | array:append("event.category[]", values=["network", "file"]) + | array:append("event.type[]", values=["info"]); + + in(_path ,values=["syslog", "weird*"]) + | array:append("event.category[]", values=["network"]) + | array:append("event.type[]", values=["info"]); + *; } // Log Fields | case { - Vendor.level=* - | level = /::(?.*)/; - * - | log.level := Vendor.severity.name; + Vendor.level=* | level = /::(?.*)/; + * | log.level := Vendor.severity.name; } // User Fields - | user.name := rename(Vendor.user) - | user.name := rename(Vendor.username) - | user.name := rename(Vendor.cookie) + | user.name := Vendor.user + | user.name := Vendor.username + | user.name := Vendor.cookie | case 
{ Vendor.client = * | Vendor.client = /(?!SSH)(?.*?)\/(?.*)/; *; @@ -90,24 +541,25 @@ script: | user.name = /host\/(?.*)/ | drop([user.name]); *; } - | user_agent.original := rename(Vendor.user_agent) + | user_agent.original := Vendor.user_agent // Source Fields - | source.hostname := rename(Vendor.hostname) + | source.hostname := Vendor.hostname | source.bytes := coalesce([Vendor.orig_bytes, Vendor.orig_ip_bytes]) - | source.domain := rename(Vendor.domainname) - | lower(source.domain, as="source.domain") - | source.ip := rename(Vendor.id.orig_h) - | source.ip := rename(Vendor.client_src) - | source.ip := rename(Vendor.src) - | source.ip := rename(Vendor.dns_client) - | source.ip := rename(Vendor.client_addr) - | source.ip := rename(Vendor.data_channel.orig_h) - | source.mac := rename(Vendor.orig_l2_addr) - | source.mac := rename(Vendor.mac) - | source.port := rename(Vendor.host_p) - | source.port := rename(Vendor.id.orig_p) - | source.packets := rename(Vendor.orig_pkts) + | source.domain := lower(Vendor.domainname) + | source.ip := Vendor.id.orig_h + | source.ip := Vendor.client_src + | source.ip := Vendor.src + | source.ip := Vendor.dns_client + | source.ip := Vendor.client_addr + | source.ip := Vendor.data_channel.orig_h + | source.mac := Vendor.orig_l2_addr + | source.mac := Vendor.mac + | source.mac := Vendor.mac_src + | source.mac := replace(":", with="-", field="source.mac") + | source.port := Vendor.host_p + | source.port := Vendor.id.orig_p + | source.packets := Vendor.orig_pkts | case { // tx_hosts is an array by default containing multiple source IP's. Because of this, we'll map the all elements to related.ip. 
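Review bot: The outcome logic now runs as two consecutive `match` statements on `Vendor.success` and `Vendor.result`, and `match` semantics differ from the `case` it replaces in two ways worth confirming. First, the `* => *` arm needs to match events in which the matched field is absent; if it does not, every record without `Vendor.success` (the conn, dns, http and ssl test events earlier in this diff have neither field) is dropped at the first `match`. Second, the old `case` was first-match-wins, whereas here an event carrying both fields has `event.outcome` overwritten by the `Vendor.result` block; if that is not intended, wrap the second block as `| case { event.outcome = * | *; * | Vendor.result match { ... } }` or keep a single `case`. I would also document the User Fields line `| user.name := Vendor.cookie` with `// rdp.log: the client cookie is typically the username (Zeek rdp.log)`, since mapping a field named cookie into an identity field reads as a mistake without that context.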
@@ -118,22 +570,16 @@ script: | | case { // Test if the original IP and data channel original IP's are the same. If so, assign id.orig_h as the ip. If not, assign data_channel.orig_h. - !Vendor.data_channel.orig_h - | source.ip := rename(Vendor.id.orig_h); - Vendor.id.orig_h = Vendor.data_channel.orig_h - | source.ip := Vendor.id.orig_h; - Vendor.id.orig_h != Vendor.data_channel.orig_h - | source.ip := Vendor.data_channel.orig_h; + !Vendor.data_channel.orig_h | source.ip := Vendor.id.orig_h; + Vendor.id.orig_h = Vendor.data_channel.orig_h | source.ip := Vendor.id.orig_h; + Vendor.id.orig_h != Vendor.data_channel.orig_h | source.ip := Vendor.data_channel.orig_h; *; } | case { // Test if the original port and data channel original ports are the same. If so, assign id.orig_p as the ip. If not, assign data_channel.orig_p. - !Vendor.data_channel.orig_p - | source.port := rename(Vendor.id.orig_p); - Vendor.id.orig_p = Vendor.data_channel.orig_p - | source.port := rename(Vendor.id.orig_p); - Vendor.id.orig_p != Vendor.data_channel.orig_p - | source.port := rename(Vendor.data_channel.orig_p); + !Vendor.data_channel.orig_p | source.port := Vendor.id.orig_p; + Vendor.id.orig_p = Vendor.data_channel.orig_p | source.port := Vendor.id.orig_p; + Vendor.id.orig_p != Vendor.data_channel.orig_p | source.port := Vendor.data_channel.orig_p; *; } 
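Review bot: `source.mac := replace(":", with="-", field="source.mac")` moves the address toward the ECS MAC format but stops halfway: ECS specifies uppercase hexadecimal with hyphen separators (e.g. `00-00-5E-00-53-23`), and the Zeek values in the test events are lowercase (`00:50:56:95:70:f2`), so normalizing only the separator leaves the case inconsistent with other ECS sources. Use `| source.mac := upper(replace(":", with="-", field="source.mac"))` and the same for `destination.mac` in the `@@ -151,21 +597,21 @@` hunk. A short `// ECS: MAC as uppercase hex with hyphen separators` comment above both lines would record why the rewrite is there.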
@@ -151,21 +597,21 @@ script: | | client.port := source.port // Destination Fields - | destination.address := rename(Vendor.server_nb_computer_name) - | destination.address := rename(Vendor.helo) - | destination.address := rename(Vendor.server_a) - | destination.address := rename(Vendor.server_name) - | lower(destination.address, as="destination.address") + | destination.address := lower(Vendor.server_nb_computer_name) + | destination.address := lower(Vendor.helo) + | destination.address := lower(Vendor.server_a) + | destination.address := lower(Vendor.server_name) | destination.bytes := coalesce([Vendor.resp_bytes, Vendor.resp_ip_bytes]) - | destination.domain := rename(Vendor.server_tree_name) - | lower(destination.domain, as="destination.domain") - | destination.ip := rename(Vendor.resolver) - | destination.ip := rename(Vendor.resp_h) - | destination.ip := rename(Vendor.id.resp_h) - | destination.port := rename(Vendor.server_p) - | destination.port := rename(Vendor.id.resp_p) - | destination.mac := rename(Vendor.resp_l2_addr) - | destination.packets := rename(Vendor.resp_pkts) + | destination.domain := lower(Vendor.server_tree_name) + | destination.ip := Vendor.resolver + | destination.ip := Vendor.resp_h + | destination.ip := Vendor.id.resp_h + | destination.port := Vendor.server_p + | destination.port := Vendor.id.resp_p + | destination.mac := Vendor.resp_l2_addr + | destination.mac := Vendor.mac_dst + | destination.mac := replace(":", with="-", field="destination.mac") + | destination.packets := Vendor.resp_pkts | case { // rx_hosts is an array by default containing multiple destination IP's. Because of this, we'll map the all elements to related.ip. Vendor.rx_hosts[0] = * 
@@ -179,40 +625,27 @@ script: | | case { // Test if the response IP and data channel response IP's are the same. If so, assign id.resp_h as the ip. If not, assign data_channel.resp_h. - !Vendor.data_channel.resp_h - | destination.ip := rename(Vendor.id.resp_h); - Vendor.id.resp_h = Vendor.data_channel.resp_h - | destination.ip := rename(Vendor.id.resp_h); - Vendor.id.resp_h != Vendor.data_channel.resp_h - | destination.ip := rename(Vendor.data_channel.resp_h); + !Vendor.data_channel.resp_h | destination.ip := Vendor.id.resp_h; + Vendor.id.resp_h = Vendor.data_channel.resp_h | destination.ip := Vendor.id.resp_h; + Vendor.id.resp_h != Vendor.data_channel.resp_h | destination.ip := Vendor.data_channel.resp_h; *; } | case { // Test if the response port and data channel response ports are the same. If so, assign id.resp_p as the port. If not, assign data_channel.resp_p. - !Vendor.data_channel.resp_p - | destination.port := rename(Vendor.id.resp_p); - Vendor.id.resp_p = Vendor.data_channel.resp_p - | destination.port := rename(Vendor.id.resp_p); - Vendor.id.resp_p != Vendor.data_channel.resp_p - | destination.port := rename(Vendor.data_channel.resp_p); + !Vendor.data_channel.resp_p | destination.port := Vendor.id.resp_p; + Vendor.id.resp_p = Vendor.data_channel.resp_p | destination.port := Vendor.id.resp_p; + Vendor.id.resp_p != Vendor.data_channel.resp_p | destination.port := Vendor.data_channel.resp_p; *; } - // added DLEE 25SEP2024 (rename resp_ep_uid to aid per JL) | case { - Vendor.id.orig_ep_source="CrowdStrike" and Vendor.id.orig_ep_status="managed" - | agent.id := rename(Vendor.id.orig_ep_uid); - Vendor.id.orig_ep_source="CrowdStrike" and Vendor.id.orig_ep_status!="managed" - | device.id := rename(Vendor.id.orig_ep_uid); - Vendor.id.orig_ep_source!="CrowdStrike" - | agent.id := rename(Vendor.id.orig_ep_uid); - Vendor.orig_ep_source="CrowdStrike" and Vendor.orig_ep_status="managed" - | agent.id := rename(Vendor.orig_ep_uid); - Vendor.orig_ep_source="CrowdStrike" 
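Review bot: The four `destination.address := lower(Vendor.…)` lines change how the fallback chain behaves when a vendor field is absent. The old form only touched `destination.address` when `rename()` found the field and lowercased once at the end, whereas the new form evaluates `lower()` on every line; if `lower()` of a missing field yields an empty value rather than leaving the target untouched, a later absent field (e.g. `server_name` on an smb event that set the address from `server_nb_computer_name`) clobbers the earlier value. Please confirm that behavior, and if it does not hold, restore the single trailing `| lower(destination.address, as="destination.address")` with plain `:=` assignments above it; the same applies to `destination.domain := lower(Vendor.server_tree_name)` only if more fallbacks are added later.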
and Vendor.orig_ep_status!="managed" - | device.id := rename(Vendor.orig_ep_uid); - Vendor.orig_ep_source!="CrowdStrike" - | agent.id := rename(Vendor.orig_ep_uid); + Vendor.id.orig_ep_source="CrowdStrike" AND Vendor.id.orig_ep_status="managed" | agent.id := Vendor.id.orig_ep_uid; + Vendor.id.orig_ep_source="CrowdStrike" AND Vendor.id.orig_ep_status!="managed" | device.id := Vendor.id.orig_ep_uid; + Vendor.id.orig_ep_source="CrowdStrike" | customer.id := Vendor.id.orig_ep_cid; + Vendor.orig_ep_source="CrowdStrike" AND Vendor.orig_ep_status="managed" | agent.id := Vendor.orig_ep_uid; + Vendor.orig_ep_source="CrowdStrike" AND Vendor.orig_ep_status!="managed" | device.id := Vendor.orig_ep_uid; + Vendor.orig_ep_source="CrowdStrike" | customer.id := Vendor.orig_ep_cid; *; } 
@@ -224,101 +657,86 @@ script: | | server.port := destination.port // Observer Fields - | observer.hostname := rename(Vendor._system_name) + | observer.hostname := Vendor._system_name // OS Fields | host.os.name := Vendor.os // Network Fields - | network.transport := rename(Vendor.proto) - | network.inner.vlan.id := rename(Vendor.inner_vlan) + | network.transport := Vendor.proto + | network.inner.vlan.id := Vendor.inner_vlan | network.bytes := source.bytes + destination.bytes - | network.protocol := rename(Vendor.source) - | network.protocol := rename(Vendor.service) + | network.protocol := Vendor.source + | network.protocol := Vendor.service | splitString(field="Vendor.app", by=",", as="network.application") | case{ - Vendor.local_orig=true Vendor.local_resp=true - | network.direction := "internal"; - Vendor.local_orig=true Vendor.local_resp=false - | network.direction := "outbound"; - Vendor.local_orig=false Vendor.local_resp=true - | network.direction := "inbound"; - Vendor.local_orig=false Vendor.local_resp=false - | network.direction := "external"; + Vendor.local_orig=true AND Vendor.local_resp=true | network.direction := "internal"; + Vendor.local_orig=true AND Vendor.local_resp=false | network.direction := "outbound"; + Vendor.local_orig=false AND Vendor.local_resp=true | network.direction := "inbound"; + Vendor.local_orig=false AND Vendor.local_resp=false | network.direction := "external"; * } - | case { - _path = "ssl" - | network.transport := "ssl"; - _path = "ssh" - | network.transport := "ssh"; - _path = "smb_files" - | network.transport := "smb"; - _path = "dns" - | network.transport := "dns"; - _path = "http" - | network.transport := "http"; - _path = "rdp" - | network.transport := "rdp"; - * + | _path match { + "ssl" => network.transport := "ssl"; + "ssh" => network.transport := "ssh"; + "smb_files" => network.transport := "smb"; + "dns" => network.transport := "dns"; + "http" => network.transport := "http"; + "rdp" => network.transport := "rdp"; + * 
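Review bot: The two `customer.id` arms are unreachable in practice: a `case` runs only the first matching branch, and when `Vendor.id.orig_ep_source` is "CrowdStrike" the `managed` / `!="managed"` arms above already claim the event, so `customer.id` is set only when `orig_ep_status` is missing entirely (every CrowdStrike test event in this diff carries a status). Move them into their own statement after the block, e.g. `| case { Vendor.id.orig_ep_source="CrowdStrike" | customer.id := Vendor.id.orig_ep_cid; Vendor.orig_ep_source="CrowdStrike" | customer.id := Vendor.orig_ep_cid; *; }`. Separately, the dropped `orig_ep_source!="CrowdStrike" | agent.id := …` arms mean non-CrowdStrike endpoints (the `"SentinelOne Agents"` events above) no longer get `agent.id`; if that is intentional, a comment such as `// agent.id / device.id are only populated for CrowdStrike-sourced endpoint enrichment` would stop the next reader from re-adding it.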
=> * } + | case { - Vendor.community_id = * - | network.community_id := rename(Vendor.community_id); - * - | communityId(as="network.community_id", proto=network.transport, sourceip=source.ip, sourceport=source.port, destinationip=destination.ip, destinationport=destination.port); + Vendor.community_id = * | network.community_id := Vendor.community_id; + * | communityId(as="network.community_id", proto=network.transport, sourceip=source.ip, sourceport=source.port, destinationip=destination.ip, destinationport=destination.port); } // in case there are no src/dst ip's or invalid ip's | case { network.community_id = "" | drop([network.community_id]); * } // VLAN Fields - | network.vlan.id := rename(Vendor.id.vlan) - | network.vlan.id := rename(Vendor.vlan) + | network.vlan.id := Vendor.id.vlan + | network.vlan.id := Vendor.vlan // File Fields - | file.size := rename(Vendor.total_bytes) + | file.size := Vendor.total_bytes // Hash Fields - | file.hash.md5 := rename(Vendor.md5) - | file.hash.sha256 := rename(Vendor.sha256) - | lower(file.hash.sha256, as="file.hash.sha256") - | lower(file.hash.md5, as="file.hash.md5") + | file.hash.md5 := lower(Vendor.md5) + | file.hash.sha256 := lower(Vendor.sha256) // HTTP Fields - | http.request.method := rename(Vendor.method) - | url.path := rename(Vendor.uri) - | url.domain := rename(Vendor.host) - | http.response.status_code := rename(Vendor.status_code) + | http.request.method := Vendor.method + | url.path := Vendor.uri + | url.domain := Vendor.host + | http.response.status_code := Vendor.status_code | case { - // Manually parse out mime response type - _path = "dns" AND Vendor.resp_mime_types[1] = * | @rawstring = /resp_mime_types":\[(?.*?)\]/; - _path = "dns" AND Vendor.resp_mime_types[0] = * | http.response.mime_type := rename(Vendor.resp_mime_types[0]); + // Manually parse out mime response type + _path = "http" AND Vendor.resp_mime_types[1] = * | @rawstring = /resp_mime_types":\[(?.*?)\]/; + _path = "http" AND 
Vendor.resp_mime_types[0] = * | http.response.mime_type := Vendor.resp_mime_types[0]; *; } | case { - // Manually parse out mime request type - _path = "dns" AND Vendor.orig_mime_types[1] = * | @rawstring = /orig_mime_types":\[(?.*?)\]/; - _path = "dns" AND Vendor.orig_mime_types[0] = * | http.request.mime_type := rename(Vendor.orig_mime_types[0]); + // Manually parse out mime request type + _path = "http" AND Vendor.orig_mime_types[1] = * | @rawstring = /orig_mime_types":\[(?.*?)\]/; + _path = "http" AND Vendor.orig_mime_types[0] = * | http.request.mime_type := Vendor.orig_mime_types[0]; *; } - // DNS Fields | case { - // Manually parse out dns.answers - _path = "dns" | @rawstring = /answers":\[(?.*?)\]/; - *; + // Manually parse out dns.answers + _path = "dns" | @rawstring = /answers":\[(?.*?)\]/; + *; } - | dns.question.type := rename(Vendor.qtype_name) - | dns.question.name := rename(Vendor.query) + | dns.question.type := Vendor.qtype_name + | dns.question.name := Vendor.query | splitString(field="Vendor.answers", by=",", as="dns.answers") - | dns.response_code := rename(Vendor.rcode_name) + | dns.response_code := Vendor.rcode_name // Email Fields - | email.sender.address := rename(Vendor.mailfrom) - | lower(email.sender.address, as="email.sender.address") - | email.subject := rename(Vendor.subject) + | email.sender.address := lower(Vendor.mailfrom) + | email.subject := Vendor.subject | case { // Manual parsing for email.to.address _path = "smtp" | @rawstring = /rcptto":\[(?.*?)\]/; 
@@ -327,125 +745,46 @@ script: | | array:append("email.to.address[]", values=[lower(email.to.address)]) // Geo Fields - | destination.geo.country_iso_code := rename(Vendor.resp_cc) - | destination.geo.region_name := rename(Vendor.resp_region) - | source.geo.country_iso_code := rename(Vendor.orig_cc) - | source.geo.region_name := rename(Vendor.orig_region) - | source.geo.city_name := rename(Vendor.orig_city) + | destination.geo.country_iso_code := Vendor.resp_cc + | destination.geo.region_name := Vendor.resp_region + | source.geo.country_iso_code := Vendor.orig_cc + | source.geo.region_name := Vendor.orig_region + | source.geo.city_name := Vendor.orig_city // x509 Fields - | file.x509.issuer.distinguished_name := rename(Vendor.certificate.issuer) - | file.x509.not_after := rename(Vendor.certificate.not_valid_after) - | file.x509.not_before := rename(Vendor.certificate.not_valid_before) - | file.x509.public_key_algorithm := rename(Vendor.certificate.key_alg) - | file.x509.public_key_exponent := rename(Vendor.certificate.exponent) - | file.x509.serial_number := rename(Vendor.certificate.serial) - | file.x509.signature_algorithm := rename(Vendor.certificate.sig_alg) - | file.x509.subject.distinguished_name := rename(Vendor.certificate.subject) + | file.x509.issuer.distinguished_name := Vendor.certificate.issuer + | file.x509.not_after := Vendor.certificate.not_valid_after + | file.x509.not_before := Vendor.certificate.not_valid_before + | file.x509.public_key_algorithm := Vendor.certificate.key_alg + | file.x509.public_key_exponent := Vendor.certificate.exponent + | file.x509.serial_number := Vendor.certificate.serial + | file.x509.signature_algorithm := Vendor.certificate.sig_alg + | file.x509.subject.distinguished_name := Vendor.certificate.subject //tls Fields - | tls.client.ja3 := rename(Vendor.ja3) - | tls.server.ja3s := rename(Vendor.ja3s) - - // Event Categorization - | case { - in(_path, values=["conn", "specific_dns_tunnels", "tunnel"]) - | 
array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["connection"]); - - in(_path, values=["corelight*", "etc_viz"]) - | array:append("event.category[]", values=["process"]) - | array:append("event.type[]", values=["info"]); - - in(_path, values=["dce_rpc", "dns", "dhcp", "encrypted_dns", "ftp", "irc", "ntp", "dga"]) - | array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["connection", "protocol", "info"]); - - in(_path, values=["dpd", "rfb"]) - | array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["connection", "info"]); - - in(_path, values=["files", "pe"]) - | array:append("event.category[]", values=["file"]) - | array:append("event.type[]", values=["info"]); - - _path = "http" - | array:append("event.category[]", values=["network", "web"]) - | array:append("event.type[]", values=["connection", "protocol", "info"]); - - in(_path, values=["intel", "suricata_corelight"]) - | event.kind := "alert" - | array:append("event.category[]", values=["threat", "network"]) - | array:append("event.type[]", values=["indicator"]); - - _path = "kerberos" - | array:append("event.category[]", values=["network", "authentication"]) - | array:append("event.type[]", values=["connection", "protocol", "access"]); - - _path = "mysql" - | array:append("event.category[]", values=["network", "database"]) - | array:append("event.type[]", values=["connection", "protocol"]); - - _path = "notice" - | array:append("event.category[]", values=["intrusion_detection"]) - | array:append("event.type[]", values=["info"]); - - in(_path ,values=["ntlm", "radius"]) - | array:append("event.category[]", values=["network", "authentication"]) - | array:append("event.type[]", values=["connection", "info"]); - - _path = "rdp" - | array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["connection", "start"]); - - _path = "reporter" - | 
array:append("event.category[]", values=["process"]) - | array:append("event.type[]", values=["error"]); - - in(_path , values=["sip", "smb_mapping", "snmp", "smtp", "socks", "ssh", "ssl"]) - | array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["connection", "protocol"]); - - _path = "smb_files" - | array:append("event.category[]", values=["network", "file"]) - | array:append("event.type[]", values=["connection", "protocol"]); - - _path = "software" - | array:append("event.category[]", values=["network", "file"]) - | array:append("event.type[]", values=["info"]); - - in(_path ,values=["vpn", "weird"]) - | array:append("event.category[]", values=["network"]) - | array:append("event.type[]", values=["info"]); - - *; - } + | tls.client.ja3 := Vendor.ja3 + | tls.server.ja3s := Vendor.ja3s + //alerts | case { - event.kind = "alert" | + event.kind = "alert" //Flattens "metadata" array to allow for use of fields within modeling - replace(regex=".*\"alert.metadata\":\\[(.*)\\],.*", with="$1", field=@rawstring, as=flatten.metadata) | - replace(regex=":", with="\"=\"", field=flatten.metadata) | - kvParse(field=flatten.metadata, as=Vendor, separator="=") | - drop(flatten.metadata) | - case { - in(Vendor.signature_severity, values=["Informational","Audit"]) | - event.severity := "10"; - Vendor.signature_severity = "Minor" | - event.severity := "50"; - Vendor.signature_severity = "Major" | - event.severity := "70"; - Vendor.signature_severity = "Critical" | - event.severity := "90"; - } | - case { - Vendor.mitre_technique_id = "*" | - match(file="epp/lookups/MitreMappings-ecs.csv", field=Vendor.mitre_technique_id, column=threat.technique.id[0], mode=glob, ignoreCase=true, include= ["threat.framework","threat.tactic.id[0]","threat.tactic.name[0]","threat.technique.id[0]","threat.technique.name[0]","threat.technique.reference[0]"]); + | replace(regex=".*\"alert.metadata\":\\[(.*)\\],.*", with="$1", field=@rawstring, as=flatten.metadata) 
+ | replace(regex=":", with="\"=\"", field=flatten.metadata) + | kvParse(field=flatten.metadata, as=Vendor, separator="=") + | drop(flatten.metadata) + | case { + in(Vendor.signature_severity, values=["Informational","Audit"]) | event.severity := "10"; + Vendor.signature_severity = "Minor" | event.severity := "50"; + Vendor.signature_severity = "Major" | event.severity := "70"; + Vendor.signature_severity = "Critical" | event.severity := "90"; + } + | case { + Vendor.mitre_technique_id = "*" | match(file="epp/lookups/MitreMappings-ecs.csv", field=Vendor.mitre_technique_id, column=threat.technique.id[0], mode=glob, ignoreCase=true, include= ["threat.framework","threat.tactic.id[0]","threat.tactic.name[0]","threat.technique.id[0]","threat.technique.name[0]","threat.technique.reference[0]"]); *; }; * } - | Vendor._path := rename("_path") // #endregion diff --git a/parsers/parser_template.yaml b/parsers/parser_template.yaml new file mode 100644 index 0000000..c688fe1 --- /dev/null +++ b/parsers/parser_template.yaml 
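Review bot: The severity `case` added here (`in(Vendor.signature_severity, values=["Informational","Audit"]) | event.severity := "10";` through the `"Critical"` branch) has no wildcard branch, while the `mitre_technique_id` case directly below it ends with `*;`; unless I misread LogScale's case semantics, an alert whose `signature_severity` is absent or carries any other value matches no branch and is dropped by this case instead of being kept without `event.severity`, which silently loses alerts at ingest. Adding `*;` as the final branch of that case, matching the neighbouring block, keeps them. Separately, `replace(regex=".*\"alert.metadata\":\\[(.*)\\],.*", ...)` captures greedily, so whenever another JSON array follows `alert.metadata` in `@rawstring` the capture runs to the last `],` and `kvParse(field=flatten.metadata, as=Vendor, separator="=")` ingests unrelated key/value text into `Vendor.*`; a non-greedy, dot-escaped pattern such as `replace(regex=".*\"alert\\.metadata\":\\[(.*?)\\].*", with="$1", field=@rawstring, as=flatten.metadata)` bounds it to the array. The enclosing `script:` block starts before this hunk, so I could not confirm where `event.kind` is now assigned after the categorization `case` that used to set it for `intel`/`suricata_corelight` was removed here; if it is no longer set, the `event.kind = "alert"` branch never runs.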
@@ -0,0 +1,54 @@
+name: template
+tests: []
+$schema: https://schemas.humio.com/parser/v0.3.0
+script: |
+ // #region PREPARSE
+ /************************************************************
+ ****** Parse timestamp and log headers
+ ****** Extract message field for parsing
+ ****** Parse structured data
+ ************************************************************/
+
+ // #endregion
+
+ // #region METADATA
+ /************************************************************
+ ****** Static Metadata Definitions
+ ************************************************************/
+ | ecs.version := "8.17.0"
+ | Cps.version := "1.0.0"
+ | Parser.version := "1.0.0"
+ | Vendor := ""
+ | event.module := ""
+ | event.dataset := ""
+
+ // #endregion
+
+ // #region NORMALIZATION
+ /************************************************************
+ ****** Parse unstructured data (i.e. message field)
+ ****** Normalize fields to data model
+ ************************************************************/
+
+ // #endregion
+
+ // #region POST-NORMALIZATION
+ /************************************************************
+ ****** Post Normalization
+ ****** Custom parser logic needed after normalization
+ ************************************************************/
+
+ // #endregion
+
+tagFields:
+- Cps.version
+- Vendor
+- ecs.version
+- event.dataset
+- event.kind
+- event.module
+- event.outcome
+- observer.type
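Review bot: `tagFields` lists `event.kind`, `event.outcome` and `observer.type`, but the METADATA region only stubs `Vendor`, `event.module` and `event.dataset`, so a parser built from this template tags on three fields that nothing in the script assigns. A short comment in the NORMALIZATION region, e.g. `// Set event.kind, event.outcome and observer.type here; they are tagFields below`, would make that expectation explicit to whoever copies the template. Since these are tag fields, the comment should also remind the author to keep their values low-cardinality.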