From 47aaef7ee16f7244d8ceaaad0ba74c5bdcdb3889 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Tue, 11 Feb 2020 16:07:47 -0500 Subject: [PATCH 1/9] EQL: Add integration tests harness to test EQL feature parity with original implementation The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over the time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json that was translated to ECS format that matches the latest mapping being used for Endgame platform event streaming and is loaded from endgame.dat file. The endgame.json file contains the matching index mappings/setting. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. The input .toml file is parsed by hand for now, which is sufficient for our purposes and avoids introducing another dependency just for this particular test case. Related to https://github.com/elastic/elasticsearch/issues/49581 --- x-pack/plugin/eql/build.gradle | 30 +- .../rest-api-spec/test/eql/10_basic.yml | 2 +- .../eql/action/EqlSearchRequestBuilder.java | 58 + .../xpack/eql/action/EqlSearchResponse.java | 16 + .../xpack/eql/plugin/EqlPlugin.java | 45 +- .../eql/plugin/TransportEqlSearchAction.java | 19 +- .../elasticsearch/xpack/eql/EqlTestUtils.java | 15 + .../eql/action/AbstractEqlIntegTestCase.java | 41 + .../xpack/eql/action/EqlActionIT.java | 95 + .../xpack/eql/action/EqlSpec.java | 46 + .../xpack/eql/action/EqlSpecLoader.java | 179 ++ .../eql/action/LocalStateEqlXPackPlugin.java | 28 + .../xpack/eql/plugin/EqlPluginTests.java | 5 +- .../plugin/eql/src/test/resources/endgame.dat | 102 + .../eql/src/test/resources/endgame.json | 2531 +++++++++++++++++ .../eql/src/test/resources/test_queries.toml | 1298 +++++++++ .../resources/test_queries_unsupported.toml | 1300 +++++++++ x-pack/plugin/sql/build.gradle | 4 + 18 files changed, 5771 insertions(+), 43 deletions(-) create mode 100644 x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java create mode 100644 x-pack/plugin/eql/src/test/resources/endgame.dat create mode 100644 x-pack/plugin/eql/src/test/resources/endgame.json create mode 100644 x-pack/plugin/eql/src/test/resources/test_queries.toml create mode 100644 x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index 65ec91f6ca83a..e56d21e87cf35 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle @@ -17,6 +17,23 @@ ext { archivesBaseName = 'x-pack-eql' +test { + testLogging.showStandardStreams = true +} + +// All integration tests live in qa modules +integTest.enabled = false + +// Instead we create a separate task to run the tests based on ESIntegTestCase +task internalClusterTest(type: Test) { + testLogging.showStandardStreams = true + mustRunAfter test + include '**/*IT.class' + systemProperty 'es.set.netty.runtime.available.processors', 'false' +} + +check.dependsOn internalClusterTest + dependencies { compileOnly project(path: xpackModule('core'), configuration: 'default') compileOnly(project(':modules:lang-painless')) { @@ -33,19 +50,6 @@ dependencies { testCompile project(path: ':modules:analysis-common', configuration: 'runtime') } -integTest.enabled = false -testingConventions.enabled = false - -// Instead we create a separate task to run the tests based on ESIntegTestCase -task internalClusterTest(type: Test) { - description = '🌈🌈🌈🦄 Welcome to fantasy integration tests land! 🦄🌈🌈🌈' - mustRunAfter test - - include '**/*IT.class' - systemProperty 'es.set.netty.runtime.available.processors', 'false' -} - -check.dependsOn internalClusterTest /**************************************************************** * Enable QA/rest integration tests for snapshot builds only * diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml index fc7d93697ee15..a6f4dac4e5c0e 100644 --- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml @@ -23,5 +23,5 @@ setup: - match: {timed_out: false} - match: {took: 0} - - match: {hits.total.value: 0} + - match: {hits.total.value: 1} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java new file mode 100644 index 0000000000000..2e808501ae9f8 --- /dev/null +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java @@ -0,0 +1,58 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.action.ActionRequestBuilder; +import org.elasticsearch.client.ElasticsearchClient; +import org.elasticsearch.index.query.QueryBuilder; + +public class EqlSearchRequestBuilder extends ActionRequestBuilder { + public EqlSearchRequestBuilder(ElasticsearchClient client, EqlSearchAction action) { + super(client, action, new EqlSearchRequest()); + } + + public EqlSearchRequestBuilder indices(String... indices) { + request.indices(indices); + return this; + } + + public EqlSearchRequestBuilder query(QueryBuilder query) { + request.query(query); + return this; + } + + public EqlSearchRequestBuilder timestampField(String timestampField) { + request.timestampField(timestampField); + return this; + } + + public EqlSearchRequestBuilder eventTypeField(String eventTypeField) { + request.eventTypeField(eventTypeField); + return this; + } + + public EqlSearchRequestBuilder implicitJoinKeyField(String implicitJoinKeyField) { + request.implicitJoinKeyField(implicitJoinKeyField); + return this; + } + + public EqlSearchRequestBuilder fetchSize(int size) { + request.fetchSize(size); + return this; + } + + public EqlSearchRequestBuilder searchAfter(Object[] values) { + request.searchAfter(values); + return this; + } + + public EqlSearchRequestBuilder rule(String rule) { + request.rule(rule); + return this; + } + +} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index f06d01f6a3c67..a0be93631b29e 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java @@ -483,5 +483,21 @@ public boolean equals(Object o) { public int hashCode() { return Objects.hash(events, sequences, counts, totalHits); } + + public List events() { + return this.events; + } + + public List sequences() { + return this.sequences; + } + + public List counts() { + return this.counts; + } + + public TotalHits totalHits() { + return this.totalHits; + } } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index 37574579fac00..f64134b94456c 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -21,6 +21,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.env.Environment; import org.elasticsearch.env.NodeEnvironment; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.ActionPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.rest.RestController; @@ -28,6 +29,7 @@ import org.elasticsearch.script.ScriptService; import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.watcher.ResourceWatcherService; +import org.elasticsearch.xpack.core.XPackPlugin; import org.elasticsearch.xpack.core.action.XPackInfoFeatureAction; import org.elasticsearch.xpack.core.action.XPackUsageFeatureAction; import org.elasticsearch.xpack.eql.EqlInfoTransportAction; @@ -39,12 +41,13 @@ import java.util.Arrays; import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.function.Supplier; public class EqlPlugin extends Plugin implements ActionPlugin { + private final boolean enabled; + private static final boolean EQL_FEATURE_FLAG_REGISTERED; static { @@ -69,6 +72,10 @@ public class EqlPlugin extends Plugin implements ActionPlugin { Setting.Property.NodeScope ); + public EqlPlugin(final Settings settings) { + this.enabled = EQL_ENABLED_SETTING.get(settings); + } + @Override public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, @@ -83,17 +90,6 @@ private Collection createComponents(Client client, String clusterName, N return Arrays.asList(planExecutor); } - - @Override - public List> getActions() { - return Arrays.asList( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), - new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), - new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) - ); - } - /** * The settings defined by EQL plugin. * @@ -103,9 +99,21 @@ private Collection createComponents(Client client, String clusterName, N public List> getSettings() { if (isSnapshot() || EQL_FEATURE_FLAG_REGISTERED) { return List.of(EQL_ENABLED_SETTING); - } else { - return List.of(); } + return List.of(); + } + + @Override + public List> getActions() { + if (enabled) { + return List.of( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), + new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), + new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) + ); + } + return List.of(); } boolean isSnapshot() { @@ -126,9 +134,12 @@ public List getRestHandlers(Settings settings, IndexNameExpressionResolver indexNameExpressionResolver, Supplier nodesInCluster) { - if (isEnabled(settings) == false) { - return Collections.emptyList(); + if (enabled) { + return List.of(new RestEqlSearchAction(), new RestEqlStatsAction()); } - return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction()); + return List.of(); } + + // overridable by tests + protected XPackLicenseState getLicenseState() { return XPackPlugin.getSharedLicenseState(); } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java index 32f72540d0ea1..13e8fc89b9ec4 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java @@ -31,7 +31,6 @@ import java.time.ZoneId; import java.util.Arrays; -import java.util.Collections; import java.util.List; public class TransportEqlSearchAction extends HandledTransportAction { @@ -63,12 +62,12 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request TimeValue timeout = TimeValue.timeValueSeconds(30); boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false; String clientId = null; - + ParserParams params = new ParserParams() .fieldEventType(request.eventTypeField()) .fieldTimestamp(request.timestampField()) .implicitJoinKey(request.implicitJoinKeyField()); - + Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, includeFrozen, clientId); //planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); listener.onResponse(createResponse(null)); @@ -77,14 +76,14 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request static EqlSearchResponse createResponse(Results results) { // Stubbed search response // TODO: implement actual search response processing once the parser/executor is in place + // Updated for stubbed response to: process where serial_event_id = 1 + // to validate the sample test until the engine is wired in. List events = Arrays.asList( - new SearchHit(1, "111", null), - new SearchHit(2, "222", null) + new SearchHit(1, "111", null) ); - EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, Arrays.asList( - new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - ), null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); + EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(events, null, + null, new TotalHits(1, TotalHits.Relation.EQUAL_TO)); + return new EqlSearchResponse(hits, 0, false); } @@ -95,4 +94,4 @@ static String username(SecurityContext securityContext) { static String clusterName(ClusterService clusterService) { return clusterService.getClusterName().value(); } -} \ No newline at end of file +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java index dba73070690db..c414e04b6dd8f 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java @@ -6,8 +6,10 @@ package org.elasticsearch.xpack.eql; +import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.xpack.eql.session.Configuration; +import org.elasticsearch.xpack.ql.util.StringUtils; import static org.elasticsearch.test.ESTestCase.randomAlphaOfLength; import static org.elasticsearch.test.ESTestCase.randomBoolean; @@ -31,4 +33,17 @@ public static Configuration randomConfiguration() { randomBoolean(), randomAlphaOfLength(16)); } + + public static Tuple pathAndName(String string) { + String folder = StringUtils.EMPTY; + String file = string; + int lastIndexOf = string.lastIndexOf("/"); + if (lastIndexOf > 0) { + folder = string.substring(0, lastIndexOf - 1); + if (lastIndexOf + 1 < string.length()) { + file = string.substring(lastIndexOf + 1); + } + } + return new Tuple<>(folder, file); + } } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java new file mode 100644 index 0000000000000..a7f1cf5099766 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java @@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.LicenseService; +import org.elasticsearch.plugins.Plugin; +import org.elasticsearch.test.ESIntegTestCase; +import org.elasticsearch.xpack.core.XPackSettings; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.util.Collection; +import java.util.Collections; + +import static org.elasticsearch.test.ESIntegTestCase.Scope.SUITE; + +@ESIntegTestCase.ClusterScope(scope = SUITE, numDataNodes = 0, numClientNodes = 0, maxNumDataNodes = 0) +public abstract class AbstractEqlIntegTestCase extends ESIntegTestCase { + + @Override + protected Settings nodeSettings(int nodeOrdinal) { + Settings.Builder settings = Settings.builder().put(super.nodeSettings(nodeOrdinal)); + settings.put(XPackSettings.SECURITY_ENABLED.getKey(), false); + settings.put(XPackSettings.MONITORING_ENABLED.getKey(), false); + settings.put(XPackSettings.WATCHER_ENABLED.getKey(), false); + settings.put(XPackSettings.GRAPH_ENABLED.getKey(), false); + settings.put(XPackSettings.MACHINE_LEARNING_ENABLED.getKey(), false); + settings.put(EqlPlugin.EQL_ENABLED_SETTING.getKey(), true); + settings.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial"); + return settings.build(); + } + + @Override + protected Collection> nodePlugins() { + return Collections.singletonList(LocalStateEqlXPackPlugin.class); + } +} + diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java new file mode 100644 index 0000000000000..b8ba347c22b65 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -0,0 +1,95 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.Build; +import org.elasticsearch.action.bulk.BulkRequestBuilder; +import org.elasticsearch.action.bulk.BulkResponse; +import org.elasticsearch.action.index.IndexRequest; +import org.elasticsearch.action.support.WriteRequest; +import org.elasticsearch.common.xcontent.XContentType; +import org.elasticsearch.search.SearchHit; +import org.junit.BeforeClass; + +import java.io.BufferedReader; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.nio.charset.StandardCharsets; +import java.util.List; + +import static org.elasticsearch.test.StreamsUtils.copyToStringFromClasspath; +import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; +import static org.hamcrest.Matchers.equalTo; + +public class EqlActionIT extends AbstractEqlIntegTestCase { + + @BeforeClass + public static void checkForSnapshot() { + assumeTrue("Only works on snapshot builds for now", Build.CURRENT.isSnapshot()); + } + + public void testEqlSearchAction() throws Exception { + final String indexPrefix = "endgame"; + final String testIndexName = indexPrefix + "-1.4.0"; + final String testIndexPattern = indexPrefix + "-*"; + + String endgame = copyToStringFromClasspath("/endgame.json"); + endgame = endgame.replace("[index_pattern_placeholder]", testIndexPattern); + + assertAcked(client().admin().indices().preparePutTemplate(testIndexName) + .setSource(endgame.getBytes(StandardCharsets.UTF_8), XContentType.JSON).get()); + + // Insert test data + InputStream is = EqlActionIT.class.getResourceAsStream("/endgame.dat"); + BulkRequestBuilder bulkBuilder = client().prepareBulk(); + try (BufferedReader reader = new BufferedReader( + new InputStreamReader(is, StandardCharsets.UTF_8))) { + + String line; + while ((line = reader.readLine()) != null) { + bulkBuilder.add(new IndexRequest(testIndexName).source(line.trim(), XContentType.JSON)); + } + BulkResponse response = bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); + assertThat(response.hasFailures() ? response.buildFailureMessage() : "", response.hasFailures(), equalTo(false)); + } + + ensureYellow(testIndexName); + + // Load EQL validation specs + List specs = EqlSpecLoader.load("/test_queries.toml", true); + List unsupportedSpecs = EqlSpecLoader.load("/test_queries_unsupported.toml", false); + + // Validate only currently supported specs + for (EqlSpec spec : specs) { + boolean supported = true; + // Check if spec is supported, simple iteration, cause the list is short. + for (EqlSpec unSpec: unsupportedSpecs) { + if (spec.query.equals(unSpec.query)) { + supported = false; + break; + } + } + + if (supported) { + logger.info("execute: " + spec.query); + EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) + .indices(testIndexName).rule(spec.query).get(); + + List events = response.hits().events(); + assertNotNull(events); + + final int len = events.size(); + final int ids[] = new int[len]; + for (int i = 0; i < events.size(); i++) { + ids[i] = events.get(i).docId(); + } + final String msg = "unexpected result for spec: [" + spec.toString() + "]"; + assertArrayEquals(msg, spec.expectedEventIds, ids); + } + } + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java new file mode 100644 index 0000000000000..3eb3c89a09f9a --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java @@ -0,0 +1,46 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.Strings; + +import java.util.Arrays; + +public class EqlSpec { + String description; + String note; + String []tags; + String query; + int []expectedEventIds; + + @Override + public String toString() { + String str = ""; + str = appendWithComma(str, "query", query); + str = appendWithComma(str, "description", description); + str = appendWithComma(str, "note", note); + + if (tags != null) { + str = appendWithComma(str, "tags", Arrays.toString(tags)); + } + + if (expectedEventIds != null) { + str = appendWithComma(str, "expected_event_ids", Arrays.toString(expectedEventIds)); + } + return str; + } + + private static String appendWithComma(String str, String name, String append) { + if (!Strings.isNullOrEmpty(append)) { + if (!Strings.isNullOrEmpty(str)) { + str += ", "; + } + str += name + ": " + append; + } + return str; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java new file mode 100644 index 0000000000000..c0157962b8a4e --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java @@ -0,0 +1,179 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import io.netty.util.internal.StringUtil; + +import java.io.BufferedReader; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; + +public class EqlSpecLoader { + public static List load(String path, boolean supported) throws Exception { + try (InputStream is = EqlSpecLoader.class.getResourceAsStream(path)) { + return readFromStream(is, supported); + } + } + + private static int[] readExpectedEventIds(String line, BufferedReader reader) throws Exception { + String arr[] = readArray(line); + int ids[] = new int[arr.length]; + + for (int i = 0; i < arr.length; i++) { + ids[i] = Integer.parseInt(arr[i]); + } + return ids; + } + + private static String[] readTags(String line) throws Exception { + String arr[] = readArray(line); + for (int i = 0; i < arr.length; i++) { + String s = arr[i]; + if (s.startsWith("\"") || s.startsWith("'")) { + s = s.substring(1); + } + if (s.endsWith("\"") || s.endsWith("'")) { + s = s.substring(0, s.length()-1); + } + arr[i] = s.trim(); + } + return arr; + } + + private static String readValueLine(String line) throws Exception { + int idx = line.indexOf("="); + if (idx == -1) { + throw new IllegalArgumentException("Invalid string value: " + line); + } + return line.substring(idx+1).trim(); + } + + private static String[] readArray(String line) throws Exception { + line = readValueLine(line); + if (!line.startsWith("[") && !line.endsWith("]")) { + throw new IllegalArgumentException("Invalid array string value: " + line); + } + String arr[] = line.substring(1, line.length()-1).split(","); + + ArrayList res = new ArrayList<>(); + for (String s : arr) { + s = s.trim(); + if (!s.isEmpty()) { + res.add(s); + } + } + + return res.toArray(new String[res.size()]); + } + + private static String readString(String line, BufferedReader reader) throws Exception { + line = readValueLine(line); + String delim = ""; + if (line.startsWith("\"") || line.startsWith("'")) { + delim = line.substring(0, 1); + if (line.startsWith("\"\"\"") || line.startsWith("'''")) { + delim = line.substring(0, 3); + } + } + + if (StringUtil.isNullOrEmpty(delim)) { + throw new IllegalArgumentException("Invalid string format, should start with ' or \" at least: " + line); + } + + // Trim start delimiter + if (line.startsWith(delim)) { + line = line.substring(delim.length()); + } + + // Read multiline string + if (!line.endsWith(delim)) { + String s; + while ((s = reader.readLine()) != null) { + line += " " + s.trim(); + if (line.endsWith(delim)) { + break; + } + } + } + + // Trim end delimiter + if (line.endsWith(delim)) { + line = line.substring(0, line.length()-delim.length()); + } + + return line.trim(); + } + + private static void validateAndAddSpec(List specs, EqlSpec spec, boolean supported) throws Exception { + if (StringUtil.isNullOrEmpty(spec.query)) { + throw new IllegalArgumentException("Read a test without a query value"); + } + + if (supported && spec.expectedEventIds == null) { + throw new IllegalArgumentException("Read a test without a expected_event_ids value"); + } + + specs.add(spec); + } + + // Simple .toml spec parsing of the original EQL spec + // to avoid adding dependency on any actual toml library for now. + private static List readFromStream(InputStream is, boolean supported) throws Exception { + Map testNames = new LinkedHashMap<>(); + List testSpecs = new ArrayList<>(); + + EqlSpec spec = null; + try (BufferedReader reader = new BufferedReader( + new InputStreamReader(is, StandardCharsets.UTF_8))) { + + String line; + while ((line = reader.readLine()) != null) { + line = line.trim(); + // Ignore empty lines and comments + if (line.isEmpty() || line.startsWith("#")) { + continue; + } + if (line.startsWith("[[queries]]")) { + if (spec != null) { + validateAndAddSpec(testSpecs, spec, supported); + spec = null; + } + spec = new EqlSpec(); + continue; + } + if (line.startsWith("query")) { + spec.query = readString(line, reader); + } + + if (line.startsWith("expected_event_ids")) { + spec.expectedEventIds = readExpectedEventIds(line, reader); + } + + if (line.startsWith("tags")) { + spec.tags = readTags(line); + } + if (line.startsWith("note")) { + spec.note = readString(line, reader); + } + if (line.startsWith("description")) { + spec.description = readString(line, reader); + } + } + // Append the last spec + if (spec != null) { + validateAndAddSpec(testSpecs, spec, supported); + } + } + + return testSpecs; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java new file mode 100644 index 0000000000000..7a6cd355a6ffa --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.nio.file.Path; + +public class LocalStateEqlXPackPlugin extends LocalStateCompositeXPackPlugin { + + public LocalStateEqlXPackPlugin(final Settings settings, final Path configPath) throws Exception { + super(settings, configPath); + LocalStateEqlXPackPlugin thisVar = this; + plugins.add(new EqlPlugin(settings) { + @Override + protected XPackLicenseState getLicenseState() { + return thisVar.getLicenseState(); + } + }); + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java index 02c429a339665..03f14247d77f1 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.eql.plugin; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.ESTestCase; import static org.hamcrest.Matchers.hasItem; @@ -13,7 +14,7 @@ public class EqlPluginTests extends ESTestCase { public void testEnabledSettingRegisteredInSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { @@ -25,7 +26,7 @@ protected boolean isSnapshot() { } public void testEnabledSettingNotRegisteredInNonSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { diff --git a/x-pack/plugin/eql/src/test/resources/endgame.dat b/x-pack/plugin/eql/src/test/resources/endgame.dat new file mode 100644 index 0000000000000..66c9725505990 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/endgame.dat @@ -0,0 +1,102 @@ +{"user":{"group":{}},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":0,"process":{"thread":{},"parent":{},"hash":{},"name":"System Idle Process"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":1,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":116444736000000000,"process_name":"System Idle Process","unique_pid":1,"xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"name":"System Idle Process"},"hash":{},"pid":4,"name":"System"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":2,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":4,"process_name":"System","unique_pid":2,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","unique_ppid":1,"parent_process_name":"System Idle Process","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":4,"name":"System"},"hash":{"md5":"63d3c30b497347495b8ea78a38188969"},"pid":284,"ppid":4,"name":"smss.exe","executable":"C:\\Windows\\System32\\smss.exe","args":["\\SystemRoot\\System32\\smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":3,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":284,"process_path":"C:\\Windows\\System32\\smss.exe","process_name":"smss.exe","unique_pid":3,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":4,"unique_ppid":2,"command_line":"\\SystemRoot\\System32\\smss.exe","parent_process_name":"System","md5":"63d3c30b497347495b8ea78a38188969","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":372,"ppid":364,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":4,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":372,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":4,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"94355c28c1970635a31b3fe52eb7ceba"},"pid":424,"ppid":364,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":5,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":424,"process_path":"C:\\Windows\\System32\\wininit.exe","process_name":"wininit.exe","unique_pid":5,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"wininit.exe","md5":"94355c28c1970635a31b3fe52eb7ceba","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":436,"ppid":416,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":6,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":436,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":6,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":472,"ppid":416,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":7,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":472,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":7,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"24acb7e5be595468e3b9aa488b9b4fcb"},"pid":524,"ppid":424,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe","args":["C:\\Windows\\system32\\services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":8,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":524,"process_path":"C:\\Windows\\System32\\services.exe","process_name":"services.exe","unique_pid":8,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\services.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"24acb7e5be595468e3b9aa488b9b4fcb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"7554a1b82b4a222fd4cc292abd38a558"},"pid":536,"ppid":424,"name":"lsass.exe","executable":"C:\\Windows\\System32\\lsass.exe","args":["C:\\Windows\\system32\\lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":9,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsass.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"7554a1b82b4a222fd4cc292abd38a558","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"9662ee182644511439f1c53745dc1c88"},"pid":544,"ppid":424,"name":"lsm.exe","executable":"C:\\Windows\\System32\\lsm.exe","args":["C:\\Windows\\system32\\lsm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":10,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":544,"process_path":"C:\\Windows\\System32\\lsm.exe","process_name":"lsm.exe","unique_pid":10,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsm.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"9662ee182644511439f1c53745dc1c88","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":648,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","DcomLaunch"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":11,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":648,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":11,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf"},"pid":708,"ppid":524,"name":"vmacthlp.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":12,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":708,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","process_name":"vmacthlp.exe","unique_pid":12,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":752,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","RPCSS"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":13,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":752,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":13,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k RPCSS","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":472,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe"},"hash":{"md5":"715f03b4c7223349768013ea95d9e5b7"},"pid":828,"ppid":472,"name":"LogonUI.exe","executable":"C:\\Windows\\System32\\LogonUI.exe","args":["LogonUI.exe","/flags:0x0"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":14,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":828,"process_path":"C:\\Windows\\System32\\LogonUI.exe","process_name":"LogonUI.exe","unique_pid":14,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":472,"unique_ppid":7,"command_line":"\"LogonUI.exe\" /flags:0x0","parent_process_name":"winlogon.exe","parent_process_path":"C:\\Windows\\System32\\winlogon.exe","md5":"715f03b4c7223349768013ea95d9e5b7","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":848,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":15,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":848,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":15,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":896,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalSystemNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":16,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":924,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","netsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":17,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":264,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":18,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":264,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":18,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":968,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":19,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":968,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":19,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"b96c17b5dc1424d56eea3a99e97428cd"},"pid":1108,"ppid":524,"name":"spoolsv.exe","executable":"C:\\Windows\\System32\\spoolsv.exe","args":["C:\\Windows\\System32\\spoolsv.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":20,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1108,"process_path":"C:\\Windows\\System32\\spoolsv.exe","process_name":"spoolsv.exe","unique_pid":20,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\spoolsv.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"b96c17b5dc1424d56eea3a99e97428cd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1136,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceNoNetwork"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":21,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1136,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":21,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ccd745aa6425c7637a34ff12ed8a1c18"},"pid":1320,"ppid":524,"name":"VGAuthService.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":22,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1320,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","process_name":"VGAuthService.exe","unique_pid":22,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ccd745aa6425c7637a34ff12ed8a1c18","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":1344,"ppid":524,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":23,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1344,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":23,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3f61b1a4fe078bb7705b508cfcbb987e"},"pid":1376,"ppid":524,"name":"ManagementAgentHost.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":24,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1376,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","process_name":"ManagementAgentHost.exe","unique_pid":24,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3f61b1a4fe078bb7705b508cfcbb987e","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1692,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":25,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1692,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":25,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1840,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":26,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1840,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":26,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126055000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"de0ece52236cfa3ed2dbfc03f28253a8"},"pid":960,"ppid":524,"name":"msdtc.exe","executable":"C:\\Windows\\System32\\msdtc.exe","args":["C:\\Windows\\System32\\msdtc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":27,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996550000000,"pid":960,"process_path":"C:\\Windows\\System32\\msdtc.exe","process_name":"msdtc.exe","unique_pid":27,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\msdtc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"de0ece52236cfa3ed2dbfc03f28253a8","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":3048,"ppid":3040,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":28,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":3048,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":28,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":2108,"ppid":3040,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":29,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":2108,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":29,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":968,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"25d284eb2f12254c001afe9a82575a81"},"pid":2704,"ppid":968,"name":"rdpclip.exe","executable":"C:\\Windows\\System32\\rdpclip.exe","args":["rdpclip"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":30,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2704,"process_path":"C:\\Windows\\System32\\rdpclip.exe","process_name":"rdpclip.exe","unique_pid":30,"user_name":"vagrant","user_domain":"vagrant","ppid":968,"unique_ppid":19,"command_line":"rdpclip","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"25d284eb2f12254c001afe9a82575a81","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"517110bd83835338c037269e603db55d"},"pid":2776,"ppid":524,"name":"taskhost.exe","executable":"C:\\Windows\\System32\\taskhost.exe","args":["taskhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":31,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2776,"process_path":"C:\\Windows\\System32\\taskhost.exe","process_name":"taskhost.exe","unique_pid":31,"user_name":"vagrant","user_domain":"vagrant","ppid":524,"unique_ppid":8,"command_line":"\"taskhost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"517110bd83835338c037269e603db55d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"e17e0188bb90fae42d83e98707efa59c"},"pid":2804,"ppid":524,"name":"sppsvc.exe","executable":"C:\\Windows\\System32\\sppsvc.exe","args":["C:\\Windows\\system32\\sppsvc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":32,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2804,"process_path":"C:\\Windows\\System32\\sppsvc.exe","process_name":"sppsvc.exe","unique_pid":32,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\sppsvc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"e17e0188bb90fae42d83e98707efa59c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":896,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"f162d5f5e845b9dc352dd1bad8cef1bc"},"pid":2464,"ppid":896,"name":"dwm.exe","executable":"C:\\Windows\\System32\\dwm.exe","args":["C:\\Windows\\system32\\Dwm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":33,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2464,"process_path":"C:\\Windows\\System32\\dwm.exe","process_name":"dwm.exe","unique_pid":33,"user_name":"vagrant","user_domain":"vagrant","ppid":896,"unique_ppid":16,"command_line":"\"C:\\Windows\\system32\\Dwm.exe\"","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"f162d5f5e845b9dc352dd1bad8cef1bc","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":3052},"hash":{"md5":"ac4c51eb24aa95b77f705ab159189e24"},"pid":2460,"ppid":3052,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe","args":["C:\\Windows\\Explorer.EXE"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":34,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","user_domain":"vagrant","ppid":3052,"command_line":"C:\\Windows\\Explorer.EXE","md5":"ac4c51eb24aa95b77f705ab159189e24","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":2604,"ppid":2460,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","-n","vmusr"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":35,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2604,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":35,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126121000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ad31942bdf3d594c404874613bc2fe4d"},"pid":1620,"ppid":524,"name":"SearchIndexer.exe","executable":"C:\\Windows\\System32\\SearchIndexer.exe","args":["C:\\Windows\\system32\\SearchIndexer.exe","/Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":36,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997210000000,"pid":1620,"process_path":"C:\\Windows\\System32\\SearchIndexer.exe","process_name":"SearchIndexer.exe","unique_pid":36,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ad31942bdf3d594c404874613bc2fe4d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3684,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceAndNoImpersonation"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":37,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3684,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":37,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3712,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","secsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":38,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3712,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":38,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k secsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":2864,"ppid":2460,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":39,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2864,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":39,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Windows\\system32\\cmd.exe\" ","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":3048,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":2228,"ppid":3048,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":40,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2228,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":40,"user_name":"vagrant","user_domain":"vagrant","ppid":3048,"unique_ppid":28,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504720431000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3820,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","SDRSVC"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":41,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491940310000000,"pid":3820,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":41,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k SDRSVC","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463013000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"773212b2aaa24c1e31f10246b15b276c"},"pid":3384,"ppid":524,"name":"TrustedInstaller.exe","executable":"C:\\Windows\\servicing\\TrustedInstaller.exe","args":["C:\\Windows\\servicing\\TrustedInstaller.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":42,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366130000000,"pid":3384,"process_path":"C:\\Windows\\servicing\\TrustedInstaller.exe","process_name":"TrustedInstaller.exe","unique_pid":42,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\servicing\\TrustedInstaller.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"773212b2aaa24c1e31f10246b15b276c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463023000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1860,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":43,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366230000000,"pid":1860,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":43,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463590000,"process":{"thread":{},"parent":{"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"65ea57712340c09b1b0c427b4848ae05"},"pid":660,"ppid":924,"name":"taskeng.exe","executable":"C:\\Windows\\System32\\taskeng.exe","args":["taskeng.exe","{6108575A-1CC2-4917-BB5D-5929CDC39B9C}"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":44,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509371900000000,"pid":660,"process_path":"C:\\Windows\\System32\\taskeng.exe","process_name":"taskeng.exe","unique_pid":44,"user_name":"vagrant","user_domain":"vagrant","ppid":924,"unique_ppid":17,"command_line":"taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"65ea57712340c09b1b0c427b4848ae05","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463637000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"a190da6546501cb4146bbcc0b6a3f48b"},"pid":760,"ppid":524,"name":"msiexec.exe","executable":"C:\\Windows\\System32\\msiexec.exe","args":["C:\\Windows\\system32\\msiexec.exe","/V"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":45,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509372370000000,"pid":760,"process_path":"C:\\Windows\\System32\\msiexec.exe","process_name":"msiexec.exe","unique_pid":45,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\msiexec.exe /V","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"a190da6546501cb4146bbcc0b6a3f48b","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463798000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":2824,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":46,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509373980000000,"pid":2824,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":46,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":3408,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":47,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3408,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":47,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":3408,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":420,"ppid":3408,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","worker.py","--target","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":48,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","ppid":3408,"unique_ppid":47,"command_line":"\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py","parent_process_name":"wsmprovhost.exe","parent_process_path":"C:\\Windows\\System32\\wsmprovhost.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":372,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":3080,"ppid":372,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":49,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3080,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":49,"user_name":"vagrant","user_domain":"vagrant","ppid":372,"unique_ppid":4,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1688,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","myappserver.py","--log-file","C:\\workspace\\dev\\myapp.out","--update-server-port","8446","--sout","C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":50,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1688,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":50,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1720,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":51,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1720,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":51,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463815000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"6a8649f3205b311e208ac35a04e99700"},"pid":2164,"ppid":648,"name":"LauncherProcess.exe","executable":"C:\\Windows\\System32\\LauncherProcess.exe","args":["C:\\Windows\\System32\\LauncherProcess.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":52,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374150000000,"pid":2164,"process_path":"C:\\Windows\\System32\\LauncherProcess.exe","process_name":"LauncherProcess.exe","unique_pid":52,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\System32\\LauncherProcess.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"6a8649f3205b311e208ac35a04e99700","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe","/c","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":53,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294209140,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":54,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294365140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"command_line":"\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":55,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374295457140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe","args":["svchost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":56,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374295613140,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"svchost.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463830000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":57,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374306065200,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":58,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374345689460,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":59,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":60,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":61,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe","args":["lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":62,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374345689460,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"lsass.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"request_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463835000,"dns":{"question":{"name":"teredo.ipv6.microsoft.com.","registered_domain":"microsoft.com."}},"network":{"protocol":"dns"},"process":{"thread":{},"parent":{},"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"source":{},"destination":{},"winlog":{"opcode":3008},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":63,"opcode":3008,"event_type_full":"dns_event","event_subtype_full":"request_event","timestamp":131509374350369490,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"teredo.ipv6.microsoft.com.","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":64,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374395921780,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":65,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":66,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":67,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe","args":["services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":68,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374395921780,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"services.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":69,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374446778110,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":70,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":71,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":72,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe","args":["csrss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":73,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374446778110,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"csrss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":74,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374497010430,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":76,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":77,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe","args":["smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":78,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374497010430,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"smss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463852000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":79,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374520566580,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":80,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374547086750,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":81,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":82,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":83,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":84,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374547086750,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"wininit.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":85,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374597163070,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":86,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":87,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":88,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe","args":["explorer.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":89,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374597163070,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"explorer.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":90,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":91,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":92,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":93,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"exit_code":0,"parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":94,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":95,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":96,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":392,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"63dd6fbaabf881385899fd39df13dce3"},"pid":3608,"ppid":392,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe","args":["net","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":97,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083494370,"pid":3608,"process_path":"C:\\Windows\\System32\\net.exe","process_name":"net.exe","unique_pid":750058,"user_name":"vagrant","user_domain":"vagrant","ppid":392,"unique_ppid":707545,"command_line":"net localgroup administrators findme2","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"63dd6fbaabf881385899fd39df13dce3","authentication_id":854482244,"original_file_name":"NET.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":3608,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe"},"hash":{"md5":"3b6928bc39e5530cead1e99269e7b1ee"},"pid":1348,"ppid":3608,"name":"net1.exe","executable":"C:\\Windows\\System32\\net1.exe","args":["C:\\Windows\\system32\\net1","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":98,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083806370,"pid":1348,"process_path":"C:\\Windows\\System32\\net1.exe","process_name":"net1.exe","unique_pid":750059,"user_name":"vagrant","user_domain":"vagrant","ppid":3608,"unique_ppid":750058,"command_line":"C:\\Windows\\system32\\net1 localgroup administrators findme2","parent_process_name":"net.exe","parent_process_path":"C:\\Windows\\System32\\net.exe","md5":"3b6928bc39e5530cead1e99269e7b1ee","authentication_id":854482244,"original_file_name":"net1.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764548000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","args":["C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe","tmp-file.csproj"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75273,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131762381484502110,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"command_line":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","authentication_id":13728872,"original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75303,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131762381493483680,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":860,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75304,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} +{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":10000,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75305,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":10000,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":99999,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} diff --git a/x-pack/plugin/eql/src/test/resources/endgame.json b/x-pack/plugin/eql/src/test/resources/endgame.json new file mode 100644 index 0000000000000..4e1c6dfb64298 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/endgame.json @@ -0,0 +1,2531 @@ +{ + "index_patterns": ["[index_pattern_placeholder]"], + "mappings": { + "doc": { + "_meta": { + "version": "1.4.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "doc_values": false, + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observer": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "settings": { + "index": { + "mapping": { + "ignore_malformed": true, + "total_fields": { + "limit": 10000 + } + }, + "number_of_replicas": 0, + "number_of_shards": 3 + } + } +} diff --git a/x-pack/plugin/eql/src/test/resources/test_queries.toml b/x-pack/plugin/eql/src/test/resources/test_queries.toml new file mode 100644 index 0000000000000..e2ee95c12e268 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries.toml @@ -0,0 +1,1298 @@ +[[queries]] +query = 'process where serial_event_id = 1' +expected_event_ids = [1] + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == "csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' diff --git a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml new file mode 100644 index 0000000000000..6a5071faae4a8 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml @@ -0,0 +1,1300 @@ +# This file is populated with currently unsupported queries. +# Serves as a blacklist, until our implementation starts supporting a specific query +# This file is expected to become empty once the feature parity is reached with the +# official EQL implementation + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == "csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' + diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle index e93099ec4b7a4..720bcbda168ee 100644 --- a/x-pack/plugin/sql/build.gradle +++ b/x-pack/plugin/sql/build.gradle @@ -26,6 +26,10 @@ configurations { archivesBaseName = 'x-pack-sql' +test { + testLogging.showStandardStreams = true +} + // All integration tests live in qa modules integTest.enabled = false From 86313844217e1b9c3c79b1b9208140e2c2478a07 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 12 Feb 2020 10:53:54 -0500 Subject: [PATCH 2/9] Rollback this PR change that caused the failure in telemetry checks --- .../elasticsearch/xpack/eql/plugin/EqlPlugin.java | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index f64134b94456c..eabac7fee4f6e 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -105,15 +105,12 @@ public List> getSettings() { @Override public List> getActions() { - if (enabled) { - return List.of( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), - new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), - new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) - ); - } - return List.of(); + return List.of( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), + new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), + new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) + ); } boolean isSnapshot() { From cd4a55d83e3227018bde92c92f71a481352392aa Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 12 Feb 2020 22:08:54 -0500 Subject: [PATCH 3/9] Fix code formatting --- .../xpack/eql/action/EqlSearchResponse.java | 12 +++++----- .../xpack/eql/plugin/EqlPlugin.java | 15 ++++++++---- .../eql/plugin/TransportEqlSearchAction.java | 10 ++++---- .../elasticsearch/xpack/eql/EqlTestUtils.java | 23 ++++++++++--------- .../xpack/eql/action/EqlActionIT.java | 2 +- .../xpack/eql/action/EqlSpec.java | 4 ++-- .../xpack/eql/action/EqlSpecLoader.java | 8 +++---- 7 files changed, 40 insertions(+), 34 deletions(-) diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index a0be93631b29e..73499f0fbe4fb 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java @@ -27,7 +27,6 @@ import java.util.List; import java.util.Objects; - /** * Response to perform an eql search * @@ -71,6 +70,7 @@ * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, null, counts, totals); * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); */ + public class EqlSearchResponse extends ActionResponse implements ToXContentObject { private final Hits hits; @@ -379,7 +379,7 @@ public Hits(StreamInput in) throws IOException { } else { totalHits = null; } - events = in.readBoolean() ? in.readList(SearchHit::new) : null; + events = in.readBoolean() ? in.readList(SearchHit::new) : null; sequences = in.readBoolean() ? in.readList(Sequence::new) : null; counts = in.readBoolean() ? in.readList(Count::new) : null; } @@ -484,19 +484,19 @@ public int hashCode() { return Objects.hash(events, sequences, counts, totalHits); } - public List events() { + public List events() { return this.events; } - public List sequences() { + public List sequences() { return this.sequences; } - public List counts() { + public List counts() { return this.counts; } - public TotalHits totalHits() { + public TotalHits totalHits() { return this.totalHits; } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index eabac7fee4f6e..bd2a5c1734d88 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -77,14 +77,17 @@ public EqlPlugin(final Settings settings) { } @Override - public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, - ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, - Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry) { + public Collection createComponents(Client client, ClusterService clusterService, + ThreadPool threadPool, ResourceWatcherService resourceWatcherService, + ScriptService scriptService, NamedXContentRegistry xContentRegistry, + Environment environment, NodeEnvironment nodeEnvironment, + NamedWriteableRegistry namedWriteableRegistry) { return createComponents(client, clusterService.getClusterName().value(), namedWriteableRegistry); } - private Collection createComponents(Client client, String clusterName, NamedWriteableRegistry namedWriteableRegistry) { + private Collection createComponents(Client client, String clusterName, + NamedWriteableRegistry namedWriteableRegistry) { IndexResolver indexResolver = new IndexResolver(client, clusterName, DefaultDataTypeRegistry.INSTANCE); PlanExecutor planExecutor = new PlanExecutor(client, indexResolver, namedWriteableRegistry); return Arrays.asList(planExecutor); @@ -138,5 +141,7 @@ public List getRestHandlers(Settings settings, } // overridable by tests - protected XPackLicenseState getLicenseState() { return XPackPlugin.getSharedLicenseState(); } + protected XPackLicenseState getLicenseState() { + return XPackPlugin.getSharedLicenseState(); + } } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java index 13e8fc89b9ec4..c5fb4961fd7fb 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java @@ -40,7 +40,7 @@ public class TransportEqlSearchAction extends HandledTransportAction listener) { + String clusterName, ActionListener listener) { // TODO: these should be sent by the client ZoneId zoneId = DateUtils.of("Z"); QueryBuilder filter = request.query(); @@ -64,9 +64,9 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request String clientId = null; ParserParams params = new ParserParams() - .fieldEventType(request.eventTypeField()) - .fieldTimestamp(request.timestampField()) - .implicitJoinKey(request.implicitJoinKeyField()); + .fieldEventType(request.eventTypeField()) + .fieldTimestamp(request.timestampField()) + .implicitJoinKey(request.implicitJoinKeyField()); Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, includeFrozen, clientId); //planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java index c414e04b6dd8f..2a5846b357c9c 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java @@ -18,20 +18,21 @@ public final class EqlTestUtils { - private EqlTestUtils() {} + private EqlTestUtils() { + } - public static final Configuration TEST_CFG = new Configuration(new String[] { "none" }, org.elasticsearch.xpack.ql.util.DateUtils.UTC, - "nobody", "cluster", null, TimeValue.timeValueSeconds(30), false, ""); + public static final Configuration TEST_CFG = new Configuration(new String[]{"none"}, org.elasticsearch.xpack.ql.util.DateUtils.UTC, + "nobody", "cluster", null, TimeValue.timeValueSeconds(30), false, ""); public static Configuration randomConfiguration() { - return new Configuration(new String[] {randomAlphaOfLength(16)}, - randomZone(), - randomAlphaOfLength(16), - randomAlphaOfLength(16), - null, - new TimeValue(randomNonNegativeLong()), - randomBoolean(), - randomAlphaOfLength(16)); + return new Configuration(new String[]{randomAlphaOfLength(16)}, + randomZone(), + randomAlphaOfLength(16), + randomAlphaOfLength(16), + null, + new TimeValue(randomNonNegativeLong()), + randomBoolean(), + randomAlphaOfLength(16)); } public static Tuple pathAndName(String string) { diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java index b8ba347c22b65..29a6567ac84f7 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -67,7 +67,7 @@ public void testEqlSearchAction() throws Exception { for (EqlSpec spec : specs) { boolean supported = true; // Check if spec is supported, simple iteration, cause the list is short. - for (EqlSpec unSpec: unsupportedSpecs) { + for (EqlSpec unSpec : unsupportedSpecs) { if (spec.query.equals(unSpec.query)) { supported = false; break; diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java index 3eb3c89a09f9a..2068eb0f7d25c 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java @@ -13,9 +13,9 @@ public class EqlSpec { String description; String note; - String []tags; + String[] tags; String query; - int []expectedEventIds; + int[] expectedEventIds; @Override public String toString() { diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java index c0157962b8a4e..8152ea2b47527 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java @@ -42,7 +42,7 @@ private static String[] readTags(String line) throws Exception { s = s.substring(1); } if (s.endsWith("\"") || s.endsWith("'")) { - s = s.substring(0, s.length()-1); + s = s.substring(0, s.length() - 1); } arr[i] = s.trim(); } @@ -54,7 +54,7 @@ private static String readValueLine(String line) throws Exception { if (idx == -1) { throw new IllegalArgumentException("Invalid string value: " + line); } - return line.substring(idx+1).trim(); + return line.substring(idx + 1).trim(); } private static String[] readArray(String line) throws Exception { @@ -62,7 +62,7 @@ private static String[] readArray(String line) throws Exception { if (!line.startsWith("[") && !line.endsWith("]")) { throw new IllegalArgumentException("Invalid array string value: " + line); } - String arr[] = line.substring(1, line.length()-1).split(","); + String arr[] = line.substring(1, line.length() - 1).split(","); ArrayList res = new ArrayList<>(); for (String s : arr) { @@ -107,7 +107,7 @@ private static String readString(String line, BufferedReader reader) throws Exce // Trim end delimiter if (line.endsWith(delim)) { - line = line.substring(0, line.length()-delim.length()); + line = line.substring(0, line.length() - delim.length()); } return line.trim(); From 7edf6c7c793ca1ca5625ba53c0c524f18b10dc4c Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Thu, 13 Feb 2020 09:44:22 -0500 Subject: [PATCH 4/9] Test the Andrei's suggested change to still support telemetry and put the plugin actions behind the feature flag --- .../org/elasticsearch/xpack/eql/plugin/EqlPlugin.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index bd2a5c1734d88..517f8179fcf1f 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -108,9 +108,15 @@ public List> getSettings() { @Override public List> getActions() { + if (enabled) { + return List.of( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), + new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), + new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) + ); + } return List.of( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class), new ActionHandler<>(XPackUsageFeatureAction.EQL, EqlUsageTransportAction.class), new ActionHandler<>(XPackInfoFeatureAction.EQL, EqlInfoTransportAction.class) ); From b6b7f53e14a2caa887adf3f956811b64138fbce4 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Tue, 18 Feb 2020 14:44:30 -0500 Subject: [PATCH 5/9] Addressed code review. Replaced manual toml parser with Apache licensed toml parser library --- x-pack/plugin/eql/build.gradle | 8 +- .../xpack/eql/action/EqlSearchResponse.java | 44 ----- .../elasticsearch/xpack/eql/EqlTestUtils.java | 15 -- .../xpack/eql/action/EqlActionIT.java | 12 +- .../xpack/eql/action/EqlSpec.java | 50 ++++- .../xpack/eql/action/EqlSpecLoader.java | 177 ++++-------------- .../resources/{endgame.dat => endgame.ndjson} | 0 x-pack/plugin/sql/build.gradle | 4 - 8 files changed, 94 insertions(+), 216 deletions(-) rename x-pack/plugin/eql/src/test/resources/{endgame.dat => endgame.ndjson} (100%) diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index e56d21e87cf35..97713aa8f7ee2 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle @@ -17,16 +17,11 @@ ext { archivesBaseName = 'x-pack-eql' -test { - testLogging.showStandardStreams = true -} - // All integration tests live in qa modules integTest.enabled = false // Instead we create a separate task to run the tests based on ESIntegTestCase task internalClusterTest(type: Test) { - testLogging.showStandardStreams = true mustRunAfter test include '**/*IT.class' systemProperty 'es.set.netty.runtime.available.processors', 'false' @@ -48,6 +43,9 @@ dependencies { testCompile project(path: ':modules:reindex', configuration: 'runtime') testCompile project(path: ':modules:parent-join', configuration: 'runtime') testCompile project(path: ':modules:analysis-common', configuration: 'runtime') + + // TOML parser for EqlActionIT tests + testCompile 'io.ous:jtoml:2.0.0' } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index 73499f0fbe4fb..0a88d40a789cd 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java @@ -27,50 +27,6 @@ import java.util.List; import java.util.Objects; -/** - * Response to perform an eql search - * - * Example events response: - * List<SearchHit> events = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(Arrays.asList( - * new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - * new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - * ), null, null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example sequence response: - * List<SearchHit> events1 = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * List<SearchHit> events2 = Arrays.asList( - * new SearchHit(1, "333", null), - * new SearchHit(2, "444", null) - * ); - * List<Sequence> sequences = Arrays.asList( - * new EqlSearchResponse.Sequence(new String[]{"4021"}, events1), - * new EqlSearchResponse.Sequence(new String[]{"2343"}, events2) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, sequences, null, new TotalHits(100, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example count response: - * TotalHits totals = new TotalHits(100, TotalHits.Relation.EQUAL_TO); - * List<Count> counts = Arrays.asList( - * new EqlSearchResponse.Count(40, new String[]{"foo", "bar"}, .42233f), - * new EqlSearchResponse.Count(15, new String[]{"foo", "bar"}, .170275f) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, null, counts, totals); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - */ - public class EqlSearchResponse extends ActionResponse implements ToXContentObject { private final Hits hits; diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java index 2a5846b357c9c..52545a5c672c5 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java @@ -6,10 +6,8 @@ package org.elasticsearch.xpack.eql; -import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.unit.TimeValue; import org.elasticsearch.xpack.eql.session.Configuration; -import org.elasticsearch.xpack.ql.util.StringUtils; import static org.elasticsearch.test.ESTestCase.randomAlphaOfLength; import static org.elasticsearch.test.ESTestCase.randomBoolean; @@ -34,17 +32,4 @@ public static Configuration randomConfiguration() { randomBoolean(), randomAlphaOfLength(16)); } - - public static Tuple pathAndName(String string) { - String folder = StringUtils.EMPTY; - String file = string; - int lastIndexOf = string.lastIndexOf("/"); - if (lastIndexOf > 0) { - folder = string.substring(0, lastIndexOf - 1); - if (lastIndexOf + 1 < string.length()) { - file = string.substring(lastIndexOf + 1); - } - } - return new Tuple<>(folder, file); - } } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java index 29a6567ac84f7..36cd007476280 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -44,7 +44,7 @@ public void testEqlSearchAction() throws Exception { .setSource(endgame.getBytes(StandardCharsets.UTF_8), XContentType.JSON).get()); // Insert test data - InputStream is = EqlActionIT.class.getResourceAsStream("/endgame.dat"); + InputStream is = EqlActionIT.class.getResourceAsStream("/endgame.ndjson"); BulkRequestBuilder bulkBuilder = client().prepareBulk(); try (BufferedReader reader = new BufferedReader( new InputStreamReader(is, StandardCharsets.UTF_8))) { @@ -68,27 +68,27 @@ public void testEqlSearchAction() throws Exception { boolean supported = true; // Check if spec is supported, simple iteration, cause the list is short. for (EqlSpec unSpec : unsupportedSpecs) { - if (spec.query.equals(unSpec.query)) { + if (spec.query() != null && spec.query().equals(unSpec.query())) { supported = false; break; } } if (supported) { - logger.info("execute: " + spec.query); + logger.info("execute: " + spec.query()); EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) - .indices(testIndexName).rule(spec.query).get(); + .indices(testIndexName).rule(spec.query()).get(); List events = response.hits().events(); assertNotNull(events); final int len = events.size(); - final int ids[] = new int[len]; + final long ids[] = new long[len]; for (int i = 0; i < events.size(); i++) { ids[i] = events.get(i).docId(); } final String msg = "unexpected result for spec: [" + spec.toString() + "]"; - assertArrayEquals(msg, spec.expectedEventIds, ids); + assertArrayEquals(msg, spec.expectedEventIds(), ids); } } } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java index 2068eb0f7d25c..1db8269656f6e 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java @@ -11,11 +11,51 @@ import java.util.Arrays; public class EqlSpec { - String description; - String note; - String[] tags; - String query; - int[] expectedEventIds; + private String description; + private String note; + private String[] tags; + private String query; + private long[] expectedEventIds; + + public String description() { + return description; + } + + public void description(String description) { + this.description = description; + } + + public String note() { + return note; + } + + public void note(String note) { + this.note = note; + } + + public String[] tags() { + return tags; + } + + public void tags(String[] tags) { + this.tags = tags; + } + + public String query() { + return query; + } + + public void query(String query) { + this.query = query; + } + + public long[] expectedEventIds() { + return expectedEventIds; + } + + public void expectedEventIds(long[] expectedEventIds) { + this.expectedEventIds = expectedEventIds; + } @Override public String toString() { diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java index 8152ea2b47527..f5fe4f93c315d 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java @@ -6,16 +6,14 @@ package org.elasticsearch.xpack.eql.action; -import io.netty.util.internal.StringUtil; +import io.ous.jtoml.JToml; +import io.ous.jtoml.Toml; +import io.ous.jtoml.TomlTable; +import org.elasticsearch.common.Strings; -import java.io.BufferedReader; import java.io.InputStream; -import java.io.InputStreamReader; -import java.nio.charset.StandardCharsets; import java.util.ArrayList; -import java.util.LinkedHashMap; import java.util.List; -import java.util.Map; public class EqlSpecLoader { public static List load(String path, boolean supported) throws Exception { @@ -24,154 +22,59 @@ public static List load(String path, boolean supported) throws Exceptio } } - private static int[] readExpectedEventIds(String line, BufferedReader reader) throws Exception { - String arr[] = readArray(line); - int ids[] = new int[arr.length]; - - for (int i = 0; i < arr.length; i++) { - ids[i] = Integer.parseInt(arr[i]); - } - return ids; - } - - private static String[] readTags(String line) throws Exception { - String arr[] = readArray(line); - for (int i = 0; i < arr.length; i++) { - String s = arr[i]; - if (s.startsWith("\"") || s.startsWith("'")) { - s = s.substring(1); - } - if (s.endsWith("\"") || s.endsWith("'")) { - s = s.substring(0, s.length() - 1); - } - arr[i] = s.trim(); - } - return arr; - } - - private static String readValueLine(String line) throws Exception { - int idx = line.indexOf("="); - if (idx == -1) { - throw new IllegalArgumentException("Invalid string value: " + line); - } - return line.substring(idx + 1).trim(); - } - - private static String[] readArray(String line) throws Exception { - line = readValueLine(line); - if (!line.startsWith("[") && !line.endsWith("]")) { - throw new IllegalArgumentException("Invalid array string value: " + line); - } - String arr[] = line.substring(1, line.length() - 1).split(","); - - ArrayList res = new ArrayList<>(); - for (String s : arr) { - s = s.trim(); - if (!s.isEmpty()) { - res.add(s); - } - } - - return res.toArray(new String[res.size()]); - } - - private static String readString(String line, BufferedReader reader) throws Exception { - line = readValueLine(line); - String delim = ""; - if (line.startsWith("\"") || line.startsWith("'")) { - delim = line.substring(0, 1); - if (line.startsWith("\"\"\"") || line.startsWith("'''")) { - delim = line.substring(0, 3); - } - } - - if (StringUtil.isNullOrEmpty(delim)) { - throw new IllegalArgumentException("Invalid string format, should start with ' or \" at least: " + line); - } - - // Trim start delimiter - if (line.startsWith(delim)) { - line = line.substring(delim.length()); - } - - // Read multiline string - if (!line.endsWith(delim)) { - String s; - while ((s = reader.readLine()) != null) { - line += " " + s.trim(); - if (line.endsWith(delim)) { - break; - } - } - } - - // Trim end delimiter - if (line.endsWith(delim)) { - line = line.substring(0, line.length() - delim.length()); - } - - return line.trim(); - } - private static void validateAndAddSpec(List specs, EqlSpec spec, boolean supported) throws Exception { - if (StringUtil.isNullOrEmpty(spec.query)) { + if (Strings.isNullOrEmpty(spec.query())) { throw new IllegalArgumentException("Read a test without a query value"); } - if (supported && spec.expectedEventIds == null) { + if (supported && spec.expectedEventIds() == null) { throw new IllegalArgumentException("Read a test without a expected_event_ids value"); } specs.add(spec); } - // Simple .toml spec parsing of the original EQL spec - // to avoid adding dependency on any actual toml library for now. + private static String getTrimmedString(TomlTable table, String key) { + String s = table.getString(key); + if (s != null) { + return s.trim(); + } + return null; + } + private static List readFromStream(InputStream is, boolean supported) throws Exception { - Map testNames = new LinkedHashMap<>(); List testSpecs = new ArrayList<>(); - EqlSpec spec = null; - try (BufferedReader reader = new BufferedReader( - new InputStreamReader(is, StandardCharsets.UTF_8))) { - - String line; - while ((line = reader.readLine()) != null) { - line = line.trim(); - // Ignore empty lines and comments - if (line.isEmpty() || line.startsWith("#")) { - continue; - } - if (line.startsWith("[[queries]]")) { - if (spec != null) { - validateAndAddSpec(testSpecs, spec, supported); - spec = null; - } - spec = new EqlSpec(); - continue; - } - if (line.startsWith("query")) { - spec.query = readString(line, reader); - } - - if (line.startsWith("expected_event_ids")) { - spec.expectedEventIds = readExpectedEventIds(line, reader); + EqlSpec spec; + Toml toml = JToml.parse(is); + + List queries = toml.getArrayTable("queries"); + for (TomlTable table : queries) { + spec = new EqlSpec(); + spec.query(getTrimmedString(table, "query")); + spec.note(getTrimmedString(table, "note")); + spec.description(getTrimmedString(table, "description")); + + List arr = table.getList("tags"); + if (arr != null) { + String tags[] = new String[arr.size()]; + int i = 0; + for (Object obj : arr) { + tags[i] = (String) obj; } + spec.tags(tags); + } - if (line.startsWith("tags")) { - spec.tags = readTags(line); - } - if (line.startsWith("note")) { - spec.note = readString(line, reader); + arr = table.getList("expected_event_ids"); + if (arr != null) { + long expectedEventIds[] = new long[arr.size()]; + int i = 0; + for (Object obj : arr) { + expectedEventIds[i++] = (Long) obj; } - if (line.startsWith("description")) { - spec.description = readString(line, reader); - } - } - // Append the last spec - if (spec != null) { - validateAndAddSpec(testSpecs, spec, supported); + spec.expectedEventIds(expectedEventIds); } + validateAndAddSpec(testSpecs, spec, supported); } return testSpecs; diff --git a/x-pack/plugin/eql/src/test/resources/endgame.dat b/x-pack/plugin/eql/src/test/resources/endgame.ndjson similarity index 100% rename from x-pack/plugin/eql/src/test/resources/endgame.dat rename to x-pack/plugin/eql/src/test/resources/endgame.ndjson diff --git a/x-pack/plugin/sql/build.gradle b/x-pack/plugin/sql/build.gradle index 720bcbda168ee..e93099ec4b7a4 100644 --- a/x-pack/plugin/sql/build.gradle +++ b/x-pack/plugin/sql/build.gradle @@ -26,10 +26,6 @@ configurations { archivesBaseName = 'x-pack-sql' -test { - testLogging.showStandardStreams = true -} - // All integration tests live in qa modules integTest.enabled = false From 9f3da81ff2595a0b0753ad986cfa3d99966c8488 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 19 Feb 2020 14:20:57 -0500 Subject: [PATCH 6/9] Replace the ECS test data with the flat json test data from origin EQL implementation --- x-pack/plugin/eql/build.gradle | 6 + .../xpack/eql/action/EqlActionIT.java | 34 +- .../eql/src/test/resources/endgame.json | 2531 ----------------- .../eql/src/test/resources/endgame.ndjson | 102 - .../eql/src/test/resources/test_data.json | 2080 ++++++++++++++ 5 files changed, 2097 insertions(+), 2656 deletions(-) delete mode 100644 x-pack/plugin/eql/src/test/resources/endgame.json delete mode 100644 x-pack/plugin/eql/src/test/resources/endgame.ndjson create mode 100644 x-pack/plugin/eql/src/test/resources/test_data.json diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index 97713aa8f7ee2..2d720f170d83c 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle @@ -46,6 +46,12 @@ dependencies { // TOML parser for EqlActionIT tests testCompile 'io.ous:jtoml:2.0.0' + + // JSON parser for tests input data + testCompile "com.fasterxml.jackson.core:jackson-core:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}" + } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java index 36cd007476280..f7c56811a38d2 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -6,6 +6,8 @@ package org.elasticsearch.xpack.eql.action; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; import org.elasticsearch.Build; import org.elasticsearch.action.bulk.BulkRequestBuilder; import org.elasticsearch.action.bulk.BulkResponse; @@ -15,14 +17,9 @@ import org.elasticsearch.search.SearchHit; import org.junit.BeforeClass; -import java.io.BufferedReader; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.nio.charset.StandardCharsets; +import java.util.Iterator; import java.util.List; -import static org.elasticsearch.test.StreamsUtils.copyToStringFromClasspath; -import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; import static org.hamcrest.Matchers.equalTo; public class EqlActionIT extends AbstractEqlIntegTestCase { @@ -35,27 +32,18 @@ public static void checkForSnapshot() { public void testEqlSearchAction() throws Exception { final String indexPrefix = "endgame"; final String testIndexName = indexPrefix + "-1.4.0"; - final String testIndexPattern = indexPrefix + "-*"; - - String endgame = copyToStringFromClasspath("/endgame.json"); - endgame = endgame.replace("[index_pattern_placeholder]", testIndexPattern); - - assertAcked(client().admin().indices().preparePutTemplate(testIndexName) - .setSource(endgame.getBytes(StandardCharsets.UTF_8), XContentType.JSON).get()); // Insert test data - InputStream is = EqlActionIT.class.getResourceAsStream("/endgame.ndjson"); + ObjectMapper mapper = new ObjectMapper(); BulkRequestBuilder bulkBuilder = client().prepareBulk(); - try (BufferedReader reader = new BufferedReader( - new InputStreamReader(is, StandardCharsets.UTF_8))) { - - String line; - while ((line = reader.readLine()) != null) { - bulkBuilder.add(new IndexRequest(testIndexName).source(line.trim(), XContentType.JSON)); - } - BulkResponse response = bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); - assertThat(response.hasFailures() ? response.buildFailureMessage() : "", response.hasFailures(), equalTo(false)); + JsonNode rootNode = mapper.readTree(this.getClass().getResourceAsStream("/test_data.json")); + Iterator entries = rootNode.elements(); + while (entries.hasNext()) { + JsonNode entry = entries.next(); + bulkBuilder.add(new IndexRequest(testIndexName).source(entry.toString(), XContentType.JSON)); } + BulkResponse bulkResponse = bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); + assertThat(bulkResponse.hasFailures() ? bulkResponse.buildFailureMessage() : "", bulkResponse.hasFailures(), equalTo(false)); ensureYellow(testIndexName); diff --git a/x-pack/plugin/eql/src/test/resources/endgame.json b/x-pack/plugin/eql/src/test/resources/endgame.json deleted file mode 100644 index 4e1c6dfb64298..0000000000000 --- a/x-pack/plugin/eql/src/test/resources/endgame.json +++ /dev/null @@ -1,2531 +0,0 @@ -{ - "index_patterns": ["[index_pattern_placeholder]"], - "mappings": { - "doc": { - "_meta": { - "version": "1.4.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "doc_values": false, - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "integer" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "observer": { - "properties": { - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "settings": { - "index": { - "mapping": { - "ignore_malformed": true, - "total_fields": { - "limit": 10000 - } - }, - "number_of_replicas": 0, - "number_of_shards": 3 - } - } -} diff --git a/x-pack/plugin/eql/src/test/resources/endgame.ndjson b/x-pack/plugin/eql/src/test/resources/endgame.ndjson deleted file mode 100644 index 66c9725505990..0000000000000 --- a/x-pack/plugin/eql/src/test/resources/endgame.ndjson +++ /dev/null @@ -1,102 +0,0 @@ -{"user":{"group":{}},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":0,"process":{"thread":{},"parent":{},"hash":{},"name":"System Idle Process"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":1,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":116444736000000000,"process_name":"System Idle Process","unique_pid":1,"xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"name":"System Idle Process"},"hash":{},"pid":4,"name":"System"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":2,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":4,"process_name":"System","unique_pid":2,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","unique_ppid":1,"parent_process_name":"System Idle Process","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":4,"name":"System"},"hash":{"md5":"63d3c30b497347495b8ea78a38188969"},"pid":284,"ppid":4,"name":"smss.exe","executable":"C:\\Windows\\System32\\smss.exe","args":["\\SystemRoot\\System32\\smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":3,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":284,"process_path":"C:\\Windows\\System32\\smss.exe","process_name":"smss.exe","unique_pid":3,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":4,"unique_ppid":2,"command_line":"\\SystemRoot\\System32\\smss.exe","parent_process_name":"System","md5":"63d3c30b497347495b8ea78a38188969","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":372,"ppid":364,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":4,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":372,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":4,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":364},"hash":{"md5":"94355c28c1970635a31b3fe52eb7ceba"},"pid":424,"ppid":364,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":5,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":424,"process_path":"C:\\Windows\\System32\\wininit.exe","process_name":"wininit.exe","unique_pid":5,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":364,"command_line":"wininit.exe","md5":"94355c28c1970635a31b3fe52eb7ceba","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":436,"ppid":416,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":6,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":436,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":6,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126051000,"process":{"thread":{},"parent":{"pid":416},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":472,"ppid":416,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":7,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996510000000,"pid":472,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":7,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":416,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"24acb7e5be595468e3b9aa488b9b4fcb"},"pid":524,"ppid":424,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe","args":["C:\\Windows\\system32\\services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":8,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":524,"process_path":"C:\\Windows\\System32\\services.exe","process_name":"services.exe","unique_pid":8,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\services.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"24acb7e5be595468e3b9aa488b9b4fcb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"7554a1b82b4a222fd4cc292abd38a558"},"pid":536,"ppid":424,"name":"lsass.exe","executable":"C:\\Windows\\System32\\lsass.exe","args":["C:\\Windows\\system32\\lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":9,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsass.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"7554a1b82b4a222fd4cc292abd38a558","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":424,"name":"wininit.exe","executable":"C:\\Windows\\System32\\wininit.exe"},"hash":{"md5":"9662ee182644511439f1c53745dc1c88"},"pid":544,"ppid":424,"name":"lsm.exe","executable":"C:\\Windows\\System32\\lsm.exe","args":["C:\\Windows\\system32\\lsm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":10,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":544,"process_path":"C:\\Windows\\System32\\lsm.exe","process_name":"lsm.exe","unique_pid":10,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":424,"unique_ppid":5,"command_line":"C:\\Windows\\system32\\lsm.exe","parent_process_name":"wininit.exe","parent_process_path":"C:\\Windows\\System32\\wininit.exe","md5":"9662ee182644511439f1c53745dc1c88","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":648,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","DcomLaunch"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":11,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":648,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":11,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf"},"pid":708,"ppid":524,"name":"vmacthlp.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":12,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":708,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe","process_name":"vmacthlp.exe","unique_pid":12,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3c4d41c4f8cdd2ca945e91a61e6cfbaf","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":752,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","RPCSS"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":13,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":752,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":13,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k RPCSS","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":472,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe"},"hash":{"md5":"715f03b4c7223349768013ea95d9e5b7"},"pid":828,"ppid":472,"name":"LogonUI.exe","executable":"C:\\Windows\\System32\\LogonUI.exe","args":["LogonUI.exe","/flags:0x0"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":14,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":828,"process_path":"C:\\Windows\\System32\\LogonUI.exe","process_name":"LogonUI.exe","unique_pid":14,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":472,"unique_ppid":7,"command_line":"\"LogonUI.exe\" /flags:0x0","parent_process_name":"winlogon.exe","parent_process_path":"C:\\Windows\\System32\\winlogon.exe","md5":"715f03b4c7223349768013ea95d9e5b7","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":848,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":15,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":848,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":15,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":896,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","LocalSystemNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":16,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126052000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":924,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","netsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":17,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996520000000,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k netsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":264,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":18,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":264,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":18,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":968,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkService"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":19,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":968,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":19,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkService","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"b96c17b5dc1424d56eea3a99e97428cd"},"pid":1108,"ppid":524,"name":"spoolsv.exe","executable":"C:\\Windows\\System32\\spoolsv.exe","args":["C:\\Windows\\System32\\spoolsv.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":20,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1108,"process_path":"C:\\Windows\\System32\\spoolsv.exe","process_name":"spoolsv.exe","unique_pid":20,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\spoolsv.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"b96c17b5dc1424d56eea3a99e97428cd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1136,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceNoNetwork"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":21,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1136,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":21,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ccd745aa6425c7637a34ff12ed8a1c18"},"pid":1320,"ppid":524,"name":"VGAuthService.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":22,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1320,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe","process_name":"VGAuthService.exe","unique_pid":22,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ccd745aa6425c7637a34ff12ed8a1c18","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":1344,"ppid":524,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":23,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1344,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":23,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126053000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"3f61b1a4fe078bb7705b508cfcbb987e"},"pid":1376,"ppid":524,"name":"ManagementAgentHost.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":24,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996530000000,"pid":1376,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe","process_name":"ManagementAgentHost.exe","unique_pid":24,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"3f61b1a4fe078bb7705b508cfcbb987e","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":1692,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","NetworkServiceNetworkRestricted"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":25,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1692,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":25,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126054000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1840,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":26,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996540000000,"pid":1840,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":26,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126055000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"de0ece52236cfa3ed2dbfc03f28253a8"},"pid":960,"ppid":524,"name":"msdtc.exe","executable":"C:\\Windows\\System32\\msdtc.exe","args":["C:\\Windows\\System32\\msdtc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":27,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996550000000,"pid":960,"process_path":"C:\\Windows\\System32\\msdtc.exe","process_name":"msdtc.exe","unique_pid":27,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\msdtc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"de0ece52236cfa3ed2dbfc03f28253a8","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"60c2862b4bf0fd9f582ef344c2b1ec72"},"pid":3048,"ppid":3040,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe","args":["%SystemRoot%\\system32\\csrss.exe","ObjectDirectory=\\Windows","SharedSection=1024,20480,768","Windows=On","SubSystemType=Windows","ServerDll=basesrv,1","ServerDll=winsrv:UserServerDllInitialization,3","ServerDll=winsrv:ConServerDllInitialization,2","ServerDll=sxssrv,4","ProfileControl=Off","MaxRequestThreads=16"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":28,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":3048,"process_path":"C:\\Windows\\System32\\csrss.exe","process_name":"csrss.exe","unique_pid":28,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","md5":"60c2862b4bf0fd9f582ef344c2b1ec72","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126079000,"process":{"thread":{},"parent":{"pid":3040},"hash":{"md5":"1151b1baa6f350b1db6598e0fea7c457"},"pid":2108,"ppid":3040,"name":"winlogon.exe","executable":"C:\\Windows\\System32\\winlogon.exe","args":["winlogon.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":29,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996790000000,"pid":2108,"process_path":"C:\\Windows\\System32\\winlogon.exe","process_name":"winlogon.exe","unique_pid":29,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":3040,"command_line":"winlogon.exe","md5":"1151b1baa6f350b1db6598e0fea7c457","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":968,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"25d284eb2f12254c001afe9a82575a81"},"pid":2704,"ppid":968,"name":"rdpclip.exe","executable":"C:\\Windows\\System32\\rdpclip.exe","args":["rdpclip"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":30,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2704,"process_path":"C:\\Windows\\System32\\rdpclip.exe","process_name":"rdpclip.exe","unique_pid":30,"user_name":"vagrant","user_domain":"vagrant","ppid":968,"unique_ppid":19,"command_line":"rdpclip","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"25d284eb2f12254c001afe9a82575a81","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"517110bd83835338c037269e603db55d"},"pid":2776,"ppid":524,"name":"taskhost.exe","executable":"C:\\Windows\\System32\\taskhost.exe","args":["taskhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":31,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2776,"process_path":"C:\\Windows\\System32\\taskhost.exe","process_name":"taskhost.exe","unique_pid":31,"user_name":"vagrant","user_domain":"vagrant","ppid":524,"unique_ppid":8,"command_line":"\"taskhost.exe\"","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"517110bd83835338c037269e603db55d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"NETWORK SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126081000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"e17e0188bb90fae42d83e98707efa59c"},"pid":2804,"ppid":524,"name":"sppsvc.exe","executable":"C:\\Windows\\System32\\sppsvc.exe","args":["C:\\Windows\\system32\\sppsvc.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":32,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485996810000000,"pid":2804,"process_path":"C:\\Windows\\System32\\sppsvc.exe","process_name":"sppsvc.exe","unique_pid":32,"user_name":"NETWORK SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\sppsvc.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"e17e0188bb90fae42d83e98707efa59c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":896,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"f162d5f5e845b9dc352dd1bad8cef1bc"},"pid":2464,"ppid":896,"name":"dwm.exe","executable":"C:\\Windows\\System32\\dwm.exe","args":["C:\\Windows\\system32\\Dwm.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":33,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2464,"process_path":"C:\\Windows\\System32\\dwm.exe","process_name":"dwm.exe","unique_pid":33,"user_name":"vagrant","user_domain":"vagrant","ppid":896,"unique_ppid":16,"command_line":"\"C:\\Windows\\system32\\Dwm.exe\"","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"f162d5f5e845b9dc352dd1bad8cef1bc","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":3052},"hash":{"md5":"ac4c51eb24aa95b77f705ab159189e24"},"pid":2460,"ppid":3052,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe","args":["C:\\Windows\\Explorer.EXE"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":34,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","user_domain":"vagrant","ppid":3052,"command_line":"C:\\Windows\\Explorer.EXE","md5":"ac4c51eb24aa95b77f705ab159189e24","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126115000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"404202d6f0628331aaade8c8f9ef6feb"},"pid":2604,"ppid":2460,"name":"vmtoolsd.exe","executable":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","args":["C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","-n","vmusr"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":35,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997150000000,"pid":2604,"process_path":"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe","process_name":"vmtoolsd.exe","unique_pid":35,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"404202d6f0628331aaade8c8f9ef6feb","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126121000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"ad31942bdf3d594c404874613bc2fe4d"},"pid":1620,"ppid":524,"name":"SearchIndexer.exe","executable":"C:\\Windows\\System32\\SearchIndexer.exe","args":["C:\\Windows\\system32\\SearchIndexer.exe","/Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":36,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997210000000,"pid":1620,"process_path":"C:\\Windows\\System32\\SearchIndexer.exe","process_name":"SearchIndexer.exe","unique_pid":36,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"ad31942bdf3d594c404874613bc2fe4d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"LOCAL SERVICE"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3684,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","LocalServiceAndNoImpersonation"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":37,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3684,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":37,"user_name":"LOCAL SERVICE","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504126175000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3712,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\System32\\svchost.exe","-k","secsvcs"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":38,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131485997750000000,"pid":3712,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":38,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\System32\\svchost.exe -k secsvcs","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":2460,"name":"explorer.exe","executable":"C:\\Windows\\explorer.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":2864,"ppid":2460,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":39,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2864,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":39,"user_name":"vagrant","user_domain":"vagrant","ppid":2460,"unique_ppid":34,"command_line":"\"C:\\Windows\\system32\\cmd.exe\" ","parent_process_name":"explorer.exe","parent_process_path":"C:\\Windows\\explorer.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504710219000,"process":{"thread":{},"parent":{"pid":3048,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":2228,"ppid":3048,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":40,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491838190000000,"pid":2228,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":40,"user_name":"vagrant","user_domain":"vagrant","ppid":3048,"unique_ppid":28,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1504720431000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"c78655bc80301d76ed4fef1c1ea40a7d"},"pid":3820,"ppid":524,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe","args":["C:\\Windows\\system32\\svchost.exe","-k","SDRSVC"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":41,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131491940310000000,"pid":3820,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":41,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\svchost.exe -k SDRSVC","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"c78655bc80301d76ed4fef1c1ea40a7d","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463013000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"773212b2aaa24c1e31f10246b15b276c"},"pid":3384,"ppid":524,"name":"TrustedInstaller.exe","executable":"C:\\Windows\\servicing\\TrustedInstaller.exe","args":["C:\\Windows\\servicing\\TrustedInstaller.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":42,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366130000000,"pid":3384,"process_path":"C:\\Windows\\servicing\\TrustedInstaller.exe","process_name":"TrustedInstaller.exe","unique_pid":42,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\servicing\\TrustedInstaller.exe","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"773212b2aaa24c1e31f10246b15b276c","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463023000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"8f4ecbbfe943030acfd9e892b2513ec1"},"pid":1860,"ppid":648,"name":"WmiPrvSE.exe","executable":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","args":["C:\\Windows\\system32\\wbem\\wmiprvse.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":43,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509366230000000,"pid":1860,"process_path":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","process_name":"WmiPrvSE.exe","unique_pid":43,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wbem\\wmiprvse.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"8f4ecbbfe943030acfd9e892b2513ec1","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463590000,"process":{"thread":{},"parent":{"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"65ea57712340c09b1b0c427b4848ae05"},"pid":660,"ppid":924,"name":"taskeng.exe","executable":"C:\\Windows\\System32\\taskeng.exe","args":["taskeng.exe","{6108575A-1CC2-4917-BB5D-5929CDC39B9C}"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":44,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509371900000000,"pid":660,"process_path":"C:\\Windows\\System32\\taskeng.exe","process_name":"taskeng.exe","unique_pid":44,"user_name":"vagrant","user_domain":"vagrant","ppid":924,"unique_ppid":17,"command_line":"taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"65ea57712340c09b1b0c427b4848ae05","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463637000,"process":{"thread":{},"parent":{"pid":524,"name":"services.exe","executable":"C:\\Windows\\System32\\services.exe"},"hash":{"md5":"a190da6546501cb4146bbcc0b6a3f48b"},"pid":760,"ppid":524,"name":"msiexec.exe","executable":"C:\\Windows\\System32\\msiexec.exe","args":["C:\\Windows\\system32\\msiexec.exe","/V"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":45,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509372370000000,"pid":760,"process_path":"C:\\Windows\\System32\\msiexec.exe","process_name":"msiexec.exe","unique_pid":45,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":524,"unique_ppid":8,"command_line":"C:\\Windows\\system32\\msiexec.exe /V","parent_process_name":"services.exe","parent_process_path":"C:\\Windows\\System32\\services.exe","md5":"a190da6546501cb4146bbcc0b6a3f48b","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463798000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":2824,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":46,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509373980000000,"pid":2824,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":46,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"3e5cfefdda537ddbed9f5c6c7e926cdd"},"pid":3408,"ppid":648,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe","args":["C:\\Windows\\system32\\wsmprovhost.exe","-Embedding"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":47,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3408,"process_path":"C:\\Windows\\System32\\wsmprovhost.exe","process_name":"wsmprovhost.exe","unique_pid":47,"user_name":"vagrant","user_domain":"vagrant","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\system32\\wsmprovhost.exe -Embedding","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"3e5cfefdda537ddbed9f5c6c7e926cdd","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":3408,"name":"wsmprovhost.exe","executable":"C:\\Windows\\System32\\wsmprovhost.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":420,"ppid":3408,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","worker.py","--target","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":48,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","ppid":3408,"unique_ppid":47,"command_line":"\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py","parent_process_name":"wsmprovhost.exe","parent_process_path":"C:\\Windows\\System32\\wsmprovhost.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463802000,"process":{"thread":{},"parent":{"pid":372,"name":"csrss.exe","executable":"C:\\Windows\\System32\\csrss.exe"},"hash":{"md5":"bd51024fb014064bc9fe8c715c18392f"},"pid":3080,"ppid":372,"name":"conhost.exe","executable":"C:\\Windows\\System32\\conhost.exe","args":["\\??\\C:\\Windows\\system32\\conhost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":49,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374020000000,"pid":3080,"process_path":"C:\\Windows\\System32\\conhost.exe","process_name":"conhost.exe","unique_pid":49,"user_name":"vagrant","user_domain":"vagrant","ppid":372,"unique_ppid":4,"command_line":"\\??\\C:\\Windows\\system32\\conhost.exe","parent_process_name":"csrss.exe","parent_process_path":"C:\\Windows\\System32\\csrss.exe","md5":"bd51024fb014064bc9fe8c715c18392f","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1688,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","myappserver.py","--log-file","C:\\workspace\\dev\\myapp.out","--update-server-port","8446","--sout","C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":50,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1688,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":50,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463810000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":1720,"ppid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":51,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374100000000,"pid":1720,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":51,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"already_running","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463815000,"process":{"thread":{},"parent":{"pid":648,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"hash":{"md5":"6a8649f3205b311e208ac35a04e99700"},"pid":2164,"ppid":648,"name":"LauncherProcess.exe","executable":"C:\\Windows\\System32\\LauncherProcess.exe","args":["C:\\Windows\\System32\\LauncherProcess.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":52,"opcode":3,"event_type_full":"process_event","event_subtype_full":"already_running","timestamp":131509374150000000,"pid":2164,"process_path":"C:\\Windows\\System32\\LauncherProcess.exe","process_name":"LauncherProcess.exe","unique_pid":52,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","ppid":648,"unique_ppid":11,"command_line":"C:\\Windows\\System32\\LauncherProcess.exe","parent_process_name":"svchost.exe","parent_process_path":"C:\\Windows\\System32\\svchost.exe","md5":"6a8649f3205b311e208ac35a04e99700","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe","args":["C:\\Windows\\system32\\cmd.exe","/c","c:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":53,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294209140,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"command_line":"C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe","args":["C:\\Python27\\python.exe","C:\\workspace\\red_ttp\\process_name_masquerade.py"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":54,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374294365140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"command_line":"\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":55,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374295457140,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463829000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe","args":["svchost.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":56,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374295613140,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"svchost.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463830000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":57,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374306065200,"pid":2460,"process_path":"C:\\Windows\\explorer.exe","process_name":"explorer.exe","unique_pid":34,"user_name":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":2760,"ppid":2256,"name":"svchost.exe","executable":"C:\\workspace\\red_ttp\\svchost.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":58,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374345689460,"pid":2760,"process_path":"C:\\workspace\\red_ttp\\svchost.exe","process_name":"svchost.exe","unique_pid":56,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":59,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":60,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":61,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374345689460,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463834000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe","args":["lsass.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":62,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374345689460,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"lsass.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"request_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463835000,"dns":{"question":{"name":"teredo.ipv6.microsoft.com.","registered_domain":"microsoft.com."}},"network":{"protocol":"dns"},"process":{"thread":{},"parent":{},"pid":924,"name":"svchost.exe","executable":"C:\\Windows\\System32\\svchost.exe"},"source":{},"destination":{},"winlog":{"opcode":3008},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":63,"opcode":3008,"event_type_full":"dns_event","event_subtype_full":"request_event","timestamp":131509374350369490,"pid":924,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":17,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"teredo.ipv6.microsoft.com.","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3696,"ppid":2256,"name":"lsass.exe","executable":"C:\\workspace\\red_ttp\\lsass.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":64,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374395921780,"pid":3696,"process_path":"C:\\workspace\\red_ttp\\lsass.exe","process_name":"lsass.exe","unique_pid":62,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":65,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":66,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":67,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374395921780,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463839000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe","args":["services.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":68,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374395921780,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"services.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1832,"ppid":2256,"name":"services.exe","executable":"C:\\workspace\\red_ttp\\services.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":69,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374446778110,"pid":1832,"process_path":"C:\\workspace\\red_ttp\\services.exe","process_name":"services.exe","unique_pid":68,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":70,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":71,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":72,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374446778110,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463844000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe","args":["csrss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":73,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374446778110,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"csrss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3948,"ppid":2256,"name":"csrss.exe","executable":"C:\\workspace\\red_ttp\\csrss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":74,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374497010430,"pid":3948,"process_path":"C:\\workspace\\red_ttp\\csrss.exe","process_name":"csrss.exe","unique_pid":73,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":76,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":77,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374497010430,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463849000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe","args":["smss.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":78,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374497010430,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"smss.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"registry_modify_event","category":"registry","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463852000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":79,"opcode":1,"event_type_full":"registry_event","event_subtype_full":"registry_modify_event","timestamp":131509374520566580,"pid":536,"process_path":"C:\\Windows\\System32\\lsass.exe","process_name":"lsass.exe","unique_pid":9,"user_name":"SYSTEM","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":3720,"ppid":2256,"name":"smss.exe","executable":"C:\\workspace\\red_ttp\\smss.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":80,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374547086750,"pid":3720,"process_path":"C:\\workspace\\red_ttp\\smss.exe","process_name":"smss.exe","unique_pid":78,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":81,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":82,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":83,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374547086750,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463854000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe","args":["wininit.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":84,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374547086750,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"wininit.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":1680,"ppid":2256,"name":"wininit.exe","executable":"C:\\workspace\\red_ttp\\wininit.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":85,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374597163070,"pid":1680,"process_path":"C:\\workspace\\red_ttp\\wininit.exe","process_name":"wininit.exe","unique_pid":84,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":86,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":87,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":88,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374597163070,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463859000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe","args":["explorer.exe"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":89,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131509374597163070,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"command_line":"explorer.exe","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":2256,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"f49c54c4997a0401db0f6640a6111c52"},"pid":4080,"ppid":2256,"name":"explorer.exe","executable":"C:\\workspace\\red_ttp\\explorer.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":90,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":4080,"process_path":"C:\\workspace\\red_ttp\\explorer.exe","process_name":"explorer.exe","unique_pid":89,"user_name":"vagrant","user_domain":"vagrant","ppid":2256,"unique_ppid":54,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"f49c54c4997a0401db0f6640a6111c52","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_delete_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":91,"opcode":2,"event_type_full":"file_event","event_subtype_full":"file_delete_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"NT AUTHORITY","name":"SYSTEM"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":92,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":896,"process_path":"C:\\Windows\\System32\\svchost.exe","process_name":"svchost.exe","unique_pid":16,"user_name":"SYSTEM","user_domain":"NT AUTHORITY","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":1788,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"21f73cd55626f0ec9fbce53eafbef128"},"pid":2256,"ppid":1788,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":93,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":2256,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":54,"user_name":"vagrant","user_domain":"vagrant","ppid":1788,"unique_ppid":53,"exit_code":0,"parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"21f73cd55626f0ec9fbce53eafbef128","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"process":{"thread":{},"parent":{"pid":420,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"5746bd7e255dd6a8afa06f7c42c1ba41"},"pid":1788,"ppid":420,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":94,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131509374647239400,"pid":1788,"process_path":"C:\\Windows\\System32\\cmd.exe","process_name":"cmd.exe","unique_pid":53,"user_name":"vagrant","user_domain":"vagrant","ppid":420,"unique_ppid":48,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"5746bd7e255dd6a8afa06f7c42c1ba41","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":95,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"file_create_event","category":"file","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1506463864000,"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":96,"opcode":0,"event_type_full":"file_event","event_subtype_full":"file_create_event","timestamp":131509374647239400,"pid":420,"process_path":"C:\\Python27\\python.exe","process_name":"python.exe","unique_pid":48,"user_name":"vagrant","user_domain":"vagrant","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":392,"name":"cmd.exe","executable":"C:\\Windows\\System32\\cmd.exe"},"hash":{"md5":"63dd6fbaabf881385899fd39df13dce3"},"pid":3608,"ppid":392,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe","args":["net","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":97,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083494370,"pid":3608,"process_path":"C:\\Windows\\System32\\net.exe","process_name":"net.exe","unique_pid":750058,"user_name":"vagrant","user_domain":"vagrant","ppid":392,"unique_ppid":707545,"command_line":"net localgroup administrators findme2","parent_process_name":"cmd.exe","parent_process_path":"C:\\Windows\\System32\\cmd.exe","md5":"63dd6fbaabf881385899fd39df13dce3","authentication_id":854482244,"original_file_name":"NET.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1516116808000,"process":{"thread":{},"parent":{"pid":3608,"name":"net.exe","executable":"C:\\Windows\\System32\\net.exe"},"hash":{"md5":"3b6928bc39e5530cead1e99269e7b1ee"},"pid":1348,"ppid":3608,"name":"net1.exe","executable":"C:\\Windows\\System32\\net1.exe","args":["C:\\Windows\\system32\\net1","localgroup","administrators","findme2"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":98,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131605904083806370,"pid":1348,"process_path":"C:\\Windows\\System32\\net1.exe","process_name":"net1.exe","unique_pid":750059,"user_name":"vagrant","user_domain":"vagrant","ppid":3608,"unique_ppid":750058,"command_line":"C:\\Windows\\system32\\net1 localgroup administrators findme2","parent_process_name":"net.exe","parent_process_path":"C:\\Windows\\System32\\net.exe","md5":"3b6928bc39e5530cead1e99269e7b1ee","authentication_id":854482244,"original_file_name":"net1.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"creation_event","category":"process","type":"process_start","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764548000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","args":["C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe","tmp-file.csproj"]},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75273,"opcode":1,"event_type_full":"process_event","event_subtype_full":"creation_event","timestamp":131762381484502110,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"command_line":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj","parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","authentication_id":13728872,"original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"termination_event","category":"process","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"process":{"thread":{},"parent":{"pid":1196,"name":"python.exe","executable":"C:\\Python27\\python.exe"},"hash":{"md5":"4b736b85e5de65e572f28a91e31b99bf"},"pid":860,"ppid":1196,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75303,"opcode":2,"event_type_full":"process_event","event_subtype_full":"termination_event","timestamp":131762381493483680,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","ppid":1196,"unique_ppid":75248,"exit_code":0,"parent_process_name":"python.exe","parent_process_path":"C:\\Python27\\python.exe","md5":"4b736b85e5de65e572f28a91e31b99bf","original_file_name":"MSBuild.exe","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":860,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75304,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":860,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":75273,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} -{"user":{"group":{},"domain":"vagrant","name":"vagrant"},"host":{"os":{"platform":"windows","name":"Windows"},"ip":"127.0.0.1","hostname":"localhost","name":"localhost"},"event":{"module":"endgame","dataset":"esensor","action":"ipv4_connection_attempt_event","category":"network","kind":"event"},"labels":{"account_id":"f6c123dc-b6d9-4849-937b-08c444ce7d96","endpoint_id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66"},"agent":{"type":"endgame","id":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","version":"3.54.0"},"ecs":{"version":"1.1.0"},"@timestamp":1531764549000,"network":{"community_id":"1:s6xjF74V/BrREHI7j91ddQ0zcY8=","transport":"tcp"},"process":{"thread":{},"parent":{},"pid":10000,"name":"MSBuild.exe","executable":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"},"source":{"address":"10.6.48.157","ip":"10.6.48.157","port":52178},"destination":{"address":"10.6.48.157","port":8000,"ip":"10.6.48.157"},"winlog":{"opcode":12},"endgame":{"name":"localhost","eid":"6a19472c-f0ab-4f3a-b83d-dc3698a5ff66","MID":"","ip":"127.0.0.1","sver":"3.54.0","os_type":"windows","serial_event_id":75305,"opcode":12,"event_type_full":"network_event","event_subtype_full":"ipv4_connection_attempt_event","timestamp":131762381493039760,"pid":10000,"process_path":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","process_name":"MSBuild.exe","unique_pid":99999,"user_name":"vagrant","user_domain":"vagrant","protocol":"tcp","destination_address":"10.6.48.157","destination_port":8000,"source_port":52178,"source_address":"10.6.48.157","xml_message":"","provider_name":"","provider_guid":"","channel_name":"","subject_user_sid":"","subject_user_name":"","subject_domain_name":"","subject_logon_id":"","target_domain_name":"","target_user_name":"","target_logon_id":"","ip_address":"","computer_name":"","privilege_list":"","logon_type":null,"system_thread_id":null,"system_pid":null,"system_process_name":"","query_name":"","query_type":null,"query_results":null,"metadata":{"collection_time":0}}} diff --git a/x-pack/plugin/eql/src/test/resources/test_data.json b/x-pack/plugin/eql/src/test/resources/test_data.json new file mode 100644 index 0000000000000..4a08e7f7a5542 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_data.json @@ -0,0 +1,2080 @@ +[ + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "pid": 0, + "process_name": "System Idle Process", + "serial_event_id": 1, + "subtype": "create", + "timestamp": 116444736000000000, + "unique_pid": 1 + }, + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "parent_process_name": "System Idle Process", + "pid": 4, + "process_name": "System", + "serial_event_id": 2, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 2, + "unique_ppid": 1, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\\SystemRoot\\System32\\smss.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63d3c30b497347495b8ea78a38188969", + "opcode": 3, + "parent_process_name": "System", + "pid": 284, + "ppid": 4, + "process_name": "smss.exe", + "process_path": "C:\\Windows\\System32\\smss.exe", + "serial_event_id": 3, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 3, + "unique_ppid": 2, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 372, + "ppid": 364, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 4, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 4, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "94355c28c1970635a31b3fe52eb7ceba", + "opcode": 3, + "pid": 424, + "ppid": 364, + "process_name": "wininit.exe", + "process_path": "C:\\Windows\\System32\\wininit.exe", + "serial_event_id": 5, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 5, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 436, + "ppid": 416, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 6, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 6, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 472, + "ppid": 416, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 7, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 7, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\services.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "24acb7e5be595468e3b9aa488b9b4fcb", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 524, + "ppid": 424, + "process_name": "services.exe", + "process_path": "C:\\Windows\\System32\\services.exe", + "serial_event_id": 8, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 8, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsass.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "7554a1b82b4a222fd4cc292abd38a558", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 536, + "ppid": 424, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + "serial_event_id": 9, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 9, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsm.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "9662ee182644511439f1c53745dc1c88", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 544, + "ppid": 424, + "process_name": "lsm.exe", + "process_path": "C:\\Windows\\System32\\lsm.exe", + "serial_event_id": 10, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 10, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 648, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 11, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 11, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3c4d41c4f8cdd2ca945e91a61e6cfbaf", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 708, + "ppid": 524, + "process_name": "vmacthlp.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe", + "serial_event_id": 12, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 12, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 752, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 13, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 13, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"LogonUI.exe\" /flags:0x0", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "715f03b4c7223349768013ea95d9e5b7", + "opcode": 3, + "parent_process_name": "winlogon.exe", + "parent_process_path": "C:\\Windows\\System32\\winlogon.exe", + "pid": 828, + "ppid": 472, + "process_name": "LogonUI.exe", + "process_path": "C:\\Windows\\System32\\LogonUI.exe", + "serial_event_id": 14, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 14, + "unique_ppid": 7, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 848, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 15, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 15, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 896, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 16, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 16, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 924, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 17, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 17, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 264, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 18, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 18, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 968, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 19, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 19, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\spoolsv.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "b96c17b5dc1424d56eea3a99e97428cd", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1108, + "ppid": 524, + "process_name": "spoolsv.exe", + "process_path": "C:\\Windows\\System32\\spoolsv.exe", + "serial_event_id": 20, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 20, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1136, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 21, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 21, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ccd745aa6425c7637a34ff12ed8a1c18", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1320, + "ppid": 524, + "process_name": "VGAuthService.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe", + "serial_event_id": 22, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 22, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1344, + "ppid": 524, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "serial_event_id": 23, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 23, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3f61b1a4fe078bb7705b508cfcbb987e", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1376, + "ppid": 524, + "process_name": "ManagementAgentHost.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe", + "serial_event_id": 24, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 24, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1692, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 25, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 25, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1840, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 26, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 26, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\msdtc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "de0ece52236cfa3ed2dbfc03f28253a8", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 960, + "ppid": 524, + "process_name": "msdtc.exe", + "process_path": "C:\\Windows\\System32\\msdtc.exe", + "serial_event_id": 27, + "subtype": "create", + "timestamp": 131485996550000000, + "unique_pid": 27, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 3048, + "ppid": 3040, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 28, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 28, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 2108, + "ppid": 3040, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 29, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 29, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "rdpclip", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "25d284eb2f12254c001afe9a82575a81", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2704, + "ppid": 968, + "process_name": "rdpclip.exe", + "process_path": "C:\\Windows\\System32\\rdpclip.exe", + "serial_event_id": 30, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 30, + "unique_ppid": 19, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"taskhost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "517110bd83835338c037269e603db55d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 2776, + "ppid": 524, + "process_name": "taskhost.exe", + "process_path": "C:\\Windows\\System32\\taskhost.exe", + "serial_event_id": 31, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 31, + "unique_ppid": 8, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "e17e0188bb90fae42d83e98707efa59c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 2804, + "ppid": 524, + "process_name": "sppsvc.exe", + "process_path": "C:\\Windows\\System32\\sppsvc.exe", + "serial_event_id": 32, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 32, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"C:\\Windows\\system32\\Dwm.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f162d5f5e845b9dc352dd1bad8cef1bc", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2464, + "ppid": 896, + "process_name": "dwm.exe", + "process_path": "C:\\Windows\\System32\\dwm.exe", + "serial_event_id": 33, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 33, + "unique_ppid": 16, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\Explorer.EXE", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "opcode": 3, + "pid": 2460, + "ppid": 3052, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "serial_event_id": 34, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 34, + "unique_ppid": 0, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2604, + "ppid": 2460, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "serial_event_id": 35, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 35, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ad31942bdf3d594c404874613bc2fe4d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1620, + "ppid": 524, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "serial_event_id": 36, + "subtype": "create", + "timestamp": 131485997210000000, + "unique_pid": 36, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3684, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 37, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 37, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k secsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3712, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 38, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 38, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2864, + "ppid": 2460, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 39, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 39, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 2228, + "ppid": 3048, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 40, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 40, + "unique_ppid": 28, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k SDRSVC", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3820, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 41, + "subtype": "create", + "timestamp": 131491940310000000, + "unique_pid": 41, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "773212b2aaa24c1e31f10246b15b276c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3384, + "ppid": 524, + "process_name": "TrustedInstaller.exe", + "process_path": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "serial_event_id": 42, + "subtype": "create", + "timestamp": 131509366130000000, + "unique_pid": 42, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1860, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 43, + "subtype": "create", + "timestamp": 131509366230000000, + "unique_pid": 43, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "65ea57712340c09b1b0c427b4848ae05", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 660, + "ppid": 924, + "process_name": "taskeng.exe", + "process_path": "C:\\Windows\\System32\\taskeng.exe", + "serial_event_id": 44, + "subtype": "create", + "timestamp": 131509371900000000, + "unique_pid": 44, + "unique_ppid": 17, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\msiexec.exe /V", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "a190da6546501cb4146bbcc0b6a3f48b", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 760, + "ppid": 524, + "process_name": "msiexec.exe", + "process_path": "C:\\Windows\\System32\\msiexec.exe", + "serial_event_id": 45, + "subtype": "create", + "timestamp": 131509372370000000, + "unique_pid": 45, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2824, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 46, + "subtype": "create", + "timestamp": 131509373980000000, + "unique_pid": 46, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 3408, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 47, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 47, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "wsmprovhost.exe", + "parent_process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "pid": 420, + "ppid": 3408, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 48, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 48, + "unique_ppid": 47, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 3080, + "ppid": 372, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 49, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 49, + "unique_ppid": 4, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1688, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 50, + "subtype": "create", + "timestamp": 131509374100000000, + "unique_pid": 50, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1720, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 51, + "subtype": "create", + "timestamp": 131509374100000000, + "unique_pid": 51, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\System32\\LauncherProcess.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "6a8649f3205b311e208ac35a04e99700", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2164, + "ppid": 648, + "process_name": "LauncherProcess.exe", + "process_path": "C:\\Windows\\System32\\LauncherProcess.exe", + "serial_event_id": 52, + "subtype": "create", + "timestamp": 131509374150000000, + "unique_pid": 52, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 53, + "subtype": "create", + "timestamp": 131509374294209140, + "unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 1, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 54, + "subtype": "create", + "timestamp": 131509374294365140, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 55, + "subtype": "create", + "timestamp": 131509374295457140, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "svchost.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 56, + "subtype": "create", + "timestamp": 131509374295613140, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 20, + "bytes_written_string_list": [ + "en-US", + "en" + ], + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + "event_type_full": "registry_event", + "key_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "key_type": "multiSz", + "opcode": 1, + "pid": 2460, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "registry_key": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E", + "registry_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "registry_type": "multi_string", + "registry_value": "LanguageList", + "serial_event_id": 57, + "timestamp": 131509374306065200, + "unique_pid": 34, + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 58, + "subtype": "terminate", + "timestamp": 131509374345689460, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 59, + "subtype": "modify", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SVCHOST.EXE-CB1B3AA2.pf", + "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-CB1B3AA2.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 60, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 61, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "lsass.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 62, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "request_event", + "event_type": "dns", + "event_type_full": "dns_event", + "opcode": 3008, + "pid": 924, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "query_name": "teredo.ipv6.microsoft.com.", + "serial_event_id": 63, + "timestamp": 131509374350369490, + "unique_pid": 17, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 64, + "subtype": "terminate", + "timestamp": 131509374395921780, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 65, + "subtype": "modify", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "LSASS.EXE-02265BD5.pf", + "file_path": "C:\\Windows\\Prefetch\\LSASS.EXE-02265BD5.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 66, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 67, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "services.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 68, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 69, + "subtype": "terminate", + "timestamp": 131509374446778110, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 70, + "subtype": "modify", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SERVICES.EXE-01D9177B.pf", + "file_path": "C:\\Windows\\Prefetch\\SERVICES.EXE-01D9177B.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 71, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 72, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "csrss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 73, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 74, + "subtype": "terminate", + "timestamp": 131509374497010430, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 75, + "subtype": "modify", + "timestamp": 131509374497010430, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 76, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "CSRSS.EXE-006B4E4D.pf", + "file_path": "C:\\Windows\\Prefetch\\CSRSS.EXE-006B4E4D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 77, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "smss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 78, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 80, + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + "event_type_full": "registry_event", + "key_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "key_type": "binary", + "opcode": 1, + "pid": 536, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + "registry_key": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9", + "registry_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "registry_type": "binary", + "registry_value": "F", + "serial_event_id": 79, + "timestamp": 131509374520566580, + "unique_pid": 9, + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 80, + "subtype": "terminate", + "timestamp": 131509374547086750, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 81, + "subtype": "modify", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SMSS.EXE-8C66D82D.pf", + "file_path": "C:\\Windows\\Prefetch\\SMSS.EXE-8C66D82D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 82, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 83, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 84, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 85, + "subtype": "terminate", + "timestamp": 131509374597163070, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 86, + "subtype": "modify", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "WININIT.EXE-F4D46129.pf", + "file_path": "C:\\Windows\\Prefetch\\WININIT.EXE-F4D46129.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 87, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 88, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "explorer.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 89, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 90, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 91, + "subtype": "modify", + "timestamp": 131509374647239400, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "EXPLORER.EXE-854AF04C.pf", + "file_path": "C:\\Windows\\Prefetch\\EXPLORER.EXE-854AF04C.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 92, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 2, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 93, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 94, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\dev\\TestLogs\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 95, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 96, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + "command_line": "net localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63dd6fbaabf881385899fd39df13dce3", + "opcode": 1, + "original_file_name": "NET.exe", + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3608, + "ppid": 392, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "serial_event_id": 97, + "subtype": "create", + "timestamp": 131605904083494370, + "unique_pid": 750058, + "unique_ppid": 707545, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + "command_line": "C:\\Windows\\system32\\net1 localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3b6928bc39e5530cead1e99269e7b1ee", + "opcode": 1, + "original_file_name": "net1.exe", + "parent_process_name": "net.exe", + "parent_process_path": "C:\\Windows\\System32\\net.exe", + "pid": 1348, + "ppid": 3608, + "process_name": "net1.exe", + "process_path": "C:\\Windows\\System32\\net1.exe", + "serial_event_id": 98, + "subtype": "create", + "timestamp": 131605904083806370, + "unique_pid": 750059, + "unique_ppid": 750058, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 13728872, + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 1, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75273, + "subtype": "create", + "timestamp": 131762381484502110, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 2, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75303, + "subtype": "terminate", + "timestamp": 131762381493483680, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "opcode": 12, + "pid": 860, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75304, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 75273, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "mysterious_field": { + "num": 100, + "outer_cross_match": "s3-c-x-y", + "subarray": [ + { + "a": "s0-a", + "b": [ + "s0-b" + ], + "c": [ + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c0-x-z" + }, + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c1-x-z" + } + ], + "cross_match": "s0-c1-x-z" + }, + { + "a": "s1-a", + "b": [ + "s1-b" + ], + "c": [] + }, + { + "a": "s2-a", + "b": [ + "s2-b" + ], + "c": [] + }, + { + "a": "s3-a", + "b": [ + "s3-b" + ], + "c": [ + { + "x": { + "y": "s3-c-x-y" + }, + "z": "s3-c-x-z" + } + ] + } + ], + "this_is_for_testing_nested_data": "true" + }, + "opcode": 12, + "pid": 10000, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75305, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 99999, + "user_domain": "vagrant", + "user_name": "vagrant" + } +] From 09260e685f970ea46a7f4cc2702c45acb54e485b Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 19 Feb 2020 15:16:41 -0500 Subject: [PATCH 7/9] Convert EqlActionIT to parameterized test --- .../xpack/eql/action/EqlActionIT.java | 66 ++++++++++++++----- 1 file changed, 48 insertions(+), 18 deletions(-) diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java index f7c56811a38d2..9fe49106015a3 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.eql.action; +import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import org.elasticsearch.Build; @@ -15,8 +16,11 @@ import org.elasticsearch.action.support.WriteRequest; import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.search.SearchHit; +import org.junit.After; +import org.junit.Before; import org.junit.BeforeClass; +import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -24,19 +28,22 @@ public class EqlActionIT extends AbstractEqlIntegTestCase { + static final String indexPrefix = "endgame"; + static final String testIndexName = indexPrefix + "-1.4.0"; + protected static final String PARAM_FORMATTING = "%1$s.test"; + + @BeforeClass public static void checkForSnapshot() { assumeTrue("Only works on snapshot builds for now", Build.CURRENT.isSnapshot()); } - public void testEqlSearchAction() throws Exception { - final String indexPrefix = "endgame"; - final String testIndexName = indexPrefix + "-1.4.0"; - + @Before + public void setUpData() throws Exception { // Insert test data ObjectMapper mapper = new ObjectMapper(); BulkRequestBuilder bulkBuilder = client().prepareBulk(); - JsonNode rootNode = mapper.readTree(this.getClass().getResourceAsStream("/test_data.json")); + JsonNode rootNode = mapper.readTree(EqlActionIT.class.getResourceAsStream("/test_data.json")); Iterator entries = rootNode.elements(); while (entries.hasNext()) { JsonNode entry = entries.next(); @@ -46,12 +53,23 @@ public void testEqlSearchAction() throws Exception { assertThat(bulkResponse.hasFailures() ? bulkResponse.buildFailureMessage() : "", bulkResponse.hasFailures(), equalTo(false)); ensureYellow(testIndexName); + } + + @After + public void tearDownData() { + client().admin().indices().prepareDelete(testIndexName).get(); + } + + @ParametersFactory(shuffle = false, argumentFormatting = PARAM_FORMATTING) + public static List readTestSpecs() throws Exception { + List testSpecs = new ArrayList<>(); // Load EQL validation specs List specs = EqlSpecLoader.load("/test_queries.toml", true); List unsupportedSpecs = EqlSpecLoader.load("/test_queries_unsupported.toml", false); // Validate only currently supported specs + int num = 1; // Seq number of the test for (EqlSpec spec : specs) { boolean supported = true; // Check if spec is supported, simple iteration, cause the list is short. @@ -63,21 +81,33 @@ public void testEqlSearchAction() throws Exception { } if (supported) { - logger.info("execute: " + spec.query()); - EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) - .indices(testIndexName).rule(spec.query()).get(); + testSpecs.add(new Object[]{num++, spec}); + } + } + return testSpecs; + } - List events = response.hits().events(); - assertNotNull(events); + private final int num; + private final EqlSpec spec; - final int len = events.size(); - final long ids[] = new long[len]; - for (int i = 0; i < events.size(); i++) { - ids[i] = events.get(i).docId(); - } - final String msg = "unexpected result for spec: [" + spec.toString() + "]"; - assertArrayEquals(msg, spec.expectedEventIds(), ids); - } + public EqlActionIT(int num, EqlSpec spec) { + this.num = num; + this.spec = spec; + } + + public final void test() { + EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) + .indices(testIndexName).rule(spec.query()).get(); + + List events = response.hits().events(); + assertNotNull(events); + + final int len = events.size(); + final long ids[] = new long[len]; + for (int i = 0; i < events.size(); i++) { + ids[i] = events.get(i).docId(); } + final String msg = "unexpected result for spec: [" + spec.toString() + "]"; + assertArrayEquals(msg, spec.expectedEventIds(), ids); } } From 6db4617e64cb95d3616d0c98b6f3ae8eab4ccd3b Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Wed, 19 Feb 2020 22:11:47 -0500 Subject: [PATCH 8/9] Adjust the HL client test for a change in emulated EQL search response. The fake response change was done in order to test the EQL validation harness imlementation. This code will be replaced once we have the actualy EQL implementation wired. --- .../src/test/java/org/elasticsearch/client/EqlIT.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java index c887e5459bc80..8dff2b3fabd41 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java @@ -40,9 +40,9 @@ public void testBasicSearch() throws Exception { assertNotNull(response); assertFalse(response.isTimeout()); assertNotNull(response.hits()); - assertNull(response.hits().events()); + assertNull(response.hits().sequences()); assertNull(response.hits().counts()); - assertNotNull(response.hits().sequences()); - assertThat(response.hits().sequences().size(), equalTo(2)); + assertNotNull(response.hits().events()); + assertThat(response.hits().events().size(), equalTo(1)); } } From 384cfd8cd74817088c36c6f34d3d17f3d8d47843 Mon Sep 17 00:00:00 2001 From: Aleksandr Maus Date: Thu, 20 Feb 2020 10:03:05 -0500 Subject: [PATCH 9/9] Addressed Ross' remaining code review comment --- .../eql/src/test/resources/test_queries_unsupported.toml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml index 6a5071faae4a8..f8a96eaef12aa 100644 --- a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml +++ b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml @@ -3,6 +3,15 @@ # This file is expected to become empty once the feature parity is reached with the # official EQL implementation +# The query below is the first query from the test_queries.toml +# and is currently "emulated" as supported with the hardcoded response +# in order to allow at least one round-trip test with the test harness. +# This will be removed once the EQL implementation is wired and actually supports this query. + +# [[queries]] +# query = 'process where serial_event_id = 1' +# expected_event_ids = [1] + [[queries]] query = 'process where serial_event_id < 4' expected_event_ids = [1, 2, 3]