From f9f39214c2f0325e4dcf47e8a5f8ba3e234f1df3 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Thu, 3 Sep 2020 17:44:15 -0400 Subject: [PATCH 01/10] Moving generator to safe type version --- .../common/endpoint/generate_data.ts | 116 ++++++++++-------- .../endpoint/models/ecs_safety_helpers.ts | 4 +- .../common/endpoint/models/event.ts | 21 ++-- .../common/endpoint/types/index.ts | 87 ++++++++++++- .../routes/resolver/queries/alerts.ts | 6 +- .../endpoint/routes/resolver/queries/base.ts | 8 +- .../routes/resolver/queries/children.ts | 6 +- .../routes/resolver/queries/events.ts | 6 +- .../routes/resolver/queries/lifecycle.ts | 6 +- .../routes/resolver/queries/multi_searcher.ts | 6 +- .../endpoint/routes/resolver/queries/stats.ts | 4 +- .../resolver/utils/alerts_query_handler.ts | 4 +- .../resolver/utils/ancestry_query_handler.ts | 49 ++++---- .../resolver/utils/children_helper.test.ts | 10 +- .../routes/resolver/utils/children_helper.ts | 28 +++-- .../utils/children_lifecycle_query_handler.ts | 10 +- .../resolver/utils/children_pagination.ts | 7 +- .../endpoint/routes/resolver/utils/node.ts | 33 ++--- .../routes/resolver/utils/pagination.ts | 17 ++- 19 files changed, 272 insertions(+), 156 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts index 0955f196df176..bc691785f6213 100644 --- a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts +++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts @@ -7,7 +7,7 @@ import uuid from 'uuid'; import seedrandom from 'seedrandom'; import { AlertEvent, - EndpointEvent, + SafeResolverEvent, EndpointStatus, Host, HostMetadata, @@ -15,9 +15,10 @@ import { HostPolicyResponseActionStatus, OSFields, PolicyData, + SafeEndpointEvent, } from './types'; import { factory as policyFactory } from './models/policy_config'; -import { parentEntityId } from './models/event'; +import { ancestryArray, entityIDSafeVersion, parentEntityIDSafeVersion } from './models/event'; import { GetAgentPoliciesResponseItem, GetPackagesResponse, @@ -28,8 +29,9 @@ import { InstallationStatus, KibanaAssetReference, } from '../../../ingest_manager/common/types/models'; +import { firstNonNullValue } from './models/ecs_safety_helpers'; -export type Event = AlertEvent | EndpointEvent; +export type Event = AlertEvent | SafeEndpointEvent; /** * This value indicates the limit for the size of the ancestry array. The endpoint currently saves up to 20 values * in its messages. To simulate a limit on the array size I'm using 2 here so that we can't rely on there being a large @@ -426,13 +428,13 @@ export class EndpointDocGenerator { * @param ts - Timestamp to put in the event * @param entityID - entityID of the originating process * @param parentEntityID - optional entityID of the parent process, if it exists - * @param ancestryArray - an array of ancestors for the generated alert + * @param ancestry - an array of ancestors for the generated alert */ public generateAlert( ts = new Date().getTime(), entityID = this.randomString(10), parentEntityID?: string, - ancestryArray: string[] = [] + ancestry: string[] = [] ): AlertEvent { return { ...this.commonInfo, @@ -493,7 +495,7 @@ export class EndpointDocGenerator { sha256: 'fake sha256', }, Ext: { - ancestry: ancestryArray, + ancestry, code_signature: [ { trusted: false, @@ -555,7 +557,7 @@ export class EndpointDocGenerator { * Creates an event, customized by the options parameter * @param options - Allows event field values to be specified */ - public generateEvent(options: EventOptions = {}): EndpointEvent { + public generateEvent(options: EventOptions = {}): Event { // this will default to an empty array for the ancestry field if options.ancestry isn't included const ancestry: string[] = options.ancestry?.slice(0, options?.ancestryArrayLimit ?? ANCESTRY_LIMIT) ?? []; @@ -643,7 +645,11 @@ export class EndpointDocGenerator { public generateTree(options: TreeOptions = {}): Tree { const optionsWithDef = getTreeOptionsWithDef(options); const addEventToMap = (nodeMap: Map, event: Event) => { - const nodeId = event.process.entity_id; + const nodeId = entityIDSafeVersion(event); + if (!nodeId) { + return nodeMap; + } + // if a node already exists for the entity_id we'll use that one, otherwise let's create a new empty node // and add the event to the right array. let node = nodeMap.get(nodeId); @@ -652,18 +658,13 @@ export class EndpointDocGenerator { } // place the event in the right array depending on its category - if (event.event.kind === 'event') { - if ( - (Array.isArray(event.event.category) && - event.event.category.length === 1 && - event.event.category[0] === 'process') || - event.event.category === 'process' - ) { + if (firstNonNullValue(event.event?.kind) === 'event') { + if (firstNonNullValue(event.event?.category) === 'process') { node.lifecycle.push(event); } else { node.relatedEvents.push(event); } - } else if (event.event.kind === 'alert') { + } else if (firstNonNullValue(event.event?.kind) === 'alert') { node.relatedAlerts.push(event); } @@ -673,7 +674,7 @@ export class EndpointDocGenerator { const groupNodesByParent = (children: Map) => { const nodesByParent: Map> = new Map(); for (const node of children.values()) { - const parentID = parentEntityId(node.lifecycle[0]); + const parentID = parentEntityIDSafeVersion(node.lifecycle[0]); if (parentID) { let groupedNodes = nodesByParent.get(parentID); @@ -715,9 +716,13 @@ export class EndpointDocGenerator { const ancestryNodes: Map = ancestry.reduce(addEventToMap, new Map()); const alert = ancestry[ancestry.length - 1]; - const origin = ancestryNodes.get(alert.process.entity_id); + const alertEntityID = entityIDSafeVersion(alert); + if (!alertEntityID) { + throw Error("could not find the originating alert's entity id"); + } + const origin = ancestryNodes.get(alertEntityID); if (!origin) { - throw Error(`could not find origin while building tree: ${alert.process.entity_id}`); + throw Error(`could not find origin while building tree: ${alertEntityID}`); } const children = Array.from(this.descendantsTreeGenerator(alert, optionsWithDef)); @@ -799,7 +804,7 @@ export class EndpointDocGenerator { }); events.push(root); let ancestor = root; - let timestamp = root['@timestamp'] + 1000; + let timestamp = (firstNonNullValue(root['@timestamp']) ?? 0) + 1000; const addRelatedAlerts = ( node: Event, @@ -836,8 +841,8 @@ export class EndpointDocGenerator { events.push( this.generateEvent({ timestamp: timestamp + termProcessDuration * 1000, - entityID: root.process.entity_id, - parentEntityID: root.process.parent?.entity_id, + entityID: entityIDSafeVersion(root), + parentEntityID: parentEntityIDSafeVersion(root), eventCategory: ['process'], eventType: ['end'], }) @@ -845,13 +850,20 @@ export class EndpointDocGenerator { } for (let i = 0; i < opts.ancestors; i++) { + const ancestorEntityID = entityIDSafeVersion(ancestor); + const ancestry: string[] = []; + if (ancestorEntityID) { + ancestry.push(ancestorEntityID); + } + + ancestry.push(...(ancestryArray(ancestor) ?? [])); ancestor = this.generateEvent({ timestamp, - parentEntityID: ancestor.process.entity_id, + parentEntityID: entityIDSafeVersion(ancestor), // add the parent to the ancestry array - ancestry: [ancestor.process.entity_id, ...(ancestor.process.Ext?.ancestry ?? [])], + ancestry, ancestryArrayLimit: opts.ancestryArraySize, - parentPid: ancestor.process.pid, + parentPid: firstNonNullValue(ancestor.process?.pid), pid: this.randomN(5000), }); events.push(ancestor); @@ -862,11 +874,11 @@ export class EndpointDocGenerator { events.push( this.generateEvent({ timestamp: timestamp + termProcessDuration * 1000, - entityID: ancestor.process.entity_id, - parentEntityID: ancestor.process.parent?.entity_id, + entityID: entityIDSafeVersion(ancestor), + parentEntityID: parentEntityIDSafeVersion(ancestor), eventCategory: ['process'], eventType: ['end'], - ancestry: ancestor.process.Ext?.ancestry, + ancestry: ancestryArray(ancestor), ancestryArrayLimit: opts.ancestryArraySize, }) ); @@ -890,9 +902,9 @@ export class EndpointDocGenerator { events.push( this.generateAlert( timestamp, - ancestor.process.entity_id, - ancestor.process.parent?.entity_id, - ancestor.process.Ext?.ancestry + entityIDSafeVersion(ancestor), + parentEntityIDSafeVersion(ancestor), + ancestryArray(ancestor) ) ); return events; @@ -922,7 +934,7 @@ export class EndpointDocGenerator { maxChildren, }; const lineage: NodeState[] = [rootState]; - let timestamp = root['@timestamp']; + let timestamp = firstNonNullValue(root['@timestamp']) ?? 0; while (lineage.length > 0) { const currentState = lineage[lineage.length - 1]; // If we get to a state node and it has made all the children, move back up a level @@ -937,13 +949,17 @@ export class EndpointDocGenerator { // Otherwise, add a child and any nodes associated with it currentState.childrenCreated++; timestamp = timestamp + 1000; + const currentStateEntityID = entityIDSafeVersion(currentState.event); + const ancestry: string[] = []; + if (currentStateEntityID) { + ancestry.push(currentStateEntityID); + } + ancestry.push(...(ancestryArray(currentState.event) ?? [])); + const child = this.generateEvent({ timestamp, - parentEntityID: currentState.event.process.entity_id, - ancestry: [ - currentState.event.process.entity_id, - ...(currentState.event.process.Ext?.ancestry ?? []), - ], + parentEntityID: currentStateEntityID, + ancestry, ancestryArrayLimit: opts.ancestryArraySize, }); @@ -962,11 +978,11 @@ export class EndpointDocGenerator { processDuration = this.randomN(1000000); // This lets termination events be up to 1 million seconds after the creation event (~11 days) yield this.generateEvent({ timestamp: timestamp + processDuration * 1000, - entityID: child.process.entity_id, - parentEntityID: child.process.parent?.entity_id, + entityID: entityIDSafeVersion(child), + parentEntityID: parentEntityIDSafeVersion(child), eventCategory: ['process'], eventType: ['end'], - ancestry: child.process.Ext?.ancestry, + ancestry, ancestryArrayLimit: opts.ancestryArraySize, }); } @@ -998,7 +1014,8 @@ export class EndpointDocGenerator { ordered: boolean = false ) { let relatedEventsInfo: RelatedEventInfo[]; - let ts = node['@timestamp'] + 1; + const nodeTimestamp = firstNonNullValue(node['@timestamp']) ?? 0; + let ts = nodeTimestamp + 1; if (typeof relatedEvents === 'number') { relatedEventsInfo = [{ category: RelatedEventCategory.Random, count: relatedEvents }]; } else { @@ -1017,16 +1034,16 @@ export class EndpointDocGenerator { if (ordered) { ts += this.randomN(processDuration) * 1000; } else { - ts = node['@timestamp'] + this.randomN(processDuration) * 1000; + ts = nodeTimestamp + this.randomN(processDuration) * 1000; } yield this.generateEvent({ timestamp: ts, - entityID: node.process.entity_id, - parentEntityID: node.process.parent?.entity_id, + entityID: entityIDSafeVersion(node), + parentEntityID: parentEntityIDSafeVersion(node), eventCategory: eventInfo.category, eventType: eventInfo.creationType, - ancestry: node.process.Ext?.ancestry, + ancestry: ancestryArray(node), }); } } @@ -1044,12 +1061,13 @@ export class EndpointDocGenerator { alertCreationTime: number = 6 * 3600 ) { for (let i = 0; i < relatedAlerts; i++) { - const ts = node['@timestamp'] + this.randomN(alertCreationTime) * 1000; + const ts = + (firstNonNullValue(node['@timestamp']) ?? 0) + this.randomN(alertCreationTime) * 1000; yield this.generateAlert( ts, - node.process.entity_id, - node.process.parent?.entity_id, - node.process.Ext?.ancestry + entityIDSafeVersion(node), + parentEntityIDSafeVersion(node), + ancestryArray(node) ); } } diff --git a/x-pack/plugins/security_solution/common/endpoint/models/ecs_safety_helpers.ts b/x-pack/plugins/security_solution/common/endpoint/models/ecs_safety_helpers.ts index 8b419e90a6ee9..5dc75bb707d0e 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/ecs_safety_helpers.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/ecs_safety_helpers.ts @@ -46,12 +46,12 @@ export function values(valueOrCollection: ECSField): T[] { if (Array.isArray(valueOrCollection)) { const nonNullValues: T[] = []; for (const value of valueOrCollection) { - if (value !== null) { + if (value !== null && value !== undefined) { nonNullValues.push(value); } } return nonNullValues; - } else if (valueOrCollection !== null) { + } else if (valueOrCollection !== null && valueOrCollection !== undefined) { // if there is a single non-null value, wrap it in an array and return it. return [valueOrCollection]; } else { diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts index a0e9be58911c6..38d1fba94ce4c 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts @@ -9,7 +9,7 @@ import { SafeResolverEvent, SafeLegacyEndpointEvent, } from '../types'; -import { firstNonNullValue } from './ecs_safety_helpers'; +import { firstNonNullValue, values } from './ecs_safety_helpers'; /* * Determine if a `ResolverEvent` is the legacy variety. Can be used to narrow `ResolverEvent` to `LegacyEndpointEvent`. @@ -105,14 +105,7 @@ export function eventId(event: ResolverEvent): number | undefined | string { return event.event.id; } -export function eventSequence(event: ResolverEvent): number | undefined { - if (isLegacyEvent(event)) { - return firstNonNullValue(event.endgame.serial_event_id); - } - return firstNonNullValue(event.event?.sequence); -} - -export function eventSequenceSafeVersion(event: SafeResolverEvent): number | undefined { +export function eventSequence(event: SafeResolverEvent): number | undefined { if (isLegacyEventSafeVersion(event)) { return firstNonNullValue(event.endgame.serial_event_id); } @@ -156,16 +149,16 @@ export function parentEntityIDSafeVersion(event: SafeResolverEvent): string | un return firstNonNullValue(event.process?.parent?.entity_id); } -export function ancestryArray(event: ResolverEvent): string[] | undefined { - if (isLegacyEvent(event)) { +export function ancestryArray(event: SafeResolverEvent): string[] | undefined { + if (isLegacyEventSafeVersion(event)) { return undefined; } // this is to guard against the endpoint accidentally not sending the ancestry array // otherwise the request will fail when really we should just try using the parent entity id - return event.process.Ext?.ancestry; + return values(event.process?.Ext?.ancestry); } -export function getAncestryAsArray(event: ResolverEvent | undefined): string[] { +export function getAncestryAsArray(event: SafeResolverEvent | undefined): string[] { if (!event) { return []; } @@ -175,7 +168,7 @@ export function getAncestryAsArray(event: ResolverEvent | undefined): string[] { return ancestors; } - const parentID = parentEntityId(event); + const parentID = parentEntityIDSafeVersion(event); if (parentID) { return [parentID]; } diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts index 8e507cbc921a2..55b6f2a041813 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts @@ -112,6 +112,27 @@ export interface ResolverChildNode extends ResolverLifecycleNode { nextChild?: string | null; } +/** + * Safe version of `ResolverChildNode`. + */ +export interface SafeResolverChildNode extends SafeResolverLifecycleNode { + /** + * nextChild can have 3 different states: + * + * undefined: This indicates that you should not use this node for additional queries. It does not mean that node does + * not have any more direct children. The node could have more direct children but to determine that, use the + * ResolverChildren node's nextChild. + * + * null: Indicates that we have received all the children of the node. There may be more descendants though. + * + * string: Indicates this is a leaf node and it can be used to continue querying for additional descendants + * using this node's entity_id + * + * For more information see the resolver docs on pagination [here](../../server/endpoint/routes/resolver/docs/README.md#L129) + */ + nextChild?: string | null; +} + /** * The response structure for the children route. The structure is an array of nodes where each node * has an array of lifecycle events. @@ -131,6 +152,24 @@ export interface ResolverChildren { nextChild: string | null; } +/** + * Safe version of `ResolverChildren`. + */ +export interface SafeResolverChildren { + childNodes: SafeResolverChildNode[]; + /** + * nextChild can have 2 different states: + * + * null: Indicates that we have received all the descendants that can be retrieved using this node. To retrieve more + * nodes in the tree use a cursor provided in one of the returned children. If no other cursor exists then the tree + * is complete. + * + * string: Indicates this node has more descendants that can be retrieved, pass this cursor in while using this node's + * entity_id for the request. + */ + nextChild: string | null; +} + /** * A flattened tree representing the nodes in a resolver graph. */ @@ -148,6 +187,23 @@ export interface ResolverTree { stats: ResolverNodeStats; } +/** + * Safe version of `ResolverTree`. + */ +export interface SafeResolverTree { + /** + * Origin of the tree. This is in the middle of the tree. Typically this would be the same + * process node that generated an alert. + */ + entityID: string; + children: ResolverChildren; + relatedEvents: Omit; + relatedAlerts: Omit; + ancestry: ResolverAncestry; + lifecycle: ResolverEvent[]; + stats: ResolverNodeStats; +} + /** * The lifecycle events (start, end etc) for a node. */ @@ -160,6 +216,18 @@ export interface ResolverLifecycleNode { stats?: ResolverNodeStats; } +/** + * Safe version of `ResolverLifecycleNode`. + */ +export interface SafeResolverLifecycleNode { + entityID: string; + lifecycle: SafeResolverEvent[]; + /** + * stats are only set when the entire tree is being fetched + */ + stats?: ResolverNodeStats; +} + /** * The response structure when searching for ancestors of a node. */ @@ -175,6 +243,21 @@ export interface ResolverAncestry { nextAncestor: string | null; } +/** + * Safe version of `ResolverAncestry`. + */ +export interface SafeResolverAncestry { + /** + * An array of ancestors with the lifecycle events grouped together + */ + ancestors: SafeResolverLifecycleNode[]; + /** + * A cursor for retrieving additional ancestors for a particular node. `null` indicates that there were no additional + * ancestors when the request returned. More could have been ingested by ES after the fact though. + */ + nextAncestor: string | null; +} + /** * Response structure for the related events route. */ @@ -198,7 +281,7 @@ export interface SafeResolverRelatedEvents { */ export interface ResolverRelatedAlerts { entityID: string; - alerts: ResolverEvent[]; + alerts: SafeResolverEvent[]; nextAlert: string | null; } @@ -578,7 +661,7 @@ export type ResolverEvent = EndpointEvent | LegacyEndpointEvent; * All mappings in Elasticsearch support arrays. They can also return null values or be missing. For example, a `keyword` mapping could return `null` or `[null]` or `[]` or `'hi'`, or `['hi', 'there']`. We need to handle these cases in order to avoid throwing an error. * When dealing with an value that comes from ES, wrap the underlying type in `ECSField`. For example, if you have a `keyword` or `text` value coming from ES, cast it to `ECSField`. */ -export type ECSField = T | null | Array; +export type ECSField = T | null | undefined | Array; /** * A more conservative version of `ResolverEvent` that treats fields as optional and use `ECSField` to type all ECS fields. diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/alerts.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/alerts.ts index 54c6cf432aa89..8f68cba893108 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/alerts.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/alerts.ts @@ -5,7 +5,7 @@ */ import { SearchResponse } from 'elasticsearch'; import { esKuery } from '../../../../../../../../src/plugins/data/server'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { ResolverQuery } from './base'; import { PaginationBuilder } from '../utils/pagination'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; @@ -13,7 +13,7 @@ import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/com /** * Builds a query for retrieving alerts for a node. */ -export class AlertsQuery extends ResolverQuery { +export class AlertsQuery extends ResolverQuery { private readonly kqlQuery: JsonObject[] = []; constructor( private readonly pagination: PaginationBuilder, @@ -68,7 +68,7 @@ export class AlertsQuery extends ResolverQuery { }; } - formatResponse(response: SearchResponse): ResolverEvent[] { + formatResponse(response: SearchResponse): SafeResolverEvent[] { return this.getResults(response); } } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/base.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/base.ts index 0d8a42d7a26f3..a2bdf358745c2 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/base.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/base.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; import { legacyEventIndexPattern } from './legacy_event_index_pattern'; import { MSearchQuery } from './multi_searcher'; @@ -19,7 +19,7 @@ import { MSearchQuery } from './multi_searcher'; * @param R the is the type after transforming ES's response. Making this definable let's us set whether it is a resolver event * or something else. */ -export abstract class ResolverQuery implements MSearchQuery { +export abstract class ResolverQuery implements MSearchQuery { /** * * @param indexPattern the index pattern to use in the query for finding indices with documents in ES. @@ -77,7 +77,7 @@ export abstract class ResolverQuery implements MSearchQuer * @param ids a single more multiple unique node ids (e.g. entity_id or unique_pid) */ async searchAndFormat(client: ILegacyScopedClusterClient, ids: string | string[]): Promise { - const res: SearchResponse = await this.search(client, ids); + const res: SearchResponse = await this.search(client, ids); return this.formatResponse(res); } @@ -113,5 +113,5 @@ export abstract class ResolverQuery implements MSearchQuer * @param response a SearchResponse from ES resulting from executing this query * @returns the translated ES response into a structured object */ - public abstract formatResponse(response: SearchResponse): T; + public abstract formatResponse(response: SearchResponse): T; } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts index 6fb38a32f9581..8c7daf9451217 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/children.ts @@ -4,7 +4,7 @@ * you may not use this file except in compliance with the Elastic License. */ import { SearchResponse } from 'elasticsearch'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { ResolverQuery } from './base'; import { ChildrenPaginationBuilder } from '../utils/children_pagination'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; @@ -12,7 +12,7 @@ import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/com /** * Builds a query for retrieving descendants of a node. */ -export class ChildrenQuery extends ResolverQuery { +export class ChildrenQuery extends ResolverQuery { constructor( private readonly pagination: ChildrenPaginationBuilder, indexPattern: string | string[], @@ -126,7 +126,7 @@ export class ChildrenQuery extends ResolverQuery { }; } - formatResponse(response: SearchResponse): ResolverEvent[] { + formatResponse(response: SearchResponse): SafeResolverEvent[] { return this.getResults(response); } } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/events.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/events.ts index 0969a3c360e4a..bd054d548a93a 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/events.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/events.ts @@ -5,7 +5,7 @@ */ import { SearchResponse } from 'elasticsearch'; import { esKuery } from '../../../../../../../../src/plugins/data/server'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { ResolverQuery } from './base'; import { PaginationBuilder } from '../utils/pagination'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; @@ -13,7 +13,7 @@ import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/com /** * Builds a query for retrieving related events for a node. */ -export class EventsQuery extends ResolverQuery { +export class EventsQuery extends ResolverQuery { private readonly kqlQuery: JsonObject[] = []; constructor( @@ -83,7 +83,7 @@ export class EventsQuery extends ResolverQuery { }; } - formatResponse(response: SearchResponse): ResolverEvent[] { + formatResponse(response: SearchResponse): SafeResolverEvent[] { return this.getResults(response); } } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/lifecycle.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/lifecycle.ts index 0b5728958e91f..ecbc5d8344928 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/lifecycle.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/lifecycle.ts @@ -6,12 +6,12 @@ import { SearchResponse } from 'elasticsearch'; import { ResolverQuery } from './base'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; /** * Builds a query for retrieving life cycle information about a node (start, stop, etc). */ -export class LifecycleQuery extends ResolverQuery { +export class LifecycleQuery extends ResolverQuery { protected legacyQuery(endpointID: string, uniquePIDs: string[]): JsonObject { return { query: { @@ -59,7 +59,7 @@ export class LifecycleQuery extends ResolverQuery { }; } - formatResponse(response: SearchResponse): ResolverEvent[] { + formatResponse(response: SearchResponse): SafeResolverEvent[] { return this.getResults(response); } } diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/multi_searcher.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/multi_searcher.ts index 02dbd92d9252b..76203973a6211 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/multi_searcher.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/multi_searcher.ts @@ -6,7 +6,7 @@ import { ILegacyScopedClusterClient } from 'kibana/server'; import { MSearchResponse, SearchResponse } from 'elasticsearch'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; /** @@ -37,7 +37,7 @@ export interface QueryInfo { /** * a function to handle the response */ - handler: (response: SearchResponse) => void; + handler: (response: SearchResponse) => void; } /** @@ -65,7 +65,7 @@ export class MultiSearcher { for (const info of queries) { searchQuery.push(...info.query.buildMSearch(info.ids)); } - const res: MSearchResponse = await this.client.callAsCurrentUser('msearch', { + const res: MSearchResponse = await this.client.callAsCurrentUser('msearch', { body: searchQuery, }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/stats.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/stats.ts index b8fa409e2ca21..50e56258b7448 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/stats.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/queries/stats.ts @@ -5,7 +5,7 @@ */ import { SearchResponse } from 'elasticsearch'; import { ResolverQuery } from './base'; -import { ResolverEvent, EventStats } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent, EventStats } from '../../../../../common/endpoint/types'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; export interface StatsResult { @@ -185,7 +185,7 @@ export class StatsQuery extends ResolverQuery { }; } - public formatResponse(response: SearchResponse): StatsResult { + public formatResponse(response: SearchResponse): StatsResult { let alerts: Record = {}; if (response.aggregations?.alerts?.ids?.buckets) { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/alerts_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/alerts_query_handler.ts index efffbc10473d4..f34218ddbde9b 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/alerts_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/alerts_query_handler.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverRelatedAlerts, ResolverEvent } from '../../../../../common/endpoint/types'; +import { ResolverRelatedAlerts, SafeResolverEvent } from '../../../../../common/endpoint/types'; import { createRelatedAlerts } from './node'; import { AlertsQuery } from '../queries/alerts'; import { PaginationBuilder } from './pagination'; @@ -45,7 +45,7 @@ export class RelatedAlertsQueryHandler implements SingleQueryHandler) => { + private handleResponse = (response: SearchResponse) => { const results = this.query.formatResponse(response); this.relatedAlerts = createRelatedAlerts( this.entityID, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/ancestry_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/ancestry_query_handler.ts index 7dd47658bc4c1..b796913118c99 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/ancestry_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/ancestry_query_handler.ts @@ -7,14 +7,14 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; import { - parentEntityId, - entityId, + parentEntityIDSafeVersion, + entityIDSafeVersion, getAncestryAsArray, } from '../../../../../common/endpoint/models/event'; import { - ResolverAncestry, - ResolverEvent, - ResolverLifecycleNode, + SafeResolverAncestry, + SafeResolverEvent, + SafeResolverLifecycleNode, } from '../../../../../common/endpoint/types'; import { createAncestry, createLifecycle } from './node'; import { LifecycleQuery } from '../queries/lifecycle'; @@ -24,8 +24,8 @@ import { QueryHandler } from './fetch'; /** * Retrieve the ancestry portion of a resolver tree. */ -export class AncestryQueryHandler implements QueryHandler { - private readonly ancestry: ResolverAncestry = createAncestry(); +export class AncestryQueryHandler implements QueryHandler { + private readonly ancestry: SafeResolverAncestry = createAncestry(); private ancestorsToFind: string[]; private readonly query: LifecycleQuery; @@ -33,7 +33,7 @@ export class AncestryQueryHandler implements QueryHandler { private levels: number, indexPattern: string, legacyEndpointID: string | undefined, - originNode: ResolverLifecycleNode | undefined + originNode: SafeResolverLifecycleNode | undefined ) { this.ancestorsToFind = getAncestryAsArray(originNode?.lifecycle[0]).slice(0, levels); this.query = new LifecycleQuery(indexPattern, legacyEndpointID); @@ -41,21 +41,28 @@ export class AncestryQueryHandler implements QueryHandler { // add the origin node to the response if it exists if (originNode) { this.ancestry.ancestors.push(originNode); - this.ancestry.nextAncestor = parentEntityId(originNode.lifecycle[0]) || null; + this.ancestry.nextAncestor = parentEntityIDSafeVersion(originNode.lifecycle[0]) || null; } } - private toMapOfNodes(results: ResolverEvent[]) { - return results.reduce((nodes: Map, event: ResolverEvent) => { - const nodeId = entityId(event); - let node = nodes.get(nodeId); - if (!node) { - node = createLifecycle(nodeId, []); - } + private toMapOfNodes(results: SafeResolverEvent[]) { + return results.reduce( + (nodes: Map, event: SafeResolverEvent) => { + const nodeId = entityIDSafeVersion(event); + if (!nodeId) { + return nodes; + } + + let node = nodes.get(nodeId); + if (!node) { + node = createLifecycle(nodeId, []); + } - node.lifecycle.push(event); - return nodes.set(nodeId, node); - }, new Map()); + node.lifecycle.push(event); + return nodes.set(nodeId, node); + }, + new Map() + ); } private setNoMore() { @@ -64,7 +71,7 @@ export class AncestryQueryHandler implements QueryHandler { this.levels = 0; } - private handleResponse = (searchResp: SearchResponse) => { + private handleResponse = (searchResp: SearchResponse) => { const results = this.query.formatResponse(searchResp); if (results.length === 0) { this.setNoMore(); @@ -97,7 +104,7 @@ export class AncestryQueryHandler implements QueryHandler { * Hence: [D, E, B, C, A] */ this.ancestry.ancestors.push(...ancestryNodes.values()); - this.ancestry.nextAncestor = parentEntityId(results[0]) || null; + this.ancestry.nextAncestor = parentEntityIDSafeVersion(results[0]) || null; this.levels = this.levels - ancestryNodes.size; // the results come back in ascending order on timestamp so the first entry in the // results should be the further ancestor (most distant grandparent) diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts index 78e4219aad75c..b490589ee9e78 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts @@ -10,7 +10,7 @@ import { TreeNode, } from '../../../../../common/endpoint/generate_data'; import { ChildrenNodesHelper } from './children_helper'; -import { eventId, isProcessRunning } from '../../../../../common/endpoint/models/event'; +import { eventIDSafeVersion, isProcessRunning } from '../../../../../common/endpoint/models/event'; function getStartEvents(events: Event[]): Event[] { const startEvents: Event[] = []; @@ -179,7 +179,9 @@ describe('Children helper', () => { childrenNodes.childNodes.forEach((node) => { node.lifecycle.forEach((event) => { - expect(childrenEvents.find((child) => child.event.id === eventId(event))).toEqual(event); + expect( + childrenEvents.find((child) => child.event.id === eventIDSafeVersion(event)) + ).toEqual(event); }); }); }); @@ -191,7 +193,9 @@ describe('Children helper', () => { const childrenNodes = helper.getNodes(); childrenNodes.childNodes.forEach((node) => { node.lifecycle.forEach((event) => { - expect(childrenEvents.find((child) => child.event.id === eventId(event))).toEqual(event); + expect( + childrenEvents.find((child) => child.event.id === eventIDSafeVersion(event)) + ).toEqual(event); }); }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts index b82b972b887b5..0449e1152381a 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts @@ -9,11 +9,12 @@ import { parentEntityId, isProcessRunning, getAncestryAsArray, + entityIDSafeVersion, } from '../../../../../common/endpoint/models/event'; import { - ResolverChildNode, - ResolverEvent, - ResolverChildren, + SafeResolverChildren, + SafeResolverChildNode, + SafeResolverEvent, } from '../../../../../common/endpoint/types'; import { createChild } from './node'; import { ChildrenPaginationBuilder } from './children_pagination'; @@ -22,7 +23,7 @@ import { ChildrenPaginationBuilder } from './children_pagination'; * This class helps construct the children structure when building a resolver tree. */ export class ChildrenNodesHelper { - private readonly entityToNodeCache: Map = new Map(); + private readonly entityToNodeCache: Map = new Map(); constructor(private readonly rootID: string, private readonly limit: number) { this.entityToNodeCache.set(rootID, createChild(rootID)); @@ -31,8 +32,8 @@ export class ChildrenNodesHelper { /** * Constructs a ResolverChildren response based on the children that were previously add. */ - getNodes(): ResolverChildren { - const cacheCopy: Map = new Map(this.entityToNodeCache); + getNodes(): SafeResolverChildren { + const cacheCopy: Map = new Map(this.entityToNodeCache); const rootNode = cacheCopy.get(this.rootID); let rootNextChild = null; @@ -51,7 +52,7 @@ export class ChildrenNodesHelper { * Get the entity_ids of the nodes that are cached. */ getEntityIDs(): string[] { - const cacheCopy: Map = new Map(this.entityToNodeCache); + const cacheCopy: Map = new Map(this.entityToNodeCache); cacheCopy.delete(this.rootID); return Array.from(cacheCopy.keys()); } @@ -69,9 +70,9 @@ export class ChildrenNodesHelper { * * @param lifecycle an array of resolver lifecycle events for different process nodes returned from ES. */ - addLifecycleEvents(lifecycle: ResolverEvent[]) { + addLifecycleEvents(lifecycle: SafeResolverEvent[]) { for (const event of lifecycle) { - const entityID = entityId(event); + const entityID = entityIDSafeVersion(event); if (entityID) { const cachedChild = this.getOrCreateChildNode(entityID); cachedChild.lifecycle.push(event); @@ -86,12 +87,15 @@ export class ChildrenNodesHelper { * @param queriedNodes the entity_ids of the nodes that returned these start events * @param startEvents an array of start events returned by ES */ - addStartEvents(queriedNodes: Set, startEvents: ResolverEvent[]): Set | undefined { + addStartEvents( + queriedNodes: Set, + startEvents: SafeResolverEvent[] + ): Set | undefined { let largestAncestryArray = 0; const nodesToQueryNext: Map> = new Map(); - const nonLeafNodes: Set = new Set(); + const nonLeafNodes: Set = new Set(); - const isDistantGrandchild = (event: ResolverEvent) => { + const isDistantGrandchild = (event: SafeResolverEvent) => { const ancestry = getAncestryAsArray(event); return ancestry.length > 0 && queriedNodes.has(ancestry[ancestry.length - 1]); }; diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_lifecycle_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_lifecycle_query_handler.ts index ab610dc9776ca..f9f73c2ad75ff 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_lifecycle_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_lifecycle_query_handler.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverEvent, ResolverChildren } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent, SafeResolverChildren } from '../../../../../common/endpoint/types'; import { LifecycleQuery } from '../queries/lifecycle'; import { QueryInfo } from '../queries/multi_searcher'; import { SingleQueryHandler } from './fetch'; @@ -16,8 +16,8 @@ import { createChildren } from './node'; /** * Returns the children of a resolver tree. */ -export class ChildrenLifecycleQueryHandler implements SingleQueryHandler { - private lifecycle: ResolverChildren | undefined; +export class ChildrenLifecycleQueryHandler implements SingleQueryHandler { + private lifecycle: SafeResolverChildren | undefined; private readonly query: LifecycleQuery; constructor( private readonly childrenHelper: ChildrenNodesHelper, @@ -27,7 +27,7 @@ export class ChildrenLifecycleQueryHandler implements SingleQueryHandler) => { + private handleResponse = (response: SearchResponse) => { this.childrenHelper.addLifecycleEvents(this.query.formatResponse(response)); this.lifecycle = this.childrenHelper.getNodes(); }; @@ -50,7 +50,7 @@ export class ChildrenLifecycleQueryHandler implements SingleQueryHandler 0) { return PaginationBuilder.buildCursor(results); } From 3216705254c38b05980dd59cfaf69e51e7a1c058 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Fri, 4 Sep 2020 16:30:18 -0400 Subject: [PATCH 02/10] Finished generator and alert --- .../common/endpoint/generate_data.test.ts | 136 +- .../common/endpoint/generate_data.ts | 17 +- .../common/endpoint/index_data.ts | 2 +- .../common/endpoint/models/event.test.ts | 35 +- .../common/endpoint/models/event.ts | 30 +- .../common/endpoint/types/index.ts | 242 +- .../resolver/utils/children_helper.test.ts | 4 +- .../routes/resolver/utils/children_helper.ts | 9 +- .../resolver/utils/children_pagination.ts | 5 +- .../utils/children_start_query_handler.ts | 4 +- .../resolver/utils/events_query_handler.ts | 8 +- .../endpoint/routes/resolver/utils/fetch.ts | 16 +- .../resolver/utils/lifecycle_query_handler.ts | 10 +- .../routes/resolver/utils/pagination.test.ts | 10 +- .../routes/resolver/utils/pagination.ts | 8 +- .../routes/resolver/utils/tree.test.ts | 24 +- .../endpoint/routes/resolver/utils/tree.ts | 28 +- .../endpoint/resolver/api_feature/data.json | 15462 ++++++++++++++++ .../resolver/api_feature/data.json.gz | Bin 18309 -> 0 bytes .../apis/resolver/alerts.ts | 19 +- .../apis/resolver/common.ts | 37 +- 21 files changed, 15790 insertions(+), 316 deletions(-) create mode 100644 x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json delete mode 100644 x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts index be3a1e82356c8..08ad9c6bafdf8 100644 --- a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts @@ -13,6 +13,12 @@ import { ECSCategory, ANCESTRY_LIMIT, } from './generate_data'; +import { firstNonNullValue, values } from './models/ecs_safety_helpers'; +import { + entityIDSafeVersion, + parentEntityIDSafeVersion, + timestampSafeVersion, +} from './models/event'; interface Node { events: Event[]; @@ -30,7 +36,7 @@ describe('data generator', () => { const event1 = generator.generateEvent(); const event2 = generator.generateEvent(); - expect(event2.event.sequence).toBe(event1.event.sequence + 1); + expect(event2.event?.sequence).toBe((firstNonNullValue(event1.event?.sequence) ?? 0) + 1); }); it('creates the same documents with same random seed', () => { @@ -76,37 +82,37 @@ describe('data generator', () => { const timestamp = new Date().getTime(); const alert = generator.generateAlert(timestamp); expect(alert['@timestamp']).toEqual(timestamp); - expect(alert.event.action).not.toBeNull(); + expect(alert.event?.action).not.toBeNull(); expect(alert.Endpoint).not.toBeNull(); expect(alert.agent).not.toBeNull(); expect(alert.host).not.toBeNull(); - expect(alert.process.entity_id).not.toBeNull(); + expect(alert.process?.entity_id).not.toBeNull(); }); it('creates process event documents', () => { const timestamp = new Date().getTime(); const processEvent = generator.generateEvent({ timestamp }); expect(processEvent['@timestamp']).toEqual(timestamp); - expect(processEvent.event.category).toEqual(['process']); - expect(processEvent.event.kind).toEqual('event'); - expect(processEvent.event.type).toEqual(['start']); + expect(processEvent.event?.category).toEqual(['process']); + expect(processEvent.event?.kind).toEqual('event'); + expect(processEvent.event?.type).toEqual(['start']); expect(processEvent.agent).not.toBeNull(); expect(processEvent.host).not.toBeNull(); - expect(processEvent.process.entity_id).not.toBeNull(); - expect(processEvent.process.name).not.toBeNull(); + expect(processEvent.process?.entity_id).not.toBeNull(); + expect(processEvent.process?.name).not.toBeNull(); }); it('creates other event documents', () => { const timestamp = new Date().getTime(); const processEvent = generator.generateEvent({ timestamp, eventCategory: 'dns' }); expect(processEvent['@timestamp']).toEqual(timestamp); - expect(processEvent.event.category).toEqual('dns'); - expect(processEvent.event.kind).toEqual('event'); - expect(processEvent.event.type).toEqual(['start']); + expect(processEvent.event?.category).toEqual('dns'); + expect(processEvent.event?.kind).toEqual('event'); + expect(processEvent.event?.type).toEqual(['start']); expect(processEvent.agent).not.toBeNull(); expect(processEvent.host).not.toBeNull(); - expect(processEvent.process.entity_id).not.toBeNull(); - expect(processEvent.process.name).not.toBeNull(); + expect(processEvent.process?.entity_id).not.toBeNull(); + expect(processEvent.process?.name).not.toBeNull(); }); describe('creates events with an empty ancestry array', () => { @@ -128,7 +134,7 @@ describe('data generator', () => { it('creates all events with an empty ancestry array', () => { for (const event of tree.allEvents) { - expect(event.process.Ext!.ancestry!.length).toEqual(0); + expect(event.process?.Ext?.ancestry?.length).toEqual(0); } }); }); @@ -194,22 +200,23 @@ describe('data generator', () => { const inRelated = node.relatedEvents.includes(event); const inRelatedAlerts = node.relatedAlerts.includes(event); - return (inRelated || inRelatedAlerts || inLifecycle) && event.process.entity_id === node.id; + return (inRelated || inRelatedAlerts || inLifecycle) && event.process?.entity_id === node.id; }; const verifyAncestry = (event: Event, genTree: Tree) => { - if (event.process.Ext!.ancestry!.length > 0) { - expect(event.process.parent?.entity_id).toBe(event.process.Ext!.ancestry![0]); + const ancestry = values(event.process?.Ext?.ancestry); + if (ancestry.length > 0) { + expect(event.process?.parent?.entity_id).toBe(ancestry[0]); } - for (let i = 0; i < event.process.Ext!.ancestry!.length; i++) { - const ancestor = event.process.Ext!.ancestry![i]; + for (let i = 0; i < ancestry.length; i++) { + const ancestor = ancestry[i]; const parent = genTree.children.get(ancestor) || genTree.ancestry.get(ancestor); - expect(ancestor).toBe(parent?.lifecycle[0].process.entity_id); + expect(ancestor).toBe(parent?.lifecycle[0].process?.entity_id); // the next ancestor should be the grandparent - if (i + 1 < event.process.Ext!.ancestry!.length) { - const grandparent = event.process.Ext!.ancestry![i + 1]; - expect(grandparent).toBe(parent?.lifecycle[0].process.parent?.entity_id); + if (i + 1 < ancestry.length) { + const grandparent = ancestry[i + 1]; + expect(grandparent).toBe(parent?.lifecycle[0].process?.parent?.entity_id); } } }; @@ -217,13 +224,14 @@ describe('data generator', () => { it('creates related events in ascending order', () => { // the order should not change since it should already be in ascending order const relatedEventsAsc = _.cloneDeep(tree.origin.relatedEvents).sort( - (event1, event2) => event1['@timestamp'] - event2['@timestamp'] + (event1, event2) => + (timestampSafeVersion(event1) ?? 0) - (timestampSafeVersion(event2) ?? 0) ); expect(tree.origin.relatedEvents).toStrictEqual(relatedEventsAsc); }); it('has ancestry array defined', () => { - expect(tree.origin.lifecycle[0].process.Ext!.ancestry!.length).toBe(ANCESTRY_LIMIT); + expect(values(tree.origin.lifecycle[0].process?.Ext?.ancestry).length).toBe(ANCESTRY_LIMIT); for (const event of tree.allEvents) { verifyAncestry(event, tree); } @@ -252,12 +260,9 @@ describe('data generator', () => { const counts: Record = {}; for (const event of node.relatedEvents) { - if (Array.isArray(event.event.category)) { - for (const cat of event.event.category) { - counts[cat] = counts[cat] + 1 || 1; - } - } else { - counts[event.event.category] = counts[event.event.category] + 1 || 1; + const categories = values(event.event?.category); + for (const cat of categories) { + counts[cat] = counts[cat] + 1 || 1; } } expect(counts[ECSCategory.Driver]).toEqual(1); @@ -316,15 +321,18 @@ describe('data generator', () => { expect(tree.allEvents.length).toBeGreaterThan(0); tree.allEvents.forEach((event) => { - const ancestor = tree.ancestry.get(event.process.entity_id); - if (ancestor) { - expect(eventInNode(event, ancestor)).toBeTruthy(); - return; - } + const entityID = entityIDSafeVersion(event); + if (entityID) { + const ancestor = tree.ancestry.get(entityID); + if (ancestor) { + expect(eventInNode(event, ancestor)).toBeTruthy(); + return; + } - const children = tree.children.get(event.process.entity_id); - if (children) { - expect(eventInNode(event, children)).toBeTruthy(); + const children = tree.children.get(entityID); + if (children) { + expect(eventInNode(event, children)).toBeTruthy(); + } } }); }); @@ -351,9 +359,8 @@ describe('data generator', () => { let events: Event[]; const isCategoryProcess = (event: Event) => { - return ( - _.isEqual(event.event.category, ['process']) || _.isEqual(event.event.category, 'process') - ); + const category = values(event.event?.category); + return _.isEqual(category, ['process']); }; beforeEach(() => { @@ -366,12 +373,16 @@ describe('data generator', () => { it('with n-1 process events', () => { for (let i = events.length - 2; i > 0; ) { - const parentEntityIdOfChild = events[i].process.parent?.entity_id; - for (; --i >= -1 && (events[i].event.kind !== 'event' || !isCategoryProcess(events[i])); ) { + const parentEntityIdOfChild = parentEntityIDSafeVersion(events[i]); + for ( + ; + --i >= -1 && (events[i].event?.kind !== 'event' || !isCategoryProcess(events[i])); + + ) { // related event - skip it } expect(i).toBeGreaterThanOrEqual(0); - expect(parentEntityIdOfChild).toEqual(events[i].process.entity_id); + expect(parentEntityIdOfChild).toEqual(entityIDSafeVersion(events[i])); } }); @@ -380,7 +391,7 @@ describe('data generator', () => { for ( ; previousProcessEventIndex >= -1 && - (events[previousProcessEventIndex].event.kind !== 'event' || + (events[previousProcessEventIndex].event?.kind !== 'event' || !isCategoryProcess(events[previousProcessEventIndex])); previousProcessEventIndex-- ) { @@ -388,14 +399,14 @@ describe('data generator', () => { } expect(previousProcessEventIndex).toBeGreaterThanOrEqual(0); // The alert should be last and have the same entity_id as the previous process event - expect(events[events.length - 1].process.entity_id).toEqual( - events[previousProcessEventIndex].process.entity_id + expect(events[events.length - 1].process?.entity_id).toEqual( + events[previousProcessEventIndex].process?.entity_id ); - expect(events[events.length - 1].process.parent?.entity_id).toEqual( - events[previousProcessEventIndex].process.parent?.entity_id + expect(events[events.length - 1].process?.parent?.entity_id).toEqual( + events[previousProcessEventIndex].process?.parent?.entity_id ); - expect(events[events.length - 1].event.kind).toEqual('alert'); - expect(events[events.length - 1].event.category).toEqual('malware'); + expect(events[events.length - 1].event?.kind).toEqual('alert'); + expect(events[events.length - 1].event?.category).toEqual('malware'); }); }); @@ -403,14 +414,17 @@ describe('data generator', () => { // First pass we gather up all the events by entity_id const tree: Record = {}; events.forEach((event) => { - if (event.process.entity_id in tree) { - tree[event.process.entity_id].events.push(event); - } else { - tree[event.process.entity_id] = { - events: [event], - children: [], - parent_entity_id: event.process.parent?.entity_id, - }; + const entityID = entityIDSafeVersion(event); + if (entityID) { + if (entityID in tree) { + tree[entityID].events.push(event); + } else { + tree[entityID] = { + events: [event], + children: [], + parent_entity_id: parentEntityIDSafeVersion(event), + }; + } } }); // Second pass add child references to each node @@ -420,7 +434,7 @@ describe('data generator', () => { } } // The root node must be first in the array or this fails - return tree[events[0].process.entity_id]; + return tree[entityIDSafeVersion(events[0]) ?? '']; } function countResolverEvents(rootNode: Node, generations: number): number { diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts index bc691785f6213..11f37d01aca96 100644 --- a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts +++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts @@ -7,7 +7,6 @@ import uuid from 'uuid'; import seedrandom from 'seedrandom'; import { AlertEvent, - SafeResolverEvent, EndpointStatus, Host, HostMetadata, @@ -18,7 +17,12 @@ import { SafeEndpointEvent, } from './types'; import { factory as policyFactory } from './models/policy_config'; -import { ancestryArray, entityIDSafeVersion, parentEntityIDSafeVersion } from './models/event'; +import { + ancestryArray, + entityIDSafeVersion, + parentEntityIDSafeVersion, + timestampSafeVersion, +} from './models/event'; import { GetAgentPoliciesResponseItem, GetPackagesResponse, @@ -804,7 +808,7 @@ export class EndpointDocGenerator { }); events.push(root); let ancestor = root; - let timestamp = (firstNonNullValue(root['@timestamp']) ?? 0) + 1000; + let timestamp = (timestampSafeVersion(root) ?? 0) + 1000; const addRelatedAlerts = ( node: Event, @@ -934,7 +938,7 @@ export class EndpointDocGenerator { maxChildren, }; const lineage: NodeState[] = [rootState]; - let timestamp = firstNonNullValue(root['@timestamp']) ?? 0; + let timestamp = timestampSafeVersion(root) ?? 0; while (lineage.length > 0) { const currentState = lineage[lineage.length - 1]; // If we get to a state node and it has made all the children, move back up a level @@ -1014,7 +1018,7 @@ export class EndpointDocGenerator { ordered: boolean = false ) { let relatedEventsInfo: RelatedEventInfo[]; - const nodeTimestamp = firstNonNullValue(node['@timestamp']) ?? 0; + const nodeTimestamp = timestampSafeVersion(node) ?? 0; let ts = nodeTimestamp + 1; if (typeof relatedEvents === 'number') { relatedEventsInfo = [{ category: RelatedEventCategory.Random, count: relatedEvents }]; @@ -1061,8 +1065,7 @@ export class EndpointDocGenerator { alertCreationTime: number = 6 * 3600 ) { for (let i = 0; i < relatedAlerts; i++) { - const ts = - (firstNonNullValue(node['@timestamp']) ?? 0) + this.randomN(alertCreationTime) * 1000; + const ts = (timestampSafeVersion(node) ?? 0) + this.randomN(alertCreationTime) * 1000; yield this.generateAlert( ts, entityIDSafeVersion(node), diff --git a/x-pack/plugins/security_solution/common/endpoint/index_data.ts b/x-pack/plugins/security_solution/common/endpoint/index_data.ts index 9a61738cd84b4..a82815ea6ea27 100644 --- a/x-pack/plugins/security_solution/common/endpoint/index_data.ts +++ b/x-pack/plugins/security_solution/common/endpoint/index_data.ts @@ -86,7 +86,7 @@ async function indexAlerts( // eslint-disable-next-line @typescript-eslint/no-explicit-any (array: Array>, doc) => { let index = eventIndex; - if (doc.event.kind === 'alert') { + if (doc.event?.kind === 'alert') { index = alertIndex; } array.push({ create: { _index: index } }, doc); diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts index 6e6e0f443015b..6ea04f9bc77c2 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts @@ -5,7 +5,7 @@ */ import { EndpointDocGenerator } from '../generate_data'; import { descriptiveName, isProcessRunning } from './event'; -import { ResolverEvent } from '../types'; +import { ResolverEvent, SafeResolverEvent } from '../types'; describe('Generated documents', () => { let generator: EndpointDocGenerator; @@ -13,24 +13,31 @@ describe('Generated documents', () => { generator = new EndpointDocGenerator('seed'); }); + // TODO what should I do about the cast? We can create a new safe descriptive name but + // the front end won't use that until the rest of it is converted describe('Event descriptive names', () => { it('returns the right name for a registry event', () => { const extensions = { registry: { key: `HKLM/Windows/Software/abc` } }; const event = generator.generateEvent({ eventCategory: 'registry', extensions }); - expect(descriptiveName(event)).toEqual({ subject: `HKLM/Windows/Software/abc` }); + expect(descriptiveName(event as ResolverEvent)).toEqual({ + subject: `HKLM/Windows/Software/abc`, + }); }); it('returns the right name for a network event', () => { const randomIP = `${generator.randomIP()}`; const extensions = { network: { direction: 'outbound', forwarded_ip: randomIP } }; const event = generator.generateEvent({ eventCategory: 'network', extensions }); - expect(descriptiveName(event)).toEqual({ subject: `${randomIP}`, descriptor: 'outbound' }); + expect(descriptiveName(event as ResolverEvent)).toEqual({ + subject: `${randomIP}`, + descriptor: 'outbound', + }); }); it('returns the right name for a file event', () => { const extensions = { file: { path: 'C:\\My Documents\\business\\January\\processName' } }; const event = generator.generateEvent({ eventCategory: 'file', extensions }); - expect(descriptiveName(event)).toEqual({ + expect(descriptiveName(event as ResolverEvent)).toEqual({ subject: 'C:\\My Documents\\business\\January\\processName', }); }); @@ -38,27 +45,29 @@ describe('Generated documents', () => { it('returns the right name for a dns event', () => { const extensions = { dns: { question: { name: `${generator.randomIP()}` } } }; const event = generator.generateEvent({ eventCategory: 'dns', extensions }); - expect(descriptiveName(event)).toEqual({ subject: extensions.dns.question.name }); + expect(descriptiveName(event as ResolverEvent)).toEqual({ + subject: extensions.dns.question.name, + }); }); }); describe('Process running events', () => { it('is a running event when event.type is a string', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: 'start', }); expect(isProcessRunning(event)).toBeTruthy(); }); it('is a running event when event.type is an array of strings', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: ['start'], }); expect(isProcessRunning(event)).toBeTruthy(); }); it('is a running event when event.type is an array of strings and contains start', () => { - let event: ResolverEvent = generator.generateEvent({ + let event: SafeResolverEvent = generator.generateEvent({ eventType: ['bogus', 'start', 'creation'], }); expect(isProcessRunning(event)).toBeTruthy(); @@ -70,35 +79,35 @@ describe('Generated documents', () => { }); it('is not a running event when event.type is only and end type', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: ['end'], }); expect(isProcessRunning(event)).toBeFalsy(); }); it('is not a running event when event.type is empty', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: [], }); expect(isProcessRunning(event)).toBeFalsy(); }); it('is not a running event when event.type is bogus', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: ['bogus'], }); expect(isProcessRunning(event)).toBeFalsy(); }); it('is a running event when event.type contains info', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: ['info'], }); expect(isProcessRunning(event)).toBeTruthy(); }); it('is a running event when event.type contains change', () => { - const event: ResolverEvent = generator.generateEvent({ + const event: SafeResolverEvent = generator.generateEvent({ eventType: ['bogus', 'change'], }); expect(isProcessRunning(event)).toBeTruthy(); diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts index 38d1fba94ce4c..d7cd555170fcc 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts @@ -9,7 +9,7 @@ import { SafeResolverEvent, SafeLegacyEndpointEvent, } from '../types'; -import { firstNonNullValue, values } from './ecs_safety_helpers'; +import { firstNonNullValue, hasValue, values } from './ecs_safety_helpers'; /* * Determine if a `ResolverEvent` is the legacy variety. Can be used to narrow `ResolverEvent` to `LegacyEndpointEvent`. @@ -27,32 +27,24 @@ export function isLegacyEvent(event: ResolverEvent): event is LegacyEndpointEven return (event as LegacyEndpointEvent).endgame !== undefined; } -export function isProcessRunning(event: ResolverEvent): boolean { - if (isLegacyEvent(event)) { - return ( - event.event?.type === 'process_start' || - event.event?.action === 'fork_event' || - event.event?.type === 'already_running' - ); - } - - if (Array.isArray(event.event.type)) { +export function isProcessRunning(event: SafeResolverEvent): boolean { + if (isLegacyEventSafeVersion(event)) { return ( - event.event.type.includes('start') || - event.event.type.includes('change') || - event.event.type.includes('info') + hasValue(event.event?.type, 'process_start') || + hasValue(event.event?.action, 'fork_event') || + hasValue(event.event?.type, 'already_running') ); } return ( - event.event.type === 'start' || event.event.type === 'change' || event.event.type === 'info' + hasValue(event.event?.type, 'start') || + hasValue(event.event?.type, 'change') || + hasValue(event.event?.type, 'info') ); } -export function timestampSafeVersion(event: SafeResolverEvent): string | undefined | number { - return isLegacyEventSafeVersion(event) - ? firstNonNullValue(event.endgame?.timestamp_utc) - : firstNonNullValue(event?.['@timestamp']); +export function timestampSafeVersion(event: SafeResolverEvent): undefined | number { + return firstNonNullValue(event?.['@timestamp']); } /** diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts index 55b6f2a041813..64bdbb1193f53 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts @@ -196,11 +196,11 @@ export interface SafeResolverTree { * process node that generated an alert. */ entityID: string; - children: ResolverChildren; - relatedEvents: Omit; + children: SafeResolverChildren; + relatedEvents: Omit; relatedAlerts: Omit; - ancestry: ResolverAncestry; - lifecycle: ResolverEvent[]; + ancestry: SafeResolverAncestry; + lifecycle: SafeResolverEvent[]; stats: ResolverNodeStats; } @@ -338,148 +338,130 @@ interface Hashes { /** * A hash in MD5 format. */ - md5: string; + md5: ECSField; /** * A hash in SHA-1 format. */ - sha1: string; + sha1: ECSField; /** * A hash in SHA-256 format. */ - sha256: string; + sha256: ECSField; } interface MalwareClassification { - identifier: string; - score: number; - threshold: number; - version: string; + identifier: ECSField; + score: ECSField; + threshold: ECSField; + version: ECSField; } -interface ThreadFields { - id: number; - Ext: { - service_name: string; - start: number; - start_address: number; - start_address_module: string; - }; -} +type ThreadFields = Partial<{ + id: ECSField; + Ext: Partial<{ + service_name: ECSField; + start: ECSField; + start_address: ECSField; + start_address_module: ECSField; + }>; +}>; -interface DllFields { - hash: Hashes; - path: string; - pe: { - architecture: string; - }; - code_signature: { - subject_name: string; - trusted: boolean; - }; - Ext: { - compile_time: number; - malware_classification: MalwareClassification; - mapped_address: number; - mapped_size: number; - }; -} +type DllFields = Partial<{ + hash: Partial; + path: ECSField; + pe: Partial<{ + architecture: ECSField; + }>; + code_signature: Partial<{ + subject_name: ECSField; + trusted: ECSField; + }>; + Ext: Partial<{ + compile_time: ECSField; + malware_classification: Partial; + mapped_address: ECSField; + mapped_size: ECSField; + }>; +}>; /** * Describes an Alert Event. */ -export interface AlertEvent { - '@timestamp': number; - agent: { - id: string; - version: string; - type: string; - }; - ecs: { - version: string; - }; - event: { - id: string; - action: string; - category: string; - kind: string; - dataset: string; - module: string; - type: string; - sequence: number; - }; - Endpoint: { - policy: { - applied: { - id: string; - status: HostPolicyResponseActionStatus; - name: string; - }; - }; - }; - process: { - command_line?: string; - pid: number; - ppid?: number; - entity_id: string; - parent?: { - pid: number; - entity_id: string; - }; - name: string; - hash: Hashes; - executable: string; - start: number; - thread?: ThreadFields[]; - uptime: number; - Ext?: { - /* - * The array has a special format. The entity_ids towards the beginning of the array are closer ancestors and the - * values towards the end of the array are more distant ancestors (grandparents). Therefore - * ancestry_array[0] == process.parent.entity_id and ancestry_array[1] == process.parent.parent.entity_id - */ - ancestry?: string[]; - code_signature: Array<{ - subject_name: string; - trusted: boolean; +export type AlertEvent = Partial<{ + event: Partial<{ + action: ECSField; + dataset: ECSField; + module: ECSField; + }>; + Endpoint: Partial<{ + policy: Partial<{ + applied: Partial<{ + id: ECSField; + // TODO this is an enum is this right? + status: ECSField; + name: ECSField; }>; - malware_classification?: MalwareClassification; - token: { - domain: string; - type: string; - user: string; - sid: string; - integrity_level: number; - integrity_level_name: string; - privileges?: Array<{ - description: string; - name: string; - enabled: boolean; - }>; - }; - user: string; - }; - }; - file: { - owner: string; - name: string; - path: string; - accessed: number; - mtime: number; - created: number; - size: number; - hash: Hashes; - Ext: { - malware_classification: MalwareClassification; - temp_file_path: string; - code_signature: Array<{ - trusted: boolean; - subject_name: string; + }>; + }>; + process: Partial<{ + command_line: ECSField; + ppid: ECSField; + executable: ECSField; + start: ECSField; + thread: ECSField; + uptime: number; + Ext: Partial<{ + // TODO this was an array of objects is this right? + code_signature: ECSField< + Partial<{ + subject_name: ECSField; + trusted: ECSField; + }> + >; + malware_classification: Partial; + token: Partial<{ + domain: ECSField; + type: ECSField; + user: ECSField; + sid: ECSField; + integrity_level: ECSField; + integrity_level_name: ECSField; + // TODO array + privileges: ECSField< + Partial<{ + description: string; + name: string; + enabled: boolean; + }> + >; }>; - }; - }; - host: Host; - dll?: DllFields[]; -} + user: ECSField; + }>; + }>; + file: Partial<{ + owner: ECSField; + name: ECSField; + accessed: ECSField; + mtime: ECSField; + created: ECSField; + size: ECSField; + hash: Partial; + Ext: Partial<{ + malware_classification: Partial; + temp_file_path: ECSField; + // TODO was an array + code_signature: ECSField< + Partial<{ + trusted: ECSField; + subject_name: ECSField; + }> + >; + }>; + }>; + // TODO was an array + dll: ECSField; +}> & + SafeEndpointEvent; /** * The status of the Endpoint Agent as reported by the Agent or the @@ -724,9 +706,7 @@ export type SafeEndpointEvent = Partial<{ subject_name: ECSField; }>; pid: ECSField; - hash: Partial<{ - md5: ECSField; - }>; + hash: Partial; parent: Partial<{ entity_id: ECSField; name: ECSField; diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts index b490589ee9e78..d33e9a2d70af6 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.test.ts @@ -180,7 +180,7 @@ describe('Children helper', () => { childrenNodes.childNodes.forEach((node) => { node.lifecycle.forEach((event) => { expect( - childrenEvents.find((child) => child.event.id === eventIDSafeVersion(event)) + childrenEvents.find((child) => eventIDSafeVersion(child) === eventIDSafeVersion(event)) ).toEqual(event); }); }); @@ -194,7 +194,7 @@ describe('Children helper', () => { childrenNodes.childNodes.forEach((node) => { node.lifecycle.forEach((event) => { expect( - childrenEvents.find((child) => child.event.id === eventIDSafeVersion(event)) + childrenEvents.find((child) => eventIDSafeVersion(child) === eventIDSafeVersion(event)) ).toEqual(event); }); }); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts index 0449e1152381a..e9174548898dd 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_helper.ts @@ -5,8 +5,7 @@ */ import { - entityId, - parentEntityId, + parentEntityIDSafeVersion, isProcessRunning, getAncestryAsArray, entityIDSafeVersion, @@ -101,8 +100,8 @@ export class ChildrenNodesHelper { }; for (const event of startEvents) { - const parentID = parentEntityId(event); - const entityID = entityId(event); + const parentID = parentEntityIDSafeVersion(event); + const entityID = entityIDSafeVersion(event); if (parentID && entityID && isProcessRunning(event)) { // don't actually add the start event to the node, because that'll be done in // a different call @@ -162,7 +161,7 @@ export class ChildrenNodesHelper { return nodesToQueryNext.get(largestAncestryArray); } - private setPaginationForNodes(nodes: Set, startEvents: ResolverEvent[]) { + private setPaginationForNodes(nodes: Set, startEvents: SafeResolverEvent[]) { for (const nodeEntityID of nodes.values()) { const cachedNode = this.entityToNodeCache.get(nodeEntityID); if (cachedNode) { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts index 936080c3421ba..4cc8aaf42d12b 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination.ts @@ -4,9 +4,8 @@ * you may not use this file except in compliance with the Elastic License. */ -import { firstNonNullValue } from '../../../../../common/endpoint/models/ecs_safety_helpers'; import { SafeResolverEvent } from '../../../../../common/endpoint/types'; -import { eventSequence } from '../../../../../common/endpoint/models/event'; +import { eventSequence, timestampSafeVersion } from '../../../../../common/endpoint/models/event'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; import { urlEncodeCursor, SortFields, urlDecodeCursor } from './pagination'; @@ -70,7 +69,7 @@ export class ChildrenPaginationBuilder { const lastResult = results[results.length - 1]; const sequence = eventSequence(lastResult); const cursor = { - timestamp: firstNonNullValue(lastResult['@timestamp']) ?? 0, + timestamp: timestampSafeVersion(lastResult) ?? 0, sequence: sequence === undefined ? 0 : sequence, }; return urlEncodeCursor(cursor); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts index 30d46d12afbe5..327be8d3696fd 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/children_start_query_handler.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent } from '../../../../../common/endpoint/types'; import { ChildrenQuery } from '../queries/children'; import { QueryInfo } from '../queries/multi_searcher'; import { QueryHandler } from './fetch'; @@ -46,7 +46,7 @@ export class ChildrenStartQueryHandler implements QueryHandler) => { + private handleResponse = (response: SearchResponse) => { const results = this.query.formatResponse(response); this.nodesToQuery = this.childrenHelper.addStartEvents(this.nodesToQuery, results) ?? new Set(); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/events_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/events_query_handler.ts index 8792f917fb4d6..5c4d9a4741ad7 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/events_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/events_query_handler.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverRelatedEvents, ResolverEvent } from '../../../../../common/endpoint/types'; +import { SafeResolverRelatedEvents, SafeResolverEvent } from '../../../../../common/endpoint/types'; import { createRelatedEvents } from './node'; import { EventsQuery } from '../queries/events'; import { PaginationBuilder } from './pagination'; @@ -28,8 +28,8 @@ export interface RelatedEventsParams { /** * This retrieves the related events for the origin node of a resolver tree. */ -export class RelatedEventsQueryHandler implements SingleQueryHandler { - private relatedEvents: ResolverRelatedEvents | undefined; +export class RelatedEventsQueryHandler implements SingleQueryHandler { + private relatedEvents: SafeResolverRelatedEvents | undefined; private readonly query: EventsQuery; private readonly limit: number; private readonly entityID: string; @@ -46,7 +46,7 @@ export class RelatedEventsQueryHandler implements SingleQueryHandler) => { + private handleResponse = (response: SearchResponse) => { const results = this.query.formatResponse(response); this.relatedEvents = createRelatedEvents( this.entityID, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts index 1b88f965909eb..15a9639872f2a 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/fetch.ts @@ -6,11 +6,11 @@ import { ILegacyScopedClusterClient } from 'kibana/server'; import { - ResolverChildren, - ResolverRelatedEvents, - ResolverAncestry, + SafeResolverChildren, + SafeResolverRelatedEvents, + SafeResolverAncestry, ResolverRelatedAlerts, - ResolverLifecycleNode, + SafeResolverLifecycleNode, } from '../../../../../common/endpoint/types'; import { Tree } from './tree'; import { LifecycleQuery } from '../queries/lifecycle'; @@ -190,7 +190,7 @@ export class Fetcher { * * @param limit upper limit of ancestors to retrieve */ - public async ancestors(limit: number): Promise { + public async ancestors(limit: number): Promise { const originNode = await this.getNode(this.id); const ancestryHandler = new AncestryQueryHandler( limit, @@ -207,7 +207,7 @@ export class Fetcher { * @param limit the number of children to retrieve for a single level * @param after a cursor to use as the starting point for retrieving children */ - public async children(limit: number, after?: string): Promise { + public async children(limit: number, after?: string): Promise { const childrenHandler = new ChildrenStartQueryHandler( limit, this.id, @@ -237,7 +237,7 @@ export class Fetcher { limit: number, after?: string, filter?: string - ): Promise { + ): Promise { const eventsHandler = new RelatedEventsQueryHandler({ limit, entityID: this.id, @@ -285,7 +285,7 @@ export class Fetcher { return tree; } - private async getNode(entityID: string): Promise { + private async getNode(entityID: string): Promise { const query = new LifecycleQuery(this.eventsIndexPattern, this.endpointID); const results = await query.searchAndFormat(this.client, entityID); if (results.length === 0) { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/lifecycle_query_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/lifecycle_query_handler.ts index ab0501e099490..d4dc12d5e8b66 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/lifecycle_query_handler.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/lifecycle_query_handler.ts @@ -6,7 +6,7 @@ import { SearchResponse } from 'elasticsearch'; import { ILegacyScopedClusterClient } from 'kibana/server'; -import { ResolverEvent, ResolverLifecycleNode } from '../../../../../common/endpoint/types'; +import { SafeResolverEvent, SafeResolverLifecycleNode } from '../../../../../common/endpoint/types'; import { LifecycleQuery } from '../queries/lifecycle'; import { QueryInfo } from '../queries/multi_searcher'; import { SingleQueryHandler } from './fetch'; @@ -15,8 +15,8 @@ import { createLifecycle } from './node'; /** * Retrieve the lifecycle events for a node. */ -export class LifecycleQueryHandler implements SingleQueryHandler { - private lifecycle: ResolverLifecycleNode | undefined; +export class LifecycleQueryHandler implements SingleQueryHandler { + private lifecycle: SafeResolverLifecycleNode | undefined; private readonly query: LifecycleQuery; constructor( private readonly entityID: string, @@ -26,7 +26,7 @@ export class LifecycleQueryHandler implements SingleQueryHandler) => { + private handleResponse = (response: SearchResponse) => { const results = this.query.formatResponse(response); if (results.length !== 0) { this.lifecycle = createLifecycle(this.entityID, results); @@ -51,7 +51,7 @@ export class LifecycleQueryHandler implements SingleQueryHandler { const generator = new EndpointDocGenerator(); - const getSearchAfterInfo = (events: EndpointEvent[]) => { + const getSearchAfterInfo = (events: SafeEndpointEvent[]) => { const lastEvent = events[events.length - 1]; - return [lastEvent['@timestamp'], lastEvent.event.id]; + return [timestampSafeVersion(lastEvent), eventIDSafeVersion(lastEvent)]; }; describe('cursor', () => { const root = generator.generateEvent(); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/pagination.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/pagination.ts index 90198bd2fb7cb..af0311a262f30 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/pagination.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/pagination.ts @@ -4,9 +4,11 @@ * you may not use this file except in compliance with the Elastic License. */ -import { firstNonNullValue } from '../../../../../common/endpoint/models/ecs_safety_helpers'; import { SafeResolverEvent } from '../../../../../common/endpoint/types'; -import { eventIDSafeVersion } from '../../../../../common/endpoint/models/event'; +import { + eventIDSafeVersion, + timestampSafeVersion, +} from '../../../../../common/endpoint/models/event'; import { JsonObject } from '../../../../../../../../src/plugins/kibana_utils/common'; import { ChildrenPaginationCursor } from './children_pagination'; @@ -120,7 +122,7 @@ export class PaginationBuilder { static buildCursor(results: SafeResolverEvent[]): string | null { const lastResult = results[results.length - 1]; const cursor = { - timestamp: firstNonNullValue(lastResult['@timestamp']) ?? 0, + timestamp: timestampSafeVersion(lastResult) ?? 0, eventID: eventIDSafeVersion(lastResult) === undefined ? '' : String(eventIDSafeVersion(lastResult)), }; diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts index 21db11f3affd3..8ec2e0a122cc3 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts @@ -7,28 +7,28 @@ import { EndpointDocGenerator } from '../../../../../common/endpoint/generate_data'; import { Tree } from './tree'; import { - ResolverAncestry, - ResolverEvent, - ResolverRelatedEvents, + SafeResolverAncestry, + SafeResolverEvent, + SafeResolverRelatedEvents, } from '../../../../../common/endpoint/types'; -import { entityId } from '../../../../../common/endpoint/models/event'; +import { entityId, entityIDSafeVersion } from '../../../../../common/endpoint/models/event'; describe('Tree', () => { const generator = new EndpointDocGenerator(); describe('ancestry', () => { // transform the generator's array of events into the format expected by the tree class - const ancestorInfo: ResolverAncestry = { + const ancestorInfo: SafeResolverAncestry = { ancestors: generator .createAlertEventAncestry({ ancestors: 5, percentTerminated: 0, percentWithRelated: 0 }) .filter((event) => { - return event.event.kind === 'event'; + return event.event?.kind === 'event'; }) .map((event) => { return { - entityID: event.process.entity_id, + entityID: entityIDSafeVersion(event) ?? '', // The generator returns Events, but the tree needs a ResolverEvent - lifecycle: [event as ResolverEvent], + lifecycle: [event as SafeResolverEvent], }; }), nextAncestor: 'hello', @@ -39,7 +39,7 @@ describe('Tree', () => { const ids = tree.ids(); ids.forEach((id) => { const foundAncestor = ancestorInfo.ancestors.find( - (ancestor) => entityId(ancestor.lifecycle[0]) === id + (ancestor) => entityIDSafeVersion(ancestor.lifecycle[0]) === id ); expect(foundAncestor).not.toBeUndefined(); }); @@ -50,12 +50,12 @@ describe('Tree', () => { describe('related events', () => { it('adds related events to the tree', () => { const root = generator.generateEvent(); - const events: ResolverRelatedEvents = { - entityID: root.process.entity_id, + const events: SafeResolverRelatedEvents = { + entityID: entityIDSafeVersion(root) ?? '', events: Array.from(generator.relatedEventsGenerator(root)), nextEvent: null, }; - const tree = new Tree(root.process.entity_id, { relatedEvents: events }); + const tree = new Tree(entityIDSafeVersion(root) ?? '', { relatedEvents: events }); const rendered = tree.render(); expect(rendered.relatedEvents.nextEvent).toBeNull(); expect(rendered.relatedEvents.events).toStrictEqual(events.events); diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.ts index 3f941851a4143..dd493d70ffcd3 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.ts @@ -6,26 +6,26 @@ import _ from 'lodash'; import { - ResolverEvent, + SafeResolverEvent, ResolverNodeStats, - ResolverRelatedEvents, - ResolverAncestry, - ResolverTree, - ResolverChildren, + SafeResolverRelatedEvents, + SafeResolverAncestry, + SafeResolverTree, + SafeResolverChildren, ResolverRelatedAlerts, } from '../../../../../common/endpoint/types'; import { createTree } from './node'; interface Node { entityID: string; - lifecycle: ResolverEvent[]; + lifecycle: SafeResolverEvent[]; stats?: ResolverNodeStats; } export interface Options { - relatedEvents?: ResolverRelatedEvents; - ancestry?: ResolverAncestry; - children?: ResolverChildren; + relatedEvents?: SafeResolverRelatedEvents; + ancestry?: SafeResolverAncestry; + children?: SafeResolverChildren; relatedAlerts?: ResolverRelatedAlerts; } @@ -37,7 +37,7 @@ export interface Options { */ export class Tree { protected cache: Map = new Map(); - protected tree: ResolverTree; + protected tree: SafeResolverTree; constructor(protected readonly id: string, options: Options = {}) { const tree = createTree(this.id); @@ -55,7 +55,7 @@ export class Tree { * * @returns the origin ResolverNode */ - public render(): ResolverTree { + public render(): SafeResolverTree { return this.tree; } @@ -73,7 +73,7 @@ export class Tree { * * @param relatedEventsInfo is the related events and pagination information to add to the tree. */ - private addRelatedEvents(relatedEventsInfo: ResolverRelatedEvents | undefined) { + private addRelatedEvents(relatedEventsInfo: SafeResolverRelatedEvents | undefined) { if (!relatedEventsInfo) { return; } @@ -101,7 +101,7 @@ export class Tree { * * @param ancestorInfo is the ancestors and pagination information to add to the tree. */ - private addAncestors(ancestorInfo: ResolverAncestry | undefined) { + private addAncestors(ancestorInfo: SafeResolverAncestry | undefined) { if (!ancestorInfo) { return; } @@ -132,7 +132,7 @@ export class Tree { } } - private addChildren(children: ResolverChildren | undefined) { + private addChildren(children: SafeResolverChildren | undefined) { if (!children) { return; } diff --git a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json new file mode 100644 index 0000000000000..dac69338b5810 --- /dev/null +++ b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json @@ -0,0 +1,15462 @@ +{ + "type": "doc", + "value": { + "id": "PrQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455906000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93922, + "source_address": "10.6.188.90", + "source_port": 39168, + "timestamp": 132259295066186690, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:qQSXbeii7LO0D0/G1E/OA4IO+ME=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39168 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "V7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": ".test_file.swp", + "file_path": "/home/vagrant/.test_file.swp", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93947, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259295566271300, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "WLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": ".test_file.swpx", + "file_path": "/home/vagrant/.test_file.swpx", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93948, + "timestamp": 132259295566273140, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "XLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93952, + "source_address": "10.6.188.90", + "source_port": 39178, + "timestamp": 132259295569057230, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:x/k69HbBnwDOOYTE4Y4gAaOGicE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39178 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "Y7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": ".viminfo.tmp", + "file_path": "/home/vagrant/.viminfo.tmp", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93959, + "timestamp": 132259295597350900, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "abQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455962000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "cat test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "1484a27859e2ca20ad667cc06d595d22", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4073, + "ppid": 2876, + "process_name": "cat", + "process_path": "/usr/bin/cat", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93965, + "session_id": 2876, + "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", + "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e", + "tid": 4073, + "timestamp": 132259295623426690, + "unique_pid": 93965, + "unique_ppid": 93964 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "cat", + "test_file" + ], + "executable": "/usr/bin/cat", + "hash": { + "md5": "1484a27859e2ca20ad667cc06d595d22", + "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", + "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e" + }, + "name": "cat", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4073, + "ppid": 2876, + "thread": { + "id": 4073 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "bLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455966000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93968, + "source_address": "10.6.188.90", + "source_port": 39180, + "timestamp": 132259295669262820, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:ROcCcBYA2acrPPjZYkJWHFlu+XE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39180 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "crQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455993000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "opcode": 9, + "parent_process_name": "kthreadd", + "pid": 4173, + "ppid": 2, + "process_name": "kthreadd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93974, + "session_id": 0, + "tid": 4173, + "timestamp": 132259295931345280, + "unique_pid": 93974, + "unique_ppid": 1002 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "hash": { + }, + "name": "kthreadd", + "parent": { + "name": "kthreadd", + "pid": 2 + }, + "pid": 4173, + "ppid": 2, + "thread": { + "id": 4173 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "eLQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456016000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93980, + "source_address": "10.6.188.90", + "source_port": 39190, + "timestamp": 132259296169882030, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:BIOpxpEYP5YYcuCO5qYDSV8YtRY=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39190 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ebQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456026000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93981, + "source_address": "10.6.188.90", + "source_port": 39192, + "timestamp": 132259296269995940, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:lbSE4iBc2vccmwP76xpAEhEtpOI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39192 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "frQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456037000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93986, + "source_address": "10.6.188.90", + "source_port": 39194, + "timestamp": 132259296370096260, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:ZTJetA9OpyyxYgSIcv1TLHYSGn4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39194 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "grQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456057000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93990, + "source_address": "10.6.188.90", + "source_port": 39198, + "timestamp": 132259296570400690, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:k4ExX42GiiCWUs+yjiUX9rdD44w=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39198 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "g7QhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456067000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93991, + "source_address": "10.6.188.90", + "source_port": 39200, + "timestamp": 132259296670433000, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:f31y4JXVMEBz67FSPFANQiGDWr4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39200 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "h7QhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456087000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93995, + "source_address": "10.6.188.90", + "source_port": 39204, + "timestamp": 132259296870722460, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:Yh9Dwx7JLLDm52vLWCALomXGtig=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39204 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "jrQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456117000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94002, + "source_address": "10.6.188.90", + "source_port": 39210, + "timestamp": 132259297171099710, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:Pv9EtQNqSZS5UMcgm5//J7FB9Hw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39210 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "kLQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456127000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94004, + "source_address": "10.6.188.90", + "source_port": 39212, + "timestamp": 132259297271158340, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:bFkUyYg72aBaSClHXHckTj+N4vM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39212 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "kbQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456127000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "imjournal.state.tmp", + "file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 0, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94005, + "timestamp": 132259297271158860, + "unique_pid": 1088 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "l7QiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456157000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94011, + "source_address": "10.6.188.90", + "source_port": 39218, + "timestamp": 132259297571487410, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:5C8qwNUj15cr9IOHbpNPYR3yvUw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39218 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "mbQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456167000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94013, + "source_address": "10.6.188.90", + "source_port": 39220, + "timestamp": 132259297671640510, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:lf2OPCbBd44D+gv1/r7bvBbGBU0=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39220 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "nLQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456177000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94016, + "source_address": "10.6.188.90", + "source_port": 39222, + "timestamp": 132259297771736350, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:BtBNXVnfTQ/YKQ37qYojIqkstak=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39222 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "nbQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456187000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94017, + "source_address": "10.6.188.90", + "source_port": 39224, + "timestamp": 132259297871762110, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:SvQjmX4wKsaRboaSlceoLn5QTi4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39224 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "nrQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456187000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94018, + "source_address": "10.6.188.90", + "source_port": 39224, + "timestamp": 132259297871795260, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:SvQjmX4wKsaRboaSlceoLn5QTi4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39224 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "obQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456207000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94021, + "source_address": "10.6.188.90", + "source_port": 39228, + "timestamp": 132259298072055170, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:NswqKHbvS0MjyKQDw0V/YL8UDL8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39228 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "prQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456227000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94026, + "source_address": "10.6.188.90", + "source_port": 39232, + "timestamp": 132259298272310880, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:AvCkUU9w3PGKPyGxKLWlBKmIA2Y=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39232 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "q7QjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456247000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94031, + "source_address": "10.6.188.90", + "source_port": 39236, + "timestamp": 132259298472496690, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:7UCrAikx6KeWHWr3fKjEvGaZqlE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39236 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "r7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456249000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "other", + "file_path": "/home/vagrant/other", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 4999, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94035, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259298495543260, + "unique_pid": 94034 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "sbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456252000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5009, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94037, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 5009, + "timestamp": 132259298521672800, + "unique_pid": 94037, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5009, + "ppid": 2876, + "thread": { + "id": 5009 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "s7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456252000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "something", + "file_path": "/home/vagrant/something", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 5009, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94039, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259298521684770, + "unique_pid": 94038 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "trQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456255000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch blah", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5019, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94042, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 5019, + "timestamp": 132259298552388430, + "unique_pid": 94042, + "unique_ppid": 94041 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "touch", + "blah" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5019, + "ppid": 2876, + "thread": { + "id": 5019 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "urQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456257000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94046, + "source_address": "10.6.188.90", + "source_port": 39238, + "timestamp": 132259298572673280, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:qIkWxmjHs6UAHG4fbvAldTVa7qc=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39238 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "vbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456277000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94049, + "source_address": "10.6.188.90", + "source_port": 39242, + "timestamp": 132259298773181330, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:zvd73pnlGPFHP1cc55Dp8ZZEByI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39242 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "v7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456287000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94051, + "source_address": "10.6.188.90", + "source_port": 39244, + "timestamp": 132259298873329660, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:4lQtBep8SV0kUo9F097vLiWA7N8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39244 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "xLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456297000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94056, + "source_address": "10.6.188.90", + "source_port": 39246, + "timestamp": 132259298973516510, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:Tq7txtg21u7NqrdKlb2BHRz6DSo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39246 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "xrQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456307000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94058, + "source_address": "10.6.188.90", + "source_port": 39248, + "timestamp": 132259299073645710, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:R71JqiDPuyT5y6GvVD7KN6BBtmk=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39248 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "yrQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456327000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94062, + "source_address": "10.6.188.90", + "source_port": 39252, + "timestamp": 132259299273880800, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:i+rc/D2/y5VC773gyG1oPzuHXeY=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39252 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "PLQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455896000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93920, + "source_address": "10.6.188.90", + "source_port": 39166, + "timestamp": 132259294966045890, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:bZPkpEuO2COZhdjeOwODPdoHYIs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39166 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "S7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455942000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4006, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93935, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 4006, + "timestamp": 132259295420506050, + "unique_pid": 93935, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4006, + "ppid": 2876, + "thread": { + "id": 4006 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ULQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455946000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93940, + "source_address": "10.6.188.90", + "source_port": 39176, + "timestamp": 132259295468940580, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:cV1Kq/qwraGtvdeC0MCuTqAgEbs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39176 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "VrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "vim test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "7d3e711e8b1cab7880f38821bd294822", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4052, + "ppid": 2876, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93946, + "session_id": 2876, + "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", + "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5", + "tid": 4052, + "timestamp": 132259295561690740, + "unique_pid": 93946, + "unique_ppid": 93945 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "vim", + "test_file" + ], + "executable": "/usr/bin/vim", + "hash": { + "md5": "7d3e711e8b1cab7880f38821bd294822", + "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", + "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5" + }, + "name": "vim", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4052, + "ppid": 2876, + "thread": { + "id": 4052 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "X7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": "4913", + "file_path": "/home/vagrant/4913", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93955, + "timestamp": 132259295597321440, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "YbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "test_file", + "file_path": "/home/vagrant/test_file", + "md5": "9b8e321f3484f680055d6602129cb373", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93957, + "sha1": "46aded9c78e41c22462ae3e5f5dfa289ea648f40", + "sha256": "bb166c7d92902ad63da1351e2d4589f77faf33d78c99548f57f188715753f5ad", + "timestamp": 132259295597322290, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "YrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": "test_file~", + "file_path": "/home/vagrant/test_file~", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93958, + "timestamp": 132259295597348030, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ZLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": ".viminfo", + "file_path": "/home/vagrant/.viminfo", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93960, + "timestamp": 132259295597353540, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "arQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455962000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "cat test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "1484a27859e2ca20ad667cc06d595d22", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4073, + "ppid": 2876, + "process_name": "cat", + "process_path": "/usr/bin/cat", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93966, + "session_id": 2876, + "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", + "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e", + "tid": 4073, + "timestamp": 132259295623437380, + "unique_pid": 93965, + "unique_ppid": 93964 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "cat", + "test_file" + ], + "executable": "/usr/bin/cat", + "hash": { + "md5": "1484a27859e2ca20ad667cc06d595d22", + "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", + "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e" + }, + "name": "cat", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4073, + "ppid": 2876, + "thread": { + "id": 4073 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "brQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455976000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93970, + "source_address": "10.6.188.90", + "source_port": 39182, + "timestamp": 132259295769364300, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:lelA7m0aSdSZkXnpf1vl5dbBWf8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39182 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "c7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455996000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93975, + "source_address": "10.6.188.90", + "source_port": 39186, + "timestamp": 132259295969537170, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:7fs/H+rEFwDPcsa4fhrcu3Lxl4c=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39186 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "drQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456006000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93978, + "source_address": "10.6.188.90", + "source_port": 39188, + "timestamp": 132259296069739970, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:pgtobMrPyFzhc1ETGHeB5BlJo10=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39188 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "e7QgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456027000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "imjournal.state.tmp", + "file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 0, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93983, + "timestamp": 132259296270031400, + "unique_pid": 1088 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "k7QiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456137000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94007, + "source_address": "10.6.188.90", + "source_port": 39214, + "timestamp": 132259297371205400, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:dL9Mnb03cfdmWJb2cPqE+c8mdMM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39214 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "lLQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456137000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94008, + "source_address": "10.6.188.90", + "source_port": 39214, + "timestamp": 132259297371232640, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:dL9Mnb03cfdmWJb2cPqE+c8mdMM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39214 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "lbQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456147000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94009, + "source_address": "10.6.188.90", + "source_port": 39216, + "timestamp": 132259297471345460, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:XfuQ8Mt5f4MMlOeRkgvWnUsU9eI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39216 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "mLQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456157000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94012, + "source_address": "10.6.188.90", + "source_port": 39218, + "timestamp": 132259297571517140, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:5C8qwNUj15cr9IOHbpNPYR3yvUw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39218 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "orQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456207000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94022, + "source_address": "10.6.188.90", + "source_port": 39228, + "timestamp": 132259298072089800, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:NswqKHbvS0MjyKQDw0V/YL8UDL8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39228 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "o7QjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456217000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94023, + "source_address": "10.6.188.90", + "source_port": 39230, + "timestamp": 132259298172124850, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:ot0vqafYqkth9pB4IbMfvUiyGOg=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39230 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "pLQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456217000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94024, + "source_address": "10.6.188.90", + "source_port": 39230, + "timestamp": 132259298172155300, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:ot0vqafYqkth9pB4IbMfvUiyGOg=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39230 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "sLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456249000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch other", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4999, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94036, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 4999, + "timestamp": 132259298495543520, + "unique_pid": 94034, + "unique_ppid": 94033 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "touch", + "other" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4999, + "ppid": 2876, + "thread": { + "id": 4999 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "srQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456252000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch something", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5009, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94038, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 5009, + "timestamp": 132259298521676380, + "unique_pid": 94038, + "unique_ppid": 94037 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "touch", + "something" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5009, + "ppid": 2876, + "thread": { + "id": 5009 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "tbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456255000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5019, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94041, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 5019, + "timestamp": 132259298552385890, + "unique_pid": 94041, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5019, + "ppid": 2876, + "thread": { + "id": 5019 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "vLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456267000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94048, + "source_address": "10.6.188.90", + "source_port": 39240, + "timestamp": 132259298673066580, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:dbYg1YFAx5nMokqv+Y85cupgtsI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39240 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "x7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456307000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94059, + "source_address": "10.6.188.90", + "source_port": 39248, + "timestamp": 132259299073677600, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:R71JqiDPuyT5y6GvVD7KN6BBtmk=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39248 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "zLQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456327000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "imjournal.state.tmp", + "file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 0, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94064, + "timestamp": 132259299273914560, + "unique_pid": 1088 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "0bQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456347000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94069, + "source_address": "10.6.188.90", + "source_port": 39256, + "timestamp": 132259299474120830, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:Lqo1F38zJ2d1FltAA6flNs0D7E0=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39256 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "07QlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456357000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94071, + "source_address": "10.6.188.90", + "source_port": 39258, + "timestamp": 132259299574261710, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:BKnKNvILlxXib1Z6uznABCGhyOc=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39258 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "1LQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456367000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94072, + "source_address": "10.6.188.90", + "source_port": 39260, + "timestamp": 132259299674377310, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:Kd5q2SM/lcIJw3tR4PWzhZiKAmw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39260 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "QLQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455916000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93924, + "source_address": "10.6.188.90", + "source_port": 39170, + "timestamp": 132259295166328900, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:TG2D1zmAzdOwEFpDw4x5Ap8f528=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39170 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "RrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455936000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93930, + "source_address": "10.6.188.90", + "source_port": 39174, + "timestamp": 132259295366625840, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:XYG9hAJrmAOWjiDZcOinQ1ogIZU=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39174 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "SbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455939000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 3996, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93933, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 3996, + "timestamp": 132259295397007820, + "unique_pid": 93933, + "unique_ppid": 93932 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "touch", + "test_file" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 3996, + "ppid": 2876, + "thread": { + "id": 3996 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "SrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455939000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 3996, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93934, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 3996, + "timestamp": 132259295397008300, + "unique_pid": 93933, + "unique_ppid": 93932 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "touch", + "test_file" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 3996, + "ppid": 2876, + "thread": { + "id": 3996 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "TbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455942000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": "test_file", + "file_path": "/home/vagrant/test_file", + "opcode": 2, + "pid": 4006, + "process_name": "rm", + "process_path": "/usr/bin/rm", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93937, + "timestamp": 132259295420548860, + "unique_pid": 93936 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "TrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455942000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "rm test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "a53cece4b9a67959e2143873e47a9cc5", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4006, + "ppid": 2876, + "process_name": "rm", + "process_path": "/usr/bin/rm", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93938, + "session_id": 2876, + "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", + "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96", + "tid": 4006, + "timestamp": 132259295420548940, + "unique_pid": 93936, + "unique_ppid": 93935 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "rm", + "test_file" + ], + "executable": "/usr/bin/rm", + "hash": { + "md5": "a53cece4b9a67959e2143873e47a9cc5", + "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", + "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96" + }, + "name": "rm", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4006, + "ppid": 2876, + "thread": { + "id": 4006 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "T7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455946000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93939, + "source_address": "10.6.188.90", + "source_port": 39176, + "timestamp": 132259295468904240, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:cV1Kq/qwraGtvdeC0MCuTqAgEbs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39176 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "UbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455953000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4042, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93941, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 4042, + "timestamp": 132259295535692540, + "unique_pid": 93941, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4042, + "ppid": 2876, + "thread": { + "id": 4042 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "UrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455953000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4042, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93942, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 4042, + "timestamp": 132259295535696000, + "unique_pid": 93942, + "unique_ppid": 93941 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "touch", + "test_file" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4042, + "ppid": 2876, + "thread": { + "id": 4042 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "U7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455953000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "test_file", + "file_path": "/home/vagrant/test_file", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 4042, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93943, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259295535703730, + "unique_pid": 93942 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "XbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93953, + "source_address": "10.6.188.90", + "source_port": 39178, + "timestamp": 132259295569084080, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:x/k69HbBnwDOOYTE4Y4gAaOGicE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39178 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "a7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455966000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93967, + "source_address": "10.6.188.90", + "source_port": 39180, + "timestamp": 132259295669235570, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:ROcCcBYA2acrPPjZYkJWHFlu+XE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39180 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "bbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455976000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93969, + "source_address": "10.6.188.90", + "source_port": 39182, + "timestamp": 132259295769303410, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:lelA7m0aSdSZkXnpf1vl5dbBWf8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39182 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "dbQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456006000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93977, + "source_address": "10.6.188.90", + "source_port": 39188, + "timestamp": 132259296069708860, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:pgtobMrPyFzhc1ETGHeB5BlJo10=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39188 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "fbQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456037000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93985, + "source_address": "10.6.188.90", + "source_port": 39194, + "timestamp": 132259296370065460, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:ZTJetA9OpyyxYgSIcv1TLHYSGn4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39194 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "gLQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456047000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93988, + "source_address": "10.6.188.90", + "source_port": 39196, + "timestamp": 132259296470250350, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:A7EZ9c3qcFUUygQBYfs4aQ8DzD8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39196 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "hbQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456077000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93993, + "source_address": "10.6.188.90", + "source_port": 39202, + "timestamp": 132259296770576740, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:+Hr2DoNdf0lY2Bq0XIAAgTic6rA=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39202 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "iLQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456087000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93996, + "source_address": "10.6.188.90", + "source_port": 39204, + "timestamp": 132259296870750160, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:Yh9Dwx7JLLDm52vLWCALomXGtig=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39204 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ibQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456097000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93997, + "source_address": "10.6.188.90", + "source_port": 39206, + "timestamp": 132259296970863180, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:4ALCiH0GWvEIZwdCa6rir3Kc6MQ=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39206 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "jbQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456117000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94001, + "source_address": "10.6.188.90", + "source_port": 39210, + "timestamp": 132259297171069220, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:Pv9EtQNqSZS5UMcgm5//J7FB9Hw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39210 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "m7QiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456177000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94015, + "source_address": "10.6.188.90", + "source_port": 39222, + "timestamp": 132259297771705680, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:BtBNXVnfTQ/YKQ37qYojIqkstak=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39222 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "oLQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456197000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94020, + "source_address": "10.6.188.90", + "source_port": 39226, + "timestamp": 132259297971942020, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:qalUL3DB3b7dExcd8DttJwKoHFo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39226 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "t7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456255000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "blah", + "file_path": "/home/vagrant/blah", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 5019, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94043, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259298552397900, + "unique_pid": 94042 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "uLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456255000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch blah", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5019, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94044, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 5019, + "timestamp": 132259298552399550, + "unique_pid": 94042, + "unique_ppid": 94041 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "touch", + "blah" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5019, + "ppid": 2876, + "thread": { + "id": 5019 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "u7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456267000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94047, + "source_address": "10.6.188.90", + "source_port": 39240, + "timestamp": 132259298673032850, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:dbYg1YFAx5nMokqv+Y85cupgtsI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39240 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "vrQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456277000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94050, + "source_address": "10.6.188.90", + "source_port": 39242, + "timestamp": 132259298773211090, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:zvd73pnlGPFHP1cc55Dp8ZZEByI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39242 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "wrQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456294000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "opcode": 9, + "parent_process_name": "kthreadd", + "pid": 5142, + "ppid": 2, + "process_name": "kthreadd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94054, + "session_id": 0, + "tid": 5142, + "timestamp": 132259298940682620, + "unique_pid": 94054, + "unique_ppid": 1002 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "hash": { + }, + "name": "kthreadd", + "parent": { + "name": "kthreadd", + "pid": 2 + }, + "pid": 5142, + "ppid": 2, + "thread": { + "id": 5142 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "yLQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456317000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94060, + "source_address": "10.6.188.90", + "source_port": 39250, + "timestamp": 132259299173701180, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:rq5rVOSAukY8ispGh6zW3tGkrvk=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39250 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "y7QlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456327000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94063, + "source_address": "10.6.188.90", + "source_port": 39252, + "timestamp": 132259299273914320, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:i+rc/D2/y5VC773gyG1oPzuHXeY=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39252 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "0rQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456357000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94070, + "source_address": "10.6.188.90", + "source_port": 39258, + "timestamp": 132259299574232750, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:BKnKNvILlxXib1Z6uznABCGhyOc=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39258 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "1bQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456367000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94073, + "source_address": "10.6.188.90", + "source_port": 39260, + "timestamp": 132259299674404860, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:Kd5q2SM/lcIJw3tR4PWzhZiKAmw=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39260 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "OrQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455886000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93918, + "source_address": "10.6.188.90", + "source_port": 39164, + "timestamp": 132259294865991800, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:diWB9PGnhcbUUARSqTzwinrZEOo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39164 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "PbQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455896000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93921, + "source_address": "10.6.188.90", + "source_port": 39166, + "timestamp": 132259294966075060, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:bZPkpEuO2COZhdjeOwODPdoHYIs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39166 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "P7QeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455906000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93923, + "source_address": "10.6.188.90", + "source_port": 39168, + "timestamp": 132259295066216100, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:qQSXbeii7LO0D0/G1E/OA4IO+ME=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39168 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "QbQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455916000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93925, + "source_address": "10.6.188.90", + "source_port": 39170, + "timestamp": 132259295166361360, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:TG2D1zmAzdOwEFpDw4x5Ap8f528=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39170 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "QrQeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455926000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93926, + "source_address": "10.6.188.90", + "source_port": 39172, + "timestamp": 132259295266486400, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:QRJUKQoG0ofd1C9VbSo3GUURORE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39172 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "Q7QeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455926000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93927, + "source_address": "10.6.188.90", + "source_port": 39172, + "timestamp": 132259295266523890, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:QRJUKQoG0ofd1C9VbSo3GUURORE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39172 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "R7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455936000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93931, + "source_address": "10.6.188.90", + "source_port": 39174, + "timestamp": 132259295366655680, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:XYG9hAJrmAOWjiDZcOinQ1ogIZU=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39174 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "SLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455939000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 3996, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93932, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 3996, + "timestamp": 132259295396961260, + "unique_pid": 93932, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 3996, + "ppid": 2876, + "thread": { + "id": 3996 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "VLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455953000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4042, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93944, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 4042, + "timestamp": 132259295535705570, + "unique_pid": 93942, + "unique_ppid": 93941 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "touch", + "test_file" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4042, + "ppid": 2876, + "thread": { + "id": 4042 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "VbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4052, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93945, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 4052, + "timestamp": 132259295561315740, + "unique_pid": 93945, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4052, + "ppid": 2876, + "thread": { + "id": 4052 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "WbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": ".test_file.swpx", + "file_path": "/home/vagrant/.test_file.swpx", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93949, + "timestamp": 132259295566273660, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ZbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": ".viminfo", + "file_path": "/home/vagrant/.viminfo", + "md5": "1358fa5366521834200c2024ca7c8878", + "old_file_path": "/home/vagrant/.viminfo.tmp", + "opcode": 3, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93961, + "sha1": "e1d41f2d3daf0655d00ab887b220b69d957dd1dc", + "sha256": "3f159b2702e51020dac0326e83d2805e80847951229c97362c4bb359381d9d47", + "timestamp": 132259295597353730, + "unique_pid": 93946 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "Z7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "vim test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "7d3e711e8b1cab7880f38821bd294822", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4052, + "ppid": 2876, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93963, + "session_id": 2876, + "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", + "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5", + "tid": 4052, + "timestamp": 132259295597377000, + "unique_pid": 93946, + "unique_ppid": 93945 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "vim", + "test_file" + ], + "executable": "/usr/bin/vim", + "hash": { + "md5": "7d3e711e8b1cab7880f38821bd294822", + "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", + "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5" + }, + "name": "vim", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4052, + "ppid": 2876, + "thread": { + "id": 4052 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "aLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455962000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4073, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93964, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 4073, + "timestamp": 132259295623411400, + "unique_pid": 93964, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4073, + "ppid": 2876, + "thread": { + "id": 4073 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "b7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455986000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93971, + "source_address": "10.6.188.90", + "source_port": 39184, + "timestamp": 132259295869393710, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:hbQCrgxuCDyJ9FGRh24A3wQRSXU=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39184 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "cbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455992000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "opcode": 2, + "parent_process_name": "kthreadd", + "pid": 2197, + "ppid": 2, + "process_name": "kthreadd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93973, + "session_id": 0, + "tid": 2197, + "timestamp": 132259295924677120, + "unique_pid": 93695, + "unique_ppid": 1002 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "hash": { + }, + "name": "kthreadd", + "parent": { + "name": "kthreadd", + "pid": 2 + }, + "pid": 2197, + "ppid": 2, + "thread": { + "id": 2197 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "gbQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456057000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93989, + "source_address": "10.6.188.90", + "source_port": 39198, + "timestamp": 132259296570370700, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:k4ExX42GiiCWUs+yjiUX9rdD44w=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39198 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "hLQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456067000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93992, + "source_address": "10.6.188.90", + "source_port": 39200, + "timestamp": 132259296670462340, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:f31y4JXVMEBz67FSPFANQiGDWr4=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39200 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "hrQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456077000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93994, + "source_address": "10.6.188.90", + "source_port": 39202, + "timestamp": 132259296770608000, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:+Hr2DoNdf0lY2Bq0XIAAgTic6rA=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39202 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "irQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456097000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93998, + "source_address": "10.6.188.90", + "source_port": 39206, + "timestamp": 132259296970895500, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:4ALCiH0GWvEIZwdCa6rir3Kc6MQ=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39206 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "i7QhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456107000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93999, + "source_address": "10.6.188.90", + "source_port": 39208, + "timestamp": 132259297070925490, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:ASrGJJL6gzHH6s5QKFaALqDlqPs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39208 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "jLQhNnABvfrOPnsMfFf1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456107000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94000, + "source_address": "10.6.188.90", + "source_port": 39208, + "timestamp": 132259297070959620, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:ASrGJJL6gzHH6s5QKFaALqDlqPs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39208 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "krQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456127000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "imjournal.state", + "file_path": "/var/lib/rsyslog/imjournal.state", + "md5": "7407dd7a7c0794bf324b40bc4ce735e5", + "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 3, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94006, + "sha1": "0981e9a482f8e5c8ac182ce3840fe3fe03f15156", + "sha256": "9b3a4e78c019c4609acf5ca8bd283bcffcd18283f0ecb0db085bdfd5450bd751", + "timestamp": 132259297271158960, + "unique_pid": 1088 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "lrQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456147000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94010, + "source_address": "10.6.188.90", + "source_port": 39216, + "timestamp": 132259297471374800, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:XfuQ8Mt5f4MMlOeRkgvWnUsU9eI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39216 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "mrQiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456167000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94014, + "source_address": "10.6.188.90", + "source_port": 39220, + "timestamp": 132259297671678660, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:lf2OPCbBd44D+gv1/r7bvBbGBU0=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39220 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "n7QjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456197000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94019, + "source_address": "10.6.188.90", + "source_port": 39226, + "timestamp": 132259297971911760, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:qalUL3DB3b7dExcd8DttJwKoHFo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39226 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "qbQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456237000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94029, + "source_address": "10.6.188.90", + "source_port": 39234, + "timestamp": 132259298372350350, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:gH73QuXFdi87dATezTZ63qBRVaM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39234 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "rrQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456249000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch other", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4999, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94034, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 4999, + "timestamp": 132259298495542940, + "unique_pid": 94034, + "unique_ppid": 94033 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "touch", + "other" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4999, + "ppid": 2876, + "thread": { + "id": 4999 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ubQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456257000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94045, + "source_address": "10.6.188.90", + "source_port": 39238, + "timestamp": 132259298572641820, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:qIkWxmjHs6UAHG4fbvAldTVa7qc=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39238 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "w7QkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456297000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94055, + "source_address": "10.6.188.90", + "source_port": 39246, + "timestamp": 132259298973482610, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:Tq7txtg21u7NqrdKlb2BHRz6DSo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39246 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "xbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456302000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "opcode": 9, + "parent_process_name": "kthreadd", + "pid": 5172, + "ppid": 2, + "process_name": "kthreadd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94057, + "session_id": 0, + "tid": 5172, + "timestamp": 132259299025925090, + "unique_pid": 94057, + "unique_ppid": 1002 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "hash": { + }, + "name": "kthreadd", + "parent": { + "name": "kthreadd", + "pid": 2 + }, + "pid": 5172, + "ppid": 2, + "thread": { + "id": 5172 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ybQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456317000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94061, + "source_address": "10.6.188.90", + "source_port": 39250, + "timestamp": 132259299173744080, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:rq5rVOSAukY8ispGh6zW3tGkrvk=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39250 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "zbQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456327000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "imjournal.state", + "file_path": "/var/lib/rsyslog/imjournal.state", + "md5": "0df2c29722fd39026e279293fda3f46e", + "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 3, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94065, + "sha1": "26185c27437c9d6e1f979fe553764ce63de72129", + "sha256": "28925a8b6aef1b58840c1df45c93a64dcdb2e982ab89921bb73c6ac0667454cf", + "timestamp": 132259299273914750, + "unique_pid": 1088 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "zrQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456337000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94066, + "source_address": "10.6.188.90", + "source_port": 39254, + "timestamp": 132259299374006350, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:nHNLxc9DdSQ1K9M+aJfzdkjZRMs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39254 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "O7QeNnABvfrOPnsMvVfW", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455886000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93919, + "source_address": "10.6.188.90", + "source_port": 39164, + "timestamp": 132259294866021940, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:diWB9PGnhcbUUARSqTzwinrZEOo=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39164 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "RLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455926000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "imjournal.state.tmp", + "file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 0, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93928, + "timestamp": 132259295266524240, + "unique_pid": 1088 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "RbQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455926000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "imjournal.state", + "file_path": "/var/lib/rsyslog/imjournal.state", + "md5": "bd7cecc8c6fdc03ddb110ff5c29ba45c", + "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 3, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93929, + "sha1": "fd3e5ed3a90de5b683c9ad9e336a020cbb0234e1", + "sha256": "38a2ee2d979a3294ad13e9ea6f84fb04febffaa23f682fdad43faa99c34e08d1", + "timestamp": 132259295266524450, + "unique_pid": 1088 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "TLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455942000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "rm test_file", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process exec'd a new image.", + "event_subtype_full": "exec_event", + "event_type_full": "process_event", + "md5": "a53cece4b9a67959e2143873e47a9cc5", + "opcode": 5, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4006, + "ppid": 2876, + "process_name": "rm", + "process_path": "/usr/bin/rm", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93936, + "session_id": 2876, + "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", + "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96", + "tid": 4006, + "timestamp": 132259295420537250, + "unique_pid": 93936, + "unique_ppid": 93935 + }, + "event": { + "action": "exec_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame", + "type": "process_start" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process exec'd a new image.", + "process": { + "args": [ + "rm", + "test_file" + ], + "executable": "/usr/bin/rm", + "hash": { + "md5": "a53cece4b9a67959e2143873e47a9cc5", + "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", + "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96" + }, + "name": "rm", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4006, + "ppid": 2876, + "thread": { + "id": 4006 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "WrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": ".test_file.swp", + "file_path": "/home/vagrant/.test_file.swp", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93950, + "timestamp": 132259295566273810, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "W7QfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455956000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": ".test_file.swp", + "file_path": "/home/vagrant/.test_file.swp", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93951, + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "timestamp": 132259295566274780, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "XrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "4913", + "file_path": "/home/vagrant/4913", + "opcode": 0, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93954, + "timestamp": 132259295597320050, + "unique_pid": 93946 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "YLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "test_file~", + "file_path": "/home/vagrant/test_file~", + "old_file_path": "/home/vagrant/test_file", + "opcode": 3, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93956, + "timestamp": 132259295597321680, + "unique_pid": 93946 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "ZrQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455959000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_subtype_full": "file_delete_event", + "event_type_full": "file_event", + "file_name": ".test_file.swp", + "file_path": "/home/vagrant/.test_file.swp", + "opcode": 2, + "pid": 4052, + "process_name": "vim", + "process_path": "/usr/bin/vim", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 93962, + "timestamp": 132259295597355420, + "unique_pid": 93946 + }, + "event": { + "action": "file_delete_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "cLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455986000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93972, + "source_address": "10.6.188.90", + "source_port": 39184, + "timestamp": 132259295869425900, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:hbQCrgxuCDyJ9FGRh24A3wQRSXU=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39184 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "dLQfNnABvfrOPnsMqFc1", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581455996000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93976, + "source_address": "10.6.188.90", + "source_port": 39186, + "timestamp": 132259295969595900, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:7fs/H+rEFwDPcsa4fhrcu3Lxl4c=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39186 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "d7QgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456016000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93979, + "source_address": "10.6.188.90", + "source_port": 39190, + "timestamp": 132259296169852080, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:BIOpxpEYP5YYcuCO5qYDSV8YtRY=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39190 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "erQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456027000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93982, + "source_address": "10.6.188.90", + "source_port": 39192, + "timestamp": 132259296270026060, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:lbSE4iBc2vccmwP76xpAEhEtpOI=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39192 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "fLQgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456027000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "imjournal.state", + "file_path": "/var/lib/rsyslog/imjournal.state", + "md5": "0d2c9f835b50037ecb58db338a4ec091", + "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 3, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93984, + "sha1": "3bf1106640d0742b0f2ae2496a1f75f4960def6f", + "sha256": "08b9fb9819f3beb2766f8e9137f74a3b52df42f93b38793fab3da5e2faf94c69", + "timestamp": 132259296270031650, + "unique_pid": 1088 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "f7QgNnABvfrOPnsMkleV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456047000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 93987, + "source_address": "10.6.188.90", + "source_port": 39196, + "timestamp": 132259296470213310, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:A7EZ9c3qcFUUygQBYfs4aQ8DzD8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39196 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "j7QiNnABvfrOPnsMZ1dV", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456127000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94003, + "source_address": "10.6.188.90", + "source_port": 39212, + "timestamp": 132259297271123660, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:bFkUyYg72aBaSClHXHckTj+N4vM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39212 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "pbQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456227000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94025, + "source_address": "10.6.188.90", + "source_port": 39232, + "timestamp": 132259298272277800, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:AvCkUU9w3PGKPyGxKLWlBKmIA2Y=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39232 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "p7QjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456227000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_create_event", + "event_type_full": "file_event", + "file_name": "imjournal.state.tmp", + "file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 0, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94027, + "timestamp": 132259298272315200, + "unique_pid": 1088 + }, + "event": { + "action": "file_create_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "qLQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456227000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "file_rename_event", + "event_type_full": "file_event", + "file_name": "imjournal.state", + "file_path": "/var/lib/rsyslog/imjournal.state", + "md5": "648d5f5ef73e8ccdba1a8877c3b773af", + "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", + "opcode": 3, + "pid": 892, + "process_name": "rsyslogd", + "process_path": "/usr/sbin/rsyslogd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94028, + "sha1": "379676478db415c75c225d21c35de4dc913c9822", + "sha256": "f4536a53cf0be4d771e4daca337982e9fc5116e672606d71eb27d0223c414d03", + "timestamp": 132259298272316930, + "unique_pid": 1088 + }, + "event": { + "action": "file_rename_event", + "category": "file", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "qrQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456237000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94030, + "source_address": "10.6.188.90", + "source_port": 39234, + "timestamp": 132259298372381700, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:gH73QuXFdi87dATezTZ63qBRVaM=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39234 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "rLQjNnABvfrOPnsMeFfF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456247000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94032, + "source_address": "10.6.188.90", + "source_port": 39236, + "timestamp": 132259298472528480, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:7UCrAikx6KeWHWr3fKjEvGaZqlE=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39236 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "rbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456249000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "-bash", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Forked a process", + "event_subtype_full": "fork_event", + "event_type_full": "process_event", + "md5": "59189125c11a18c588b545bb17cd2e32", + "opcode": 9, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 4999, + "ppid": 2876, + "process_name": "bash", + "process_path": "/bin/bash", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94033, + "session_id": 2876, + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", + "tid": 4999, + "timestamp": 132259298495517310, + "unique_pid": 94033, + "unique_ppid": 93802 + }, + "event": { + "action": "fork_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Forked a process", + "process": { + "args": [ + "-bash" + ], + "executable": "/bin/bash", + "hash": { + "md5": "59189125c11a18c588b545bb17cd2e32", + "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", + "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" + }, + "name": "bash", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 4999, + "ppid": 2876, + "thread": { + "id": 4999 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "tLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456252000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "command_line": "touch something", + "effective_gid": 1000, + "effective_group_name": "vagrant", + "effective_uid": 1000, + "effective_user_name": "vagrant", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "md5": "985a951b1a7a8dbe51973e651a365900", + "opcode": 2, + "parent_process_name": "bash", + "parent_process_path": "/bin/bash", + "pid": 5009, + "ppid": 2876, + "process_name": "touch", + "process_path": "/usr/bin/touch", + "real_gid": 1000, + "real_group_name": "vagrant", + "real_uid": 1000, + "real_user_name": "vagrant", + "serial_event_id": 94040, + "session_id": 2876, + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", + "tid": 5009, + "timestamp": 132259298521686190, + "unique_pid": 94038, + "unique_ppid": 94037 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "args": [ + "touch", + "something" + ], + "executable": "/usr/bin/touch", + "hash": { + "md5": "985a951b1a7a8dbe51973e651a365900", + "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", + "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" + }, + "name": "touch", + "parent": { + "executable": "/bin/bash", + "name": "bash", + "pid": 2876 + }, + "pid": 5009, + "ppid": 2876, + "thread": { + "id": 5009 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 1000, + "name": "vagrant" + }, + "id": "1000", + "name": "vagrant" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "wLQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456287000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94052, + "source_address": "10.6.188.90", + "source_port": 39244, + "timestamp": 132259298873366020, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:4lQtBep8SV0kUo9F097vLiWA7N8=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39244 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "wbQkNnABvfrOPnsMY1cl", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456293000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_message": "Process ended.", + "event_subtype_full": "termination_event", + "event_type_full": "process_event", + "exit_code": 0, + "exit_code_full": 0, + "opcode": 2, + "parent_process_name": "kthreadd", + "pid": 3201, + "ppid": 2, + "process_name": "kthreadd", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94053, + "session_id": 0, + "tid": 3201, + "timestamp": 132259298935177580, + "unique_pid": 93875, + "unique_ppid": 1002 + }, + "event": { + "action": "termination_event", + "category": "process", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "message": "Process ended.", + "process": { + "hash": { + }, + "name": "kthreadd", + "parent": { + "name": "kthreadd", + "pid": 2 + }, + "pid": 3201, + "ppid": 2, + "thread": { + "id": 3201 + } + }, + "rule": { + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "z7QlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456337000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 133, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_disconnect_received_event", + "event_type_full": "network_event", + "opcode": 13, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94067, + "source_address": "10.6.188.90", + "source_port": 39254, + "timestamp": 132259299374037760, + "total_in_bytes": 133, + "total_out_bytes": 645, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_disconnect_received_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "bytes": 778, + "community_id": "1:nHNLxc9DdSQ1K9M+aJfzdkjZRMs=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 645, + "ip": "10.6.188.90", + "port": 39254 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 13 + } + }, + "type": "_doc" + } +} + +{ + "type": "doc", + "value": { + "id": "0LQlNnABvfrOPnsMTVeF", + "index": "endgame-4.21.0-000001", + "source": { + "@timestamp": 1581456347000, + "agent": { + "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", + "type": "endgame", + "version": "3.53.6" + }, + "destination": { + "address": "10.3.4.206", + "bytes": 0, + "ip": "10.3.4.206", + "port": 4506 + }, + "ecs": { + "version": "1.4.0" + }, + "endgame": { + "destination_address": "10.3.4.206", + "destination_port": 4506, + "effective_gid": 0, + "effective_group_name": "root", + "effective_uid": 0, + "effective_user_name": "root", + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type_full": "network_event", + "opcode": 12, + "pid": 2083, + "process_name": "python2.7", + "process_path": "/usr/bin/python2.7", + "protocol": "tcp", + "real_gid": 0, + "real_group_name": "root", + "real_uid": 0, + "real_user_name": "root", + "serial_event_id": 94068, + "source_address": "10.6.188.90", + "source_port": 39256, + "timestamp": 132259299474089280, + "total_in_bytes": 0, + "total_out_bytes": 0, + "unique_pid": 1095 + }, + "event": { + "action": "ipv4_connection_attempt_event", + "category": "network", + "dataset": "esensor", + "kind": "event", + "module": "endgame" + }, + "host": { + "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", + "ip": "10.6.188.90", + "name": "adt-dhcp-172-31-4-178.eng.endgames.local", + "os": { + "name": "Linux", + "platform": "linux", + "version": "7.3.1611" + } + }, + "labels": { + "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", + "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" + }, + "network": { + "community_id": "1:Lqo1F38zJ2d1FltAA6flNs0D7E0=", + "transport": "tcp" + }, + "process": { + "executable": "/usr/bin/python2.7", + "name": "python2.7", + "parent": { + }, + "pid": 2083, + "thread": { + } + }, + "rule": { + }, + "source": { + "address": "10.6.188.90", + "bytes": 0, + "ip": "10.6.188.90", + "port": 39256 + }, + "user": { + "group": { + "id": 0, + "name": "root" + }, + "id": "0", + "name": "root" + }, + "winlog": { + "opcode": 12 + } + }, + "type": "_doc" + } +} \ No newline at end of file diff --git a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz deleted file mode 100644 index 92e4af68bf22e3e13f31cea08c3514ce465f0a6d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18309 zcmZ^}Wl&ws8Z?>^+@0XIafgjNA;881K{oCl+}&L_PSD^4cXxMp4ek!XFYh_$z4umq z_0{ult*V(?Gqbw;>1omkczE@737rq0jPxD#nJpY_tUsJ&SSqhb%@1r$6lS~DuvCj| zuxQ?X7hDCAeH8PJEn_Ni`V?TZSnZdZ_Hweqz8F_3!PTW&=~ZB10qZ1VUEDJ9aQk+% zTOpj3l(aoy()e7Fzni_q^2X6L$vG!)zsvFz@=}8dD3&bSzL4?q$|bBrjX64P72%23Gr@j+NTkvN z{aErfH(}Y17rrEgTKJ@msgIzFy%lND70h{u^D-H?R-=sQvG$(BzBb9a6rEdU-!;_-)3S}6K(rR;+QL|Vd{oZR0&>oT4jNOS2VnUrJkVur9D82n{@kF zBBONJShAoXtRi04GQ-(&?Dy<~&M-0evqVK`)rKrhotU!IZ1>D=H{yZukk3=$$k(j3 z0u`&w!ij|zU1hoHjospHv^ro_c%sIf8E@8QQ{uO%AnE(f+N$h8Te;dFp->Fuj?JTX zl=Uzrvn<+P=X6z5VHw34?z`oNGLs%?k-!O;BI|K7{I@0M$c;r$tPr)RdBc)K`%L>BNoM{@hM<+{vSE|OlpA6~{oN%?2 z7t%U{`3lu6(nXyzE>C5-w}Z}bIq&B?{{Y7L12$IUjhesY<4U58)GloUKw7$1EW~rugT;XmODqWD( zYi6Q*Rqbf5U!|UhZhwB_P4cMxBS@RN^RFc2@t)M@nNtXqIkZhH2XWzl^~Io(hCB;G zcJe-3e{Qxt(nf0hZCP$r!6IIPmzB`1FlNRR=$nL529!o?Y8Hp$hO}v8#;9_ zZ0)klW%cJjo2)*CH(Sqk*X{e4w|OcvZMLb7*k(VA{DvowA;Yx@ik+vwq3jDC{eF`j zlbzmW5Neuj8~WCqxU9azoxlR){N;9Ak6&^v?_%8Pt*FFFj3oY$XaV-V{a4QNB5lwO(wm&qU21;RLD>9 zQ-H}r6ykh(-Z)n7V5wCI%0_|yp|wur&t}StfIGX5BNB|e6KNl~gm6pjYcY_?{&&To6sX((><>;Fs zXL%HHwc8f%q%o$(3?-Y4%y3+=I^5(`OMY(OtZ}3ogd4{wy3HJFs(?gmd3=f?ic?tT z6Whiq<3{RA9nO4xB4mfx-Ttc#LeU$gI=js6g?F)1P4VyCH7ENSb?@f$i!0|lb5v-P zaC{1!1@cQ2QEGItM1j(T9!R`@Jh6e&^J0W|?pV z(gk13wzBG&3>aO66V3&jJ-Rq}mq8&-j$Q$;;>a7`Y?v@4VYR3!A+fCDZWwWyp(#~~ zqabt`3R{KV3!|b$y#)GT0jrKS6KR=#6(jLLuL&~wu=5A@YK6IUgMO&)vfI!`cA+81 zjztwec>|0<=wh+KV=x!jiTex74yNgpko>P2l$K2GB?Z8NF?_nGy*5?^4#wOPQf)7q2LPnuK z-AA7@X1MwCRHUagrI^Mcf{r35#ZKJ+d}~%T+{>0R$pFLK z?MF_ezo8C)9?O{)qEbi#zNmuoiVyh#W9C89J`9k2*fail+n^!ewH%~2bQ!0s1MB$f(5(8QaA zL2#LkX^8uzTdJf6oRBX7r6@=>0jC&cn6=s%Kl4{>IAx}QXSd3q-i4;Yy zd%|YgOIM%L##qzZK*!5}T^BvgtaXVlBak|3+y>8?>*dF1zdqkW)s|P+F{5axWdhqE zQt_iS=G{=r>Uzy0DPc4LsrZ7OL8;BWsifRU9DE0R+hg`*diRQYqoanIiNc2D2jkYq=}k8Fm1<10{^cSgZcW$1T9QM9F&ZCQ|n90LG6`xT@pomRTm<~MP5g)*V=b*tP zrb&GXPERo}gUJQ9uwjS~__5-Jyni+Rx9342FX5-ww#&j;ei}*sW8G+m7R`MoMW&Ic zXw6StBLLovgTGE-K(Q~t@4ZaZ0URD*U->}M$WfY>ijTvNA5Qfq}Nplg!yX&{Y8f?#Ry(*=R1$T zl)d#nK17S5+b$fyoXP4%BiMd2(i@fwRaM4Vj?r3OEdOuq=zbQaT!&kRek^5-pnZ#Fa#}QMx~0i2iYX0O@KX>yBJo%qzsCr4lqyP zJepwCCn}nv4_nKIR?D`B%+X$acGi);u6NdOGteVg@vwXFhr#P4Q*5VV2j9fCK&?&Q zG#FgQ$O)_31_gowjq`yDgu5!@jqYx=@IZ)RFkgtI>=C3erLMvNzcF|PmT$PA`s;Dr0NEs#30GF$NWn}@Vw@}4 z1mEZdnrs*bFkCfJ6~W!^Dg0Y^<-6ABO zxL4M+ueZyaQ5eDHCZKD1&tNHgzBFSQl8pk;71Yy6pmE4PBSX+z02HIfOZGU87Q?Cvz>g_t@3ye4J>mR}a@_G@V@Uu1u`?XM8Ubieh z4|9F+?S0t4x)Wk)5P`J+6(Cb$FAI-+Ub6E(*RGZ@DK7U45?8eI@)HWN{lz2^i=N{P z2Q}pD`cVn_@B;=hLICzcX7}_Mc^ohhh8)+g6PT@~j6@QQ5Y3qVSwRyzN7il+D=Y|= zle5>v(0kC_2x`lixA&WuJkJ(15(t|<5bIFNQ$8PY*AS=g;Li!Sxrv>lXeVwbE?j-2 zVdokF#9W(7?KR_-S|Qrfc31dt+JuTG8KFh~m82wVLGy1zYWxrZHcdH>NAeaL>tjpX z^PnH0^k`WPW5tCM>QZ@(_RtHAoR8>KBV&|R`PAPvhz$Y(xaAwt_ObMfg>1%Xs!z4X zQe}RMLmA^sImfR=DxQ**gdiS7xR#HO{;I0%=)GmtzP=M|=*X7Ff|AucDr2JvCXx#6 zc68*=K7j3Vch`>Z#Y?kuQ;l(}K#bE-cjR2&yUMuwZ4dGRjcG+&tD;T56**YF*l2RO zZ~Q$K3*&o{BA)DAb%!*1p$^rMG#LU{U3+rXn>edLGANG zY@vFmUo&sq(3iGK`^1g$;q)!ww)z$Os))Z3Qh1sV0lN9n`39%MaxvEiyAf2vrznhu zJVVK0#tQx{e2i+jPsq>awX*0)T(+69AHDproT|UC4y#70qf)Ydto3J)^o^zaQ7H|uXJz5yAnvdr;S5o6#gi1qcy_`;E z&$rn#=IYj}3&h3`-P|ghaa9+X(M?RmMmi!>t#+uHm6S>uCAyC^$VU4BqXIIoODKRJ z^S@gp`8^~T?|C;YN=Sw4xk-efWRhB%lg4g@m}bD*D@>Mqo9USbPyhr#6AxgBrbYpY z&?zuX38M7t>m>%Y2t)*eBn~NcC$b5YbFvS%Rv>hTGhY%cO0O7UscdjudZ+Hf1lbS( zDXKIDNH7b4Fl7_!&GOC+)Q@8l){li$yXqHzdJ@SWGnjh}~T-d!sE8x!t zSzOBWI*#I^+A4g)%i>{eO_ru?xMujFz%HTS+>h@|ivV~KhpflsuIxGQ$6ArRHlkX0_dNBKQXL;nU~kis_B$9NSS8A_tDlWco!tj;1#?bnkNRMFBxtq^Nym zqaZ4Y%3iY^M^!HT43%hV)f{(aIsLG2!XIf}+Uf4)WFntAT74RvT{hTT?6~2%r}oFj z8(MCE|3CvQRwsYf=bfQAaZLK0Q726y_euhC(4eqtP|~bM;cO=oYWacNyLfLG2thWZ zWvj1?_Sy#JD~cylEFztBYGE`mYYt;boU0zEAh*Pk-VO6&AJY(7OlBE4TS#ZowwG1TDrh%QPj66W#* zhK>qF@GDf-qWGEeuTS}$mt&J#(b0&G_RM(dW&m&;`_BjTp5aoHiXC+xA%tw_yBLMx ze_J;TzuG5%d`3kV-7T7R69~0sLVE9CNX_4IEVp z6wzN4WH>nQm@PpTfs4$DJwY$aBbt4|jBYJIB&WUetaS^^HNNmrcK&R1MDp=Z_KKif971*>H2>ZyXn>6%y&j% z{qSC_sK^PpZBU5f zue6r^Y_8M1w|T$kzx?AT$O<0~qw35)cAR`uWO4f@&l@_k`L!zoRq*ZJ{hRW<>vzU! zh_j{lo*q|z*{fb8LW135$?d{ht2v4BU&SyM;_&ND_cx5gUQ;k3M;~%r_;KvtU@|Ot zaxc=bPAIL5?wyfHpUm|gnN;v8$NY}Wif{j~fcJv~LDk`Zm~POG6!(*)DEqWW4nTe& z^>DdM;F)Cl@T^<4w<{#;Wq3Z~)nkVziLcgrJNJDW6o?^?Yxi($vmN?H3ciT^3*;K8 zLQVDsa+bA!bC|p8E2RcKT7{R2#d0A|iztMlncS}G|E=V+ebvhur?LinIg}*yVk7FG zgwG3u$vlFEDQq#e{EN`J`QHGo<*a8={ZNwV!$o=Y2s{+Uj5-l!8_nXc03jzuVl*ge z(=cOKRCP}kV^=+mr-PE=;!7rdm0f;n--#&B!)UH5l5|d_=N^?rq*48_-}F>+t|Y@C z8*T>o5fw%we~24xY6#@PC2@4bQF?D~Rf&QQSQoExMSZWxPWt*RvOzR+uS|8#)S(jh zV<+8}MvXhU!Q~@KedE5h7WCwc;5Ec8@tF7`S()9Yx@5zT_@XPd@{{*^D*p1o&Gu+| z3r9R|nsS&i1&2PIC%TD#5Pn@A^5b!fu7~Cd+RuT4^UCZgj{DljMFUvI)Kk>I^b0>( zm`ve3E7V#t6L#cAgmwJ^Oq3CHpir>bXth>~Y<^#hpdl(X45o%sSv(s8+sMT}+&5gg zgou8|^Kv-i`%0JhK6RDV_1MvLVPli9>;+X~b9B@&sp;&kJv}9#g#)rDednXA>NX%9 zXNAB|1zhPkRq1fj*f=pJ`MUvo+A`Q=Q%}IxcB?w0eSVwuc=xK4b^RxB4Lw1g{?^sY z=Uir#m;B&X($Hvi>Gv;QP8;&P&w_H;90}+t5%{Ni+aGO}+YtqmIQI+qLe>X09PCls zy4RKV6lK-yP=i`^%MCeW??)W%8fvkk13RY=se^?V5(FiN|x`LrlKY};ivYJcTjMlXeV<=s>V*m+?e zFrs(sfMElL>BZg?l79G>q?iz~_tKgAJN|y8378yzZ`p(oipNn-L$3);F%C;9p3&cH z)qoiS6hv}-WRpQR;eFqn9b;Qv<&aM#l|4Q4ac|dq?yhzo^TIQ)Bd@H5h^4_U3@xH*^=>&Wb7M^li zEOE$*Ygh{J1CD2UYR+C^)o86jS0EkglHGql(#X^|SevHE#Re9|tD);|wMWl&-gB9^ z8CJ&RCvhR|1Vl^T`MDes^1e*gOz%f*l#Lf0USlO|kGdu)l8}$P`-@G+b`P{KSn0-X3^1})Z?3jozbw9bT~1PTt?`+ z<(-E-`WuEImiL@ea#*vL-5TMH8lV*DT4x2d67V|Qrpa=MZ>$(;@I`krv&lwla5Gr3 zF!XtET7YUP1?VafpgE6Z{?=9e&^0H6zKWU;=6P47u;sv2B(qKE@L~~%KsxS4yP`iS z2c6{IQu3=GEENtW*P{a(BR(S;7Vw%T#4pJeoZ@vEpuP%9=LVnvQ(=$yYKLxaCV`LL zy41Z5SP-6@#mp8 z3#Io;Sh3afnalEP_Ec-zI8)cD@{90#T8;Cua4F}?-2oH{Y1@GV`dehNn^BR5f3aI* zb!&P7>W{62FUktqz3R#i{z2H^snRt1h@L&Zw@=JoDk!L?MB}RuxD>xwyR(r~PC9qh zX0Yz~gs=P1eA#qierTJ_OYS_MI`-R8ekN%IU;a!E-FQni(IlB{TRU9)n;XY%;-57| zPUBqM4VO2@sY-ywFRc&9(35D-yImfUe;KL(Dy?-g`mPaPd-;@4?DqSs_Xa(|&n*{% zpIBp|)Iwq;_s|d$JHfoq(3^g<24_Mbh{(hisSR8)QQvTTB9d*2t zDCzC7*mQ{6F^|K2@3IgeWCi{60n-RpCYEyAGhs<8z8hAXOfJ^sHGgR4kfC$$$7Ft7 zo|yE=MGFV&(;ZoO4 z8kTa>*Eg%W!}W*>rN4kPnCsH#kb8)vLYCn|swH zyKVXq)}B-Bw=Y>7+{|mrxwI|#9IZTgc#TJFoVjA-`zD~`6v=_kZ(rJ2*!Ban7f7Sx z>`W`d_j+5If2B#4NXDpiGk>S&Tc+C2j<=2n@kPl)bNl_=Yotpg+N$1L{l2fbV*(7p zt%U)ITasxgmzYIK(P;GSJNeDZvI{)+lWTAYeK?}6=M%yyD|Y60{aLc_^=IpJK3fSx z^jMPg$1oH0R9a~+r@#UeMKV^IC_AOOScKF&RB^mbC*-(C#mG2V>%_`PKqr09;}!Za z4Q(E6QyB{6Mzu!sM!qj88yG2wsOWvE$(ZXn2WCbiOK~`ui|MdZ$fc|3RA$$qPBy|3 z+$V&l9^Ql?=W`gQ(gAXnrj1O*wn_d=mOFj}Ejv55ZN_(Zqz9Wc{OzvRTAXO~Kg_r@ z?Y2qcjx~aJfoH`kmaln$ko~ScOu!H)E*U5mAjLiaA!3@A`vOrPj|U8hDgJV_C;udc z2>?@oGS6b=o>$8SJS5RHS6qIgoy4h~ozPHD$_r?MmOml`c$tQ>+B8_{hR*8UI1EZ4 zdH)@71A@%t{u~I{pEIzf48)I;oZ7tgxzg?fh zmtr>rvB&Pz0u)wD0pNDrm^%sL=d^N+(H`f8Ny9xKESL5IjgY%WX5AS42x$U7N*_U! z0%ijNvpR99lEC&TW!>JJ*M+ophd0XuwoidfMlq=!@mnhjSoM>^Bpfx=Q9ku?cVh86 z-4e^W3qCs&fnqj!UJx)D-rtw~Tem;lj$pX5!o1r_1Ahuj?QaPg^Eo4YDFUD33m1)v zKcgbU1uJko1Ao)4$*<`8yhI*X?GLp4-6hn6 zr?Q)q506mi^jww}QyEvz^a|urwzvz9$#n?>mvgub41l?zPyWJ(KH>2T?b+at(Wj^! zfF1c#<}AMeEdNlA#2E3W6Kwn)t@Ck}8mm)a%^iM4>B-BD+InM#a7OtCQGok$M2kXJ zq1YI^5-wq;%Ed+(rn#e06YK)FEn~10AR@4<0~`kGsF$(C+_625omv}Tr>~3Ap_Q}X z858!U^ldPgVDF$dUL};5}w2w_57hNo(RoTj9~6Cwo(`7_`uJ&7c|DNdH6ku zQ8JdKD0)GX4S@%9{IG8mQNY7!&MNG5wolJBlXGG-YGMZ#H;;iKIe7<3;2c6}zjhHi z^aQBg7HrzYm-(vnbM+jc0kpK=d}mA0{h5Eh$Q}`?<3bCXps6YA&GY%e#nX#uj=Qg%%#Bs;x48<33C{xac6%YtUN@`FF^Ay;LSjV%kGZcaVMEBh$K zvJ^x-GV#^a0cO)aqYjnmz9TV`Or0{cuzxHGl@GF*VDww_`rsny@Y_ApN zC6W4P6g@2Hj?*brFbY3wrt>n85YG!myIsA`emIC)fbEgsk)j~C0G7$ZkU*his3e6!ZZB?aArglMxua$o((x_6HsHy~} z^@}|$c;emIQluxq%a?^K*_pYv?>e#;+Yli+w#HSh5eakR&T$DV1?&CwvIwSk)8qU; z^u=xbC~^No2aS-M#q+pD)R&xxw(5dtrU|w?3~<#|`U1wR;i7W?486!8RW6J!B6(S& z&55Ffk>^*mG=3#)qVAm2Upl5Z6FJK{?Gs*G?09bPPAP1A1`2eyG$qXiHbiQ`aG{Wy zJrcu%9GNS{oW@pCU{Yf-ENoF`>o4+?EbFPoaAXf~fuKcc$?faqB;OghJTX){?PU3W zi1TtiSemkv?mGd~2mg^#rMW(>8~C-3oF|v!dBH1mVWIXjJDq!*@gNf8d~C-z64DQT z*qUTnN3So9-jp}xEp|_pZjRrD*9@GTwe6yv(@c<(#7$OTR@R@hl#Iw*eE7jZnc{5u z2)mq$I?5y_;X`YdLgS;AB-<%;fz$~Ose`h#6(99+Ra3snyb7>yj7hYK5zX)my?Uv1 zEOjidS+DuDLCctE>Evdc8j3@#RoP?^AkZLxfCKZ8BVyg$YM+OaSvYOaf3WQ;2B7Kv zn_^{<_fo#xn%U+YO2Eo)VyzKA`^jY<5?NkB+XfJ9a2BK+`kCa@4h_Oeo5b6KmXR0NrWQg-CX>wlX$=A;eLsMqtJfA@2e(&S^0Nk9K&(Y`~56%t`tGvCc zO@sf|HfstmH5ro)Sy2_^OWA8c7Um)WL*aCwqCvm#bbEdF*|GiYl=KFyrpiySTcP$v zgZTez1ypyw@60E1)mqk1jAxcx65eJ{q^B)=t_QBV?BVe8EvzK46jBs!%@f2=Bi9EQ zm*!$i;r_2za7!sxrhBF~Tj!J3mqcO?3Jm79BpbCy zzf`s3gR&p#F1a z-lVQviyC0-NY~|=&qEW-vZPy+Z9)?*N zg#Qc&sElT(7?Q8M^H74kI#;$~gK&W@D95z=#Ky&}_=s5EQ1RE8t4cDZ_@YDlAazOn z*JrZfUt#uBP6^tDPOAAo31<`6=W{P-_w*{?Y$uo2&U`s)bRd;CF>==Ty;0!V30Z^=~?r=7Y|MlAc1 z@}3Wee_dLb3Nd*9!v2;hJgw;PZoNHJULo;m`htI#a9N9pZjWHlt_p8n=7~isVRZ1T zT@a0yUBE7oMzdA+i|u3+cg}_omR}qPO#-)*pg}gC0~2*A-uPh&9u!j%s~N0RO374kPc{Ql53bXdaCTCB!g1T{;H#3)B$%mAchC^~OMeDz&5ghgguVeJZR|aC4pLYz%tDqX^x5n5KR1 zawg+L@Ra2?^ZBgIjB%$I&gTm^*vRMeRrijQo=cZu@XyR!Ra~Syi`!Ei{0xU@Q){i7 zH@S@`t__?|9SbCqWw>^Iu4hr1Pm4s);i-Q%yoJ0Yh5{<0E3qPTd7Y~$PkFW;i7Y{0 zT~%LT7PbnH#xQbDc1CnXI|_C;`CeFwx(nML^o>FWo2r0rFCNlEL#{GYUEN})H&0b(ik0mLEn(P5}W6p^*D2$gq%cikyrO`$bGxx5Ov@}pfHl9x}<@qc&Z9!-fv zK0tl+gCGEXNJ3*Ic-xMr6kctv2vbSY=5^lmJfFIJz65w$@i4Hra!Lf8%zpKFBf4nH zp0T3NT!Z(#g6INxl2Yo`D<86|tb*lsDI=b&_2 zt{}IneAG7}nYj5HU*UX&6SXqhYx>jX9csgNnmX;>Sw)`ly%u!81C^_v110^!MCO zb0-_8z}{;Z;*-^z;K~*0ey}nsc%}$oECB)ZB>;@%$SpOPWeaAYQYRu7%qfcdBfG5` z-rK(fD(u}~;F-OJOz;NaSmF7(CE@1L9L^;=>)eIqg^!2hxRfrW)LcBRC^-)3_D?{1I7Z{3@SxvHSr7_?q0BR)16Htvti0K-tak8C5CAJL5wzBZYS zUUhD3+uJv;vwJ+DIbOsQ>k4p}r@Red;+^`}!wVj;a(!u`t5|m_4&|^B}T+c%zWj(7DiD$Le4^VNqw8Ocq+^s<=gsMPyTb%q-7{BD$? z;CABwdT{-WYrnUDwv;_lUcDTYY`xsYkVJFEw2fPPRiKTJ@|c)QHVDW#ytAZXY7~$Y z%G@6)n)Z-vLce6kxW`mi>+*{%33*6gCf4NdbpUXLe$4uGXZrT199Zzt=We{NIIL`G zTeol7W*q7GpjlTZxFwwM6U8581@JK<208-#V8r#(1R{hdK2;V%AP#Kpd8?S@LO3 zb)xxsVL{nY%Aw|{&L7^RLwBT=Q0CsN0L#B;rB3@U*7MxnrE8U%>yL5mEZ;=Z+sxxR-i{r1-upAO`cE$Y#t7#*dv5GLjrsH6QO4qpHrz&DB~k}?8H`I=;P-oECu zAhaRAKees$GIW+PGxqYbmZ2T0!KD>Kx8IC3<#@!pB4<2+mjL(=`|tV>X#fgo0zmRb zP>G#gsAR)bfMJkfQfF!nc1^nFbh`Ygy;{9t5|D*!)tB6oN)9m(;k|h8^FYVoOUeNz z(*5s%*_~e+1#s_8{fi$kIT0vKYJIdlzj6k)+~3qRJ&jm7^t9Q&&gIs<^8*snj5XG;+JOrmmt!t(ocLW&HrE~Xh3OhyR-bb~m8Z)@R6U9yYs!g)fY55J zF@M+F)ct!GZNq%FEmXsR#BFKtcw?P9p8^zBJ|mCc`t8M!&wN(CK7zSmp1ap8rLvln zwS{yQ_6Dcb0r@L8`~;%rLMkBGUYJ7!%;mkhtr(pMa1ob~^f*A&A|dqjp$sz-kN1t; z*C9I$yZxsDqToY(&jP4!rJsWg5%BIO;(>t=zCm~??rD+1z%JG}zSnY_gd*$MvIbuRerAGRx24wPR-&yB1Z20bZQ zRLG;(3E!|oeUOFrGnDqY?=!x^h~M`orN-vu-2S>OESOB0p%UBveVujo_iI|8wpUcf zOsin}C#lzq6-c{O2j^e4ZHxzc$BD+(eZbJ_o9fpU?C&A5Vnkwz}jPf)%U)8-RMjku2+o&I&ugwdtfbug(P-YU#c zDR!qFBAJLCVpa!OhJVleep4(QCjTixu4t>lZ-CylEWtp0&*s)zloFmsDI1@~6-*x; z|C3XkXDBR6-6O{fqdLUefX?VTvzB1L8nGITV`Ldj3b&MKLsH3Ac~_(E5lEVnUK=8( zY%|kICl9qr`9ljPNVpqAU}AmN(vF_4^#J9SAXwpD!Lqh;ldyVz?)jnoStz0o9X%%) z{+1_jFGlhpC`@tx%J=$n4oS1u?nSx~vcnMlR#Ryn6veE_SdI7?dJajXPBr|kxK0UX z6mRw=D*@>Tf(74x4w-hCl+*O!3ZeAi->euj>!i9o7v7d{HM%GUs1?jM-mAFLgcqBa z4`A1q3pri2NP0BV>`o5f#`Z(rci;rv~J z52D8@nECm;Ji0k{A!J@2Jy!>o4F0`BLGZtd`&y9X(0dSm??_}@Fmf0@su)hskg>_5 zAvpI-=PTw(V_119NTehbwi1*Oc!&*K#<@}zHnWRPBQfCqsD5j2Xie%Ri_PazqQH`L zr;K%ecWHa!lcoqbA{(WVEe{b>Ei;sbaXg2C zDxi6k_E^9ew$jcfN(M1Kq(z@UL6xNX9+iF`AuPaCD8nPHw!y)#lH~E-UrKW?lcPh6 zzJiKH*96>f$uTXV8--00TJ+%-s>)7RNto(e_VpU#X^iTWsh`~?8aPyl6B??9jWr>C ztTX5wdC}yPX+^Fx2$+&lW8m^jE)h2bF_66MiW{zc|E@7+Q1*FnbJXbzD7MSIF)OdM zFe{H>ML{V{$Avgd6c+BldF#+w3_sm)Mdy@c?Nv+r=~mUo>Wl~jyug3_+}AW#Q28ux?L_~YIV&@&CH6TWvB845YDn+zK^r*gA zz(8lTzy6PhoE|CqIu=(ZveqjqRuP)2?)7tTZCYxYoF|PtQ&Em@sE)ZN@_30e+PAI0 zf5VG+K6--OGC5K>9a2B)FC;zNhE8d zRzs4MU*1tuBrPi5q>A165L7dRZEis(_g-TUG-IVb9cu1KBiW|6kHB%}3?X z9%f5fV(6L; z=Lb(e`@ejjk2YkF$ZLunvmuCuK1uhIad~Os^-8q9R-q;0-Yl`4@$y=(s%S~>V4kUY zX*ST)&GREaYy(b{7pF!gu#Ut!jlzK32E!__IiUtT*C}VA63dU0uWesFBO=+0T2Gd? zt8-0*iAD&5D9daogXu6;Hs$d{aP0i(gAKCTvNMUu_9$Mif9)$e;X zf$IBn1()u#p{d)h`JJr72v_~wYI zR>7E1QZ*f)-e1(b`Qk`j10fk`zn%Ly>hG=&2s+NBJ=zSo)$TB2O=j{y+5B>Tz>bl- z21fJXs75xNX{|}lo=V6kReMGZlldA*KqQKpMHpv)H35e{6&(6rH>OD(70c-1E0?xr zj_TvB=KkFB+}z4fmwipb{Z7bO`3{)_aZUQTbTrZmG6)m#KUpQ-4FKqf9K|mi?`QzZ+rdAA?Z$@%wd)AM!;)33} zcp0AR9avMvYOCkQ{akEX2SCbvi;)GlIoy>?w zv%(KmXbi$;*ibNqb(F9er9Wz??MTgm-`H?CB~$D}qH@9wf8~;QgXFDxmyt3w$sAOi zv1Ig<%*XMktN?MSx}mMv4mK=I8Zq>GOg$0ZeaWuSxdaOetOdy*Kfmeb=%|Z4$)^_>%mQO8F-_zt#TK zvF|gUJ#4qor}$8WsF4?~5xylHb{S3zoG-C=G@Vb;e`w>bA00(TDZ^{=Sq`ow?5!jB zMf$kPi?+FkSec2@NxTpuX$OMtDQQMSgSPea#q;x}VS;gWu($QN`*Eyv(ooL@u3aco ze!Gm1!$XB?M1iy2Z=M@>glgojCWi$6Qu-(2&r1W+K?7CWea)Aa8OFx={GKU)PnC0n zyjx?{8q_4A-xA(*9A8?LWmM~(&wH0iuoJmtA;{s=i3XjaDMmP8YhQT-?h$=CX9Hz|mk^jROF5y__TzH{JS4)=jorbUis>=S=z+P1& zf416BnzduBP)E+S@Q^PInNa5I?`S}#2n9tI51&9r8g?9}7<*7GAr4J}?;C7*-4QJ6q*gh^22cvXQ$7&qu4CUkM?t*hj9>9Bn5Pdzr~Y2DPqV^*KJFH^~HLV z82Vy+gxJr3oc?b6Ob8knhKcjgnheEQ{p93;?a{vfqMcGy>JCoWH+0&M7SMhWY6BIQ zwP1KCjY^R`#G~>(LB&K(oTnR+xkg;ZwBgLZ1hsli8y{<{7Hiq`*XHiad>U*rbgn&q zJj-|Zn6LNq`&^xloO#5K{AfH2|ALeR1v(pa9)#@N7P_*+KxDC$s$u~MV1+?_>8NXQxx8e)6u%#NM4i3o z&bXDG|B(rD-~&&rojQ*~_WFVeS&cICiia2>dsjw++U{x<1&Oyr^3?P3Vd5~KYKc+@ zfixrwi2+#TJo-kCG|e=7FA{>(vG<>>{aZI^NiDiUm;=xzS`{}TLQN}To6_Zh9zN$9mZ7-i{uC-PcZ3vw{T9^zP^(OdEe=`| z@RE?Un&8$}WDqg?%qFmOZz5OvqG)9A+c6Vu@lvjkteilP4sV5u_#k9m{0n(r9U?Qm zgb}S%cVBfpm3?>99tcgD)24_E2u%`bjO!-N)4CQj8!n1gt@a z5SuKEuW*cNM3`}c8oHo^KVivg%DrbN_{ur!mFx^~CW1ao8h(r~ac1<@_}mHA>2Ipn zwck&@9Ki@^8&&TF7GQOEUgT^}c)WV9x@X>8NlBxZ$X5H_L!Tq8*O;HXEq<4Scb!PR zd^f05Pzwg$xO32$NEJ)bnMl7Mc}0B9k=gMYNa9)b&}BTzY7xVscGbOTpSWn()jMl; zT*rg-)|`Fo<2lXsh#B_C4{-AME`=E&2@~^(9CMVGHX)|KaA2--{72!y{MOVV;5WU) zmAS&Xd47L?XX0e!4Ud2a*-b4J6j&X~O;zFd|E)!Mnw%*)%v42m*T9jQ;r^ON@LzZ7 z6;zX?`m7!`c5jyBBkAb}B>n%arD4|x_hVxhuWgglfEFMliOZTovzNy(QLM>!9@z0x zB(2&jfod#%=E58?j}Bc&b{e{mM$uD)Vzjgn)Irjqq^g&LLt~gXBzlPe@1T!RGYDa@ zarRz)RTqBlL_=Gfm?QSKYplNq5x+MzP%>O4e-n@w1>$!cv9rV)$RX*VTf0#3IIqlm z_Ru`#`>oNyZDTm!6vtBPT_8q(() z1#8HA8UZXUiXmwdhQ-_hv1Y$a7e-|y!>aE{Y+GRJ6qwW2>BGKnK2JLX-8 zqaSqViXyDed`IO!d~u~PT?qz*?odA%1%Ak;+*%FYvMf&_HB@!H9T&CPe`ZNF|6SL@ z2{Tm`T$AabEzF%!y3f6IW(2xIx>F_x3B*^?z7zI4WrIKv@`N^M1!|E0K)wJ~+-EHM z66MT)BL6bt|4#t+1qu3+cH?CK*Wr;QX2tBSo^E~Kawi|Zz5JJ5zXy_Rlq3nB>#XK< zNb-kmf6J0&*oYg`AV~rw2_y+5Ip-uvvb7{nCrLVvBo&d#U`SQH;1@^|NOFltvURSM#CgYfh3D0DVLcfm#03iUZt8bWoPx&tQDnf zmZN4Z0b4eSJc_g^<^)yX(vvF0K*t972r9%L=|eBJ!G|t`51pGDbHUQv9eIe72IZW$ z1{h@=t#3 zLydV%udOhgx`=E#T1uS$Yn-9!w2B1%|LvVyQ`FHI1Gh6sXgB0<1@2wT3Q1N$K~O&o#QUSUb6u3CVi9upLn zu!rlU0jOiQsbi)65H1fT?R@{cWxGn+{S$Y8axUoY+mELP;)a^u55cS3Mv~*?VP0ZC zgh5ljsvXT{1kwc3d|jlumYufgZ*yrP8_+j z!?OX+j=moJ_|u%<_78wG8z;@J&USnz(o8zNY0~@$r-dG@nKXB~rg;A0n`?XFMR5Ey zzb9sR73ZxDD?08cYUn2;@6+-s=j@)@E2O3t_Od9fMZm7$t+MfaSPJDDD~$ReUDB_MS@@fshM8^?{L4kN)OS3*OzYr2zm!k~<(X=4yU6`E zueQ0z${@SZze4`2BsK!Yaw;d95ltLImRo_OC5c6fA#D-SnJ`FkohTgGo~h+jX$Z3p z3o9_Slxr%DGfZ$q6J!#N9ivQfmJ*4DcA6UEyRp=9ni(sSa5*(HeQ~7KoMRd8(Giws zpBadvu_)fIP&s6^dI>iA-Avt;_5H)Q{WzOFp8vm)i<5U&u;Dc)h@`{QRdt{4)3) z8l|asE{stHMCa$mBxL5)^`h~p-4Gh*5yGzqjYl`%)2qGV%{Mo?>Rw-N8zlerprm{L zU7dYXkH{l8_*S@cS0ZJ1*BxC%V(ur$i%U#5{t{oUxX~OZ*hp`X634NY)CrCa6?x^) zC|;A2vONP{bA*=1>+!$PLhjsB&rO7E7DNdw0NK(QffJH4DTp^;-lBSXby=b%(MDJ) zaGD94syJlRObFysty5wU!8*wjnR1(Xi;GR+aD-cB1s702Gp8X{83Ns?i0g$_bH zN3ltaLN+H@C=u2PD?zr3G(NV<Jz4DkH?J?gd;ylD-bbut&IV@xzPv#fyLfD z%5R!-EG1X-eUenk7@ZY(w(Pn;xFmtd)=XqibxD?-gfZ7zR9K?kwTd$yk*NZw>V>Mp zZI++>6ztjr;8`oc+{;dX8emRN-Ls?(QAkh+R~fj1vg^a+_Fbyq*-ssOq(A&--e>o=_x1eahatGins$|OaFvxv6SW&6 z%^giphtd{M+Ts;qX0Y?((=oFyJ6$u6nM#xD>~tt?0ff1;gjr_E_U#RBQFZ^GSlsH5 k_V-2BKOUlY@&Ex#He1?)Z*>Ct!lf<#2h0nzfx!?409PMg@&Et; diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/alerts.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/alerts.ts index 82d844aae8016..bf7ed711b75a5 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/alerts.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/alerts.ts @@ -4,7 +4,10 @@ * you may not use this file except in compliance with the Elastic License. */ import expect from '@kbn/expect'; -import { eventId } from '../../../../plugins/security_solution/common/endpoint/models/event'; +import { + eventIDSafeVersion, + timestampSafeVersion, +} from '../../../../plugins/security_solution/common/endpoint/models/event'; import { ResolverRelatedAlerts } from '../../../../plugins/security_solution/common/endpoint/types'; import { FtrProviderContext } from '../../ftr_provider_context'; import { @@ -69,7 +72,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should allow alerts to be filtered', async () => { - const filter = `not event.id:"${tree.origin.relatedAlerts[0].event.id}"`; + const filter = `not event.id:"${tree.origin.relatedAlerts[0].event?.id}"`; const { body }: { body: ResolverRelatedAlerts } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/alerts`) .set('kbn-xsrf', 'xxx') @@ -84,7 +87,7 @@ export default function ({ getService }: FtrProviderContext) { // should not find the alert that we excluded in the filter expect( body.alerts.find((bodyAlert) => { - return eventId(bodyAlert) === tree.origin.relatedAlerts[0].event.id; + return eventIDSafeVersion(bodyAlert) === tree.origin.relatedAlerts[0].event?.id; }) ).to.not.be.ok(); }); @@ -135,14 +138,16 @@ export default function ({ getService }: FtrProviderContext) { .expect(200); const sortedAsc = [...tree.origin.relatedAlerts].sort((event1, event2) => { // this sorts the events by timestamp in ascending order - const diff = event1['@timestamp'] - event2['@timestamp']; + const diff = (timestampSafeVersion(event1) ?? 0) - (timestampSafeVersion(event2) ?? 0); + const event1ID = eventIDSafeVersion(event1) ?? 0; + const event2ID = eventIDSafeVersion(event2) ?? 0; // if the timestamps are the same, fallback to the event.id sorted in // ascending order if (diff === 0) { - if (event1.event.id < event2.event.id) { + if (event1ID < event2ID) { return -1; } - if (event1.event.id > event2.event.id) { + if (event1ID > event2ID) { return 1; } return 0; @@ -152,7 +157,7 @@ export default function ({ getService }: FtrProviderContext) { expect(body.alerts.length).to.eql(4); for (let i = 0; i < body.alerts.length; i++) { - expect(eventId(body.alerts[i])).to.equal(sortedAsc[i].event.id); + expect(eventIDSafeVersion(body.alerts[i])).to.equal(sortedAsc[i].event?.id); } }); }); diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts index 92d14fb94a2d8..f36d37ffae239 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts @@ -6,14 +6,14 @@ import _ from 'lodash'; import expect from '@kbn/expect'; import { - ResolverChildNode, - ResolverLifecycleNode, - ResolverEvent, + SafeResolverChildNode, + SafeResolverLifecycleNode, + SafeResolverEvent, ResolverNodeStats, } from '../../../../plugins/security_solution/common/endpoint/types'; import { - parentEntityId, - eventId, + parentEntityIDSafeVersion, + eventIDSafeVersion, } from '../../../../plugins/security_solution/common/endpoint/models/event'; import { Event, @@ -29,7 +29,10 @@ import { * @param node a lifecycle node containing the start and end events for a node * @param nodeMap a map of entity_ids to nodes to look for the passed in `node` */ -const expectLifecycleNodeInMap = (node: ResolverLifecycleNode, nodeMap: Map) => { +const expectLifecycleNodeInMap = ( + node: SafeResolverLifecycleNode, + nodeMap: Map +) => { const genNode = nodeMap.get(node.entityID); expect(genNode).to.be.ok(); compareArrays(genNode!.lifecycle, node.lifecycle, true); @@ -44,7 +47,7 @@ const expectLifecycleNodeInMap = (node: ResolverLifecycleNode, nodeMap: Map { @@ -52,7 +55,7 @@ export const verifyAncestry = ( const groupedAncestors = _.groupBy(ancestors, (ancestor) => ancestor.entityID); // group by parent entity_id const groupedAncestorsParent = _.groupBy(ancestors, (ancestor) => - parentEntityId(ancestor.lifecycle[0]) + parentEntityIDSafeVersion(ancestor.lifecycle[0]) ); // make sure there aren't any nodes with the same entity_id expect(Object.keys(groupedAncestors).length).to.eql(ancestors.length); @@ -69,7 +72,7 @@ export const verifyAncestry = ( let foundParents = 0; let node = ancestors[0]; for (let i = 0; i < ancestors.length; i++) { - const parentID = parentEntityId(node.lifecycle[0]); + const parentID = parentEntityIDSafeVersion(node.lifecycle[0]); if (parentID !== undefined) { const nextNode = groupedAncestors[parentID]; if (!nextNode) { @@ -95,12 +98,12 @@ export const verifyAncestry = ( * * @param ancestors an array of ancestor nodes */ -export const retrieveDistantAncestor = (ancestors: ResolverLifecycleNode[]) => { +export const retrieveDistantAncestor = (ancestors: SafeResolverLifecycleNode[]) => { // group the ancestors by their entity_id mapped to a lifecycle node const groupedAncestors = _.groupBy(ancestors, (ancestor) => ancestor.entityID); let node = ancestors[0]; for (let i = 0; i < ancestors.length; i++) { - const parentID = parentEntityId(node.lifecycle[0]); + const parentID = parentEntityIDSafeVersion(node.lifecycle[0]); if (parentID !== undefined) { const nextNode = groupedAncestors[parentID]; if (nextNode) { @@ -122,7 +125,7 @@ export const retrieveDistantAncestor = (ancestors: ResolverLifecycleNode[]) => { * @param childrenPerParent an optional number to compare that there are a certain number of children for each parent */ export const verifyChildren = ( - children: ResolverChildNode[], + children: SafeResolverChildNode[], tree: Tree, numberOfParents?: number, childrenPerParent?: number @@ -132,7 +135,9 @@ export const verifyChildren = ( // make sure each child is unique expect(Object.keys(groupedChildren).length).to.eql(children.length); if (numberOfParents !== undefined) { - const groupParent = _.groupBy(children, (child) => parentEntityId(child.lifecycle[0])); + const groupParent = _.groupBy(children, (child) => + parentEntityIDSafeVersion(child.lifecycle[0]) + ); expect(Object.keys(groupParent).length).to.eql(numberOfParents); if (childrenPerParent !== undefined) { Object.values(groupParent).forEach((childNodes) => @@ -155,7 +160,7 @@ export const verifyChildren = ( */ export const compareArrays = ( expected: Event[], - toTest: ResolverEvent[], + toTest: SafeResolverEvent[], lengthCheck: boolean = false ) => { if (lengthCheck) { @@ -168,7 +173,7 @@ export const compareArrays = ( // we're only checking that the event ids are the same here. The reason we can't check the entire document // is because ingest pipelines are used to add fields to the document when it is received by elasticsearch, // therefore it will not be the same as the document created by the generator - return eventId(toTestEvent) === eventId(arrEvent); + return eventIDSafeVersion(toTestEvent) === eventIDSafeVersion(arrEvent); }) ).to.be.ok(); }); @@ -212,7 +217,7 @@ export const verifyStats = ( * @param categories the related event info used when generating the resolver tree */ export const verifyLifecycleStats = ( - nodes: ResolverLifecycleNode[], + nodes: SafeResolverLifecycleNode[], categories: RelatedEventInfo[], relatedAlerts: number ) => { From d2d5f4ed85caec1ebb0a9a1a0b162e2a789b9393 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Fri, 4 Sep 2020 16:31:00 -0400 Subject: [PATCH 03/10] Gzipping again --- .../endpoint/resolver/api_feature/data.json | 15462 ---------------- .../resolver/api_feature/data.json.gz | Bin 0 -> 18192 bytes 2 files changed, 15462 deletions(-) delete mode 100644 x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json create mode 100644 x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz diff --git a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json deleted file mode 100644 index dac69338b5810..0000000000000 --- a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json +++ /dev/null @@ -1,15462 +0,0 @@ -{ - "type": "doc", - "value": { - "id": "PrQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455906000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93922, - "source_address": "10.6.188.90", - "source_port": 39168, - "timestamp": 132259295066186690, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:qQSXbeii7LO0D0/G1E/OA4IO+ME=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39168 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "V7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": ".test_file.swp", - "file_path": "/home/vagrant/.test_file.swp", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93947, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259295566271300, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "WLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": ".test_file.swpx", - "file_path": "/home/vagrant/.test_file.swpx", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93948, - "timestamp": 132259295566273140, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "XLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93952, - "source_address": "10.6.188.90", - "source_port": 39178, - "timestamp": 132259295569057230, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:x/k69HbBnwDOOYTE4Y4gAaOGicE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39178 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "Y7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": ".viminfo.tmp", - "file_path": "/home/vagrant/.viminfo.tmp", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93959, - "timestamp": 132259295597350900, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "abQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455962000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "cat test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "1484a27859e2ca20ad667cc06d595d22", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4073, - "ppid": 2876, - "process_name": "cat", - "process_path": "/usr/bin/cat", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93965, - "session_id": 2876, - "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", - "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e", - "tid": 4073, - "timestamp": 132259295623426690, - "unique_pid": 93965, - "unique_ppid": 93964 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "cat", - "test_file" - ], - "executable": "/usr/bin/cat", - "hash": { - "md5": "1484a27859e2ca20ad667cc06d595d22", - "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", - "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e" - }, - "name": "cat", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4073, - "ppid": 2876, - "thread": { - "id": 4073 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "bLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455966000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93968, - "source_address": "10.6.188.90", - "source_port": 39180, - "timestamp": 132259295669262820, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:ROcCcBYA2acrPPjZYkJWHFlu+XE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39180 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "crQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455993000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "opcode": 9, - "parent_process_name": "kthreadd", - "pid": 4173, - "ppid": 2, - "process_name": "kthreadd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93974, - "session_id": 0, - "tid": 4173, - "timestamp": 132259295931345280, - "unique_pid": 93974, - "unique_ppid": 1002 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "hash": { - }, - "name": "kthreadd", - "parent": { - "name": "kthreadd", - "pid": 2 - }, - "pid": 4173, - "ppid": 2, - "thread": { - "id": 4173 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "eLQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456016000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93980, - "source_address": "10.6.188.90", - "source_port": 39190, - "timestamp": 132259296169882030, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:BIOpxpEYP5YYcuCO5qYDSV8YtRY=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39190 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ebQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456026000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93981, - "source_address": "10.6.188.90", - "source_port": 39192, - "timestamp": 132259296269995940, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:lbSE4iBc2vccmwP76xpAEhEtpOI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39192 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "frQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456037000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93986, - "source_address": "10.6.188.90", - "source_port": 39194, - "timestamp": 132259296370096260, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:ZTJetA9OpyyxYgSIcv1TLHYSGn4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39194 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "grQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456057000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93990, - "source_address": "10.6.188.90", - "source_port": 39198, - "timestamp": 132259296570400690, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:k4ExX42GiiCWUs+yjiUX9rdD44w=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39198 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "g7QhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456067000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93991, - "source_address": "10.6.188.90", - "source_port": 39200, - "timestamp": 132259296670433000, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:f31y4JXVMEBz67FSPFANQiGDWr4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39200 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "h7QhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456087000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93995, - "source_address": "10.6.188.90", - "source_port": 39204, - "timestamp": 132259296870722460, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:Yh9Dwx7JLLDm52vLWCALomXGtig=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39204 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "jrQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456117000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94002, - "source_address": "10.6.188.90", - "source_port": 39210, - "timestamp": 132259297171099710, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:Pv9EtQNqSZS5UMcgm5//J7FB9Hw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39210 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "kLQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456127000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94004, - "source_address": "10.6.188.90", - "source_port": 39212, - "timestamp": 132259297271158340, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:bFkUyYg72aBaSClHXHckTj+N4vM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39212 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "kbQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456127000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "imjournal.state.tmp", - "file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 0, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94005, - "timestamp": 132259297271158860, - "unique_pid": 1088 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "l7QiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456157000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94011, - "source_address": "10.6.188.90", - "source_port": 39218, - "timestamp": 132259297571487410, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:5C8qwNUj15cr9IOHbpNPYR3yvUw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39218 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "mbQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456167000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94013, - "source_address": "10.6.188.90", - "source_port": 39220, - "timestamp": 132259297671640510, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:lf2OPCbBd44D+gv1/r7bvBbGBU0=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39220 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "nLQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456177000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94016, - "source_address": "10.6.188.90", - "source_port": 39222, - "timestamp": 132259297771736350, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:BtBNXVnfTQ/YKQ37qYojIqkstak=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39222 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "nbQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456187000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94017, - "source_address": "10.6.188.90", - "source_port": 39224, - "timestamp": 132259297871762110, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:SvQjmX4wKsaRboaSlceoLn5QTi4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39224 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "nrQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456187000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94018, - "source_address": "10.6.188.90", - "source_port": 39224, - "timestamp": 132259297871795260, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:SvQjmX4wKsaRboaSlceoLn5QTi4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39224 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "obQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456207000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94021, - "source_address": "10.6.188.90", - "source_port": 39228, - "timestamp": 132259298072055170, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:NswqKHbvS0MjyKQDw0V/YL8UDL8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39228 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "prQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456227000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94026, - "source_address": "10.6.188.90", - "source_port": 39232, - "timestamp": 132259298272310880, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:AvCkUU9w3PGKPyGxKLWlBKmIA2Y=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39232 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "q7QjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456247000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94031, - "source_address": "10.6.188.90", - "source_port": 39236, - "timestamp": 132259298472496690, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:7UCrAikx6KeWHWr3fKjEvGaZqlE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39236 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "r7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456249000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "other", - "file_path": "/home/vagrant/other", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 4999, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94035, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259298495543260, - "unique_pid": 94034 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "sbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456252000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5009, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94037, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 5009, - "timestamp": 132259298521672800, - "unique_pid": 94037, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5009, - "ppid": 2876, - "thread": { - "id": 5009 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "s7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456252000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "something", - "file_path": "/home/vagrant/something", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 5009, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94039, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259298521684770, - "unique_pid": 94038 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "trQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456255000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch blah", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5019, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94042, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 5019, - "timestamp": 132259298552388430, - "unique_pid": 94042, - "unique_ppid": 94041 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "touch", - "blah" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5019, - "ppid": 2876, - "thread": { - "id": 5019 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "urQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456257000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94046, - "source_address": "10.6.188.90", - "source_port": 39238, - "timestamp": 132259298572673280, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:qIkWxmjHs6UAHG4fbvAldTVa7qc=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39238 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "vbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456277000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94049, - "source_address": "10.6.188.90", - "source_port": 39242, - "timestamp": 132259298773181330, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:zvd73pnlGPFHP1cc55Dp8ZZEByI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39242 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "v7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456287000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94051, - "source_address": "10.6.188.90", - "source_port": 39244, - "timestamp": 132259298873329660, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:4lQtBep8SV0kUo9F097vLiWA7N8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39244 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "xLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456297000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94056, - "source_address": "10.6.188.90", - "source_port": 39246, - "timestamp": 132259298973516510, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:Tq7txtg21u7NqrdKlb2BHRz6DSo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39246 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "xrQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456307000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94058, - "source_address": "10.6.188.90", - "source_port": 39248, - "timestamp": 132259299073645710, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:R71JqiDPuyT5y6GvVD7KN6BBtmk=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39248 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "yrQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456327000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94062, - "source_address": "10.6.188.90", - "source_port": 39252, - "timestamp": 132259299273880800, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:i+rc/D2/y5VC773gyG1oPzuHXeY=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39252 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "PLQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455896000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93920, - "source_address": "10.6.188.90", - "source_port": 39166, - "timestamp": 132259294966045890, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:bZPkpEuO2COZhdjeOwODPdoHYIs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39166 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "S7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455942000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4006, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93935, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 4006, - "timestamp": 132259295420506050, - "unique_pid": 93935, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4006, - "ppid": 2876, - "thread": { - "id": 4006 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ULQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455946000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93940, - "source_address": "10.6.188.90", - "source_port": 39176, - "timestamp": 132259295468940580, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:cV1Kq/qwraGtvdeC0MCuTqAgEbs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39176 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "VrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "vim test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "7d3e711e8b1cab7880f38821bd294822", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4052, - "ppid": 2876, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93946, - "session_id": 2876, - "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", - "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5", - "tid": 4052, - "timestamp": 132259295561690740, - "unique_pid": 93946, - "unique_ppid": 93945 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "vim", - "test_file" - ], - "executable": "/usr/bin/vim", - "hash": { - "md5": "7d3e711e8b1cab7880f38821bd294822", - "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", - "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5" - }, - "name": "vim", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4052, - "ppid": 2876, - "thread": { - "id": 4052 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "X7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": "4913", - "file_path": "/home/vagrant/4913", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93955, - "timestamp": 132259295597321440, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "YbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "test_file", - "file_path": "/home/vagrant/test_file", - "md5": "9b8e321f3484f680055d6602129cb373", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93957, - "sha1": "46aded9c78e41c22462ae3e5f5dfa289ea648f40", - "sha256": "bb166c7d92902ad63da1351e2d4589f77faf33d78c99548f57f188715753f5ad", - "timestamp": 132259295597322290, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "YrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": "test_file~", - "file_path": "/home/vagrant/test_file~", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93958, - "timestamp": 132259295597348030, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ZLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": ".viminfo", - "file_path": "/home/vagrant/.viminfo", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93960, - "timestamp": 132259295597353540, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "arQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455962000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "cat test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "1484a27859e2ca20ad667cc06d595d22", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4073, - "ppid": 2876, - "process_name": "cat", - "process_path": "/usr/bin/cat", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93966, - "session_id": 2876, - "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", - "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e", - "tid": 4073, - "timestamp": 132259295623437380, - "unique_pid": 93965, - "unique_ppid": 93964 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "cat", - "test_file" - ], - "executable": "/usr/bin/cat", - "hash": { - "md5": "1484a27859e2ca20ad667cc06d595d22", - "sha1": "c4072fdb2f99d4b006a28bf27b6f4aa2752dfd6d", - "sha256": "b7e986433840b107394897458fa6f1cba0532cbc7fa28953144d258e7f58ac2e" - }, - "name": "cat", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4073, - "ppid": 2876, - "thread": { - "id": 4073 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "brQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455976000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93970, - "source_address": "10.6.188.90", - "source_port": 39182, - "timestamp": 132259295769364300, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:lelA7m0aSdSZkXnpf1vl5dbBWf8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39182 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "c7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455996000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93975, - "source_address": "10.6.188.90", - "source_port": 39186, - "timestamp": 132259295969537170, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:7fs/H+rEFwDPcsa4fhrcu3Lxl4c=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39186 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "drQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456006000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93978, - "source_address": "10.6.188.90", - "source_port": 39188, - "timestamp": 132259296069739970, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:pgtobMrPyFzhc1ETGHeB5BlJo10=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39188 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "e7QgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456027000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "imjournal.state.tmp", - "file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 0, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93983, - "timestamp": 132259296270031400, - "unique_pid": 1088 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "k7QiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456137000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94007, - "source_address": "10.6.188.90", - "source_port": 39214, - "timestamp": 132259297371205400, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:dL9Mnb03cfdmWJb2cPqE+c8mdMM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39214 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "lLQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456137000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94008, - "source_address": "10.6.188.90", - "source_port": 39214, - "timestamp": 132259297371232640, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:dL9Mnb03cfdmWJb2cPqE+c8mdMM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39214 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "lbQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456147000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94009, - "source_address": "10.6.188.90", - "source_port": 39216, - "timestamp": 132259297471345460, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:XfuQ8Mt5f4MMlOeRkgvWnUsU9eI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39216 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "mLQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456157000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94012, - "source_address": "10.6.188.90", - "source_port": 39218, - "timestamp": 132259297571517140, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:5C8qwNUj15cr9IOHbpNPYR3yvUw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39218 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "orQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456207000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94022, - "source_address": "10.6.188.90", - "source_port": 39228, - "timestamp": 132259298072089800, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:NswqKHbvS0MjyKQDw0V/YL8UDL8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39228 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "o7QjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456217000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94023, - "source_address": "10.6.188.90", - "source_port": 39230, - "timestamp": 132259298172124850, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:ot0vqafYqkth9pB4IbMfvUiyGOg=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39230 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "pLQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456217000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94024, - "source_address": "10.6.188.90", - "source_port": 39230, - "timestamp": 132259298172155300, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:ot0vqafYqkth9pB4IbMfvUiyGOg=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39230 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "sLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456249000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch other", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4999, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94036, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 4999, - "timestamp": 132259298495543520, - "unique_pid": 94034, - "unique_ppid": 94033 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "touch", - "other" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4999, - "ppid": 2876, - "thread": { - "id": 4999 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "srQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456252000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch something", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5009, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94038, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 5009, - "timestamp": 132259298521676380, - "unique_pid": 94038, - "unique_ppid": 94037 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "touch", - "something" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5009, - "ppid": 2876, - "thread": { - "id": 5009 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "tbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456255000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5019, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94041, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 5019, - "timestamp": 132259298552385890, - "unique_pid": 94041, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5019, - "ppid": 2876, - "thread": { - "id": 5019 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "vLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456267000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94048, - "source_address": "10.6.188.90", - "source_port": 39240, - "timestamp": 132259298673066580, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:dbYg1YFAx5nMokqv+Y85cupgtsI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39240 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "x7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456307000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94059, - "source_address": "10.6.188.90", - "source_port": 39248, - "timestamp": 132259299073677600, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:R71JqiDPuyT5y6GvVD7KN6BBtmk=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39248 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "zLQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456327000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "imjournal.state.tmp", - "file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 0, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94064, - "timestamp": 132259299273914560, - "unique_pid": 1088 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "0bQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456347000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94069, - "source_address": "10.6.188.90", - "source_port": 39256, - "timestamp": 132259299474120830, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:Lqo1F38zJ2d1FltAA6flNs0D7E0=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39256 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "07QlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456357000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94071, - "source_address": "10.6.188.90", - "source_port": 39258, - "timestamp": 132259299574261710, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:BKnKNvILlxXib1Z6uznABCGhyOc=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39258 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "1LQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456367000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94072, - "source_address": "10.6.188.90", - "source_port": 39260, - "timestamp": 132259299674377310, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:Kd5q2SM/lcIJw3tR4PWzhZiKAmw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39260 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "QLQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455916000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93924, - "source_address": "10.6.188.90", - "source_port": 39170, - "timestamp": 132259295166328900, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:TG2D1zmAzdOwEFpDw4x5Ap8f528=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39170 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "RrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455936000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93930, - "source_address": "10.6.188.90", - "source_port": 39174, - "timestamp": 132259295366625840, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:XYG9hAJrmAOWjiDZcOinQ1ogIZU=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39174 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "SbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455939000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 3996, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93933, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 3996, - "timestamp": 132259295397007820, - "unique_pid": 93933, - "unique_ppid": 93932 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "touch", - "test_file" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 3996, - "ppid": 2876, - "thread": { - "id": 3996 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "SrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455939000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 3996, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93934, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 3996, - "timestamp": 132259295397008300, - "unique_pid": 93933, - "unique_ppid": 93932 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "touch", - "test_file" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 3996, - "ppid": 2876, - "thread": { - "id": 3996 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "TbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455942000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": "test_file", - "file_path": "/home/vagrant/test_file", - "opcode": 2, - "pid": 4006, - "process_name": "rm", - "process_path": "/usr/bin/rm", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93937, - "timestamp": 132259295420548860, - "unique_pid": 93936 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "TrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455942000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "rm test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "a53cece4b9a67959e2143873e47a9cc5", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4006, - "ppid": 2876, - "process_name": "rm", - "process_path": "/usr/bin/rm", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93938, - "session_id": 2876, - "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", - "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96", - "tid": 4006, - "timestamp": 132259295420548940, - "unique_pid": 93936, - "unique_ppid": 93935 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "rm", - "test_file" - ], - "executable": "/usr/bin/rm", - "hash": { - "md5": "a53cece4b9a67959e2143873e47a9cc5", - "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", - "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96" - }, - "name": "rm", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4006, - "ppid": 2876, - "thread": { - "id": 4006 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "T7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455946000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93939, - "source_address": "10.6.188.90", - "source_port": 39176, - "timestamp": 132259295468904240, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:cV1Kq/qwraGtvdeC0MCuTqAgEbs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39176 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "UbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455953000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4042, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93941, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 4042, - "timestamp": 132259295535692540, - "unique_pid": 93941, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4042, - "ppid": 2876, - "thread": { - "id": 4042 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "UrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455953000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4042, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93942, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 4042, - "timestamp": 132259295535696000, - "unique_pid": 93942, - "unique_ppid": 93941 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "touch", - "test_file" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4042, - "ppid": 2876, - "thread": { - "id": 4042 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "U7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455953000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "test_file", - "file_path": "/home/vagrant/test_file", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 4042, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93943, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259295535703730, - "unique_pid": 93942 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "XbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93953, - "source_address": "10.6.188.90", - "source_port": 39178, - "timestamp": 132259295569084080, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:x/k69HbBnwDOOYTE4Y4gAaOGicE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39178 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "a7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455966000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93967, - "source_address": "10.6.188.90", - "source_port": 39180, - "timestamp": 132259295669235570, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:ROcCcBYA2acrPPjZYkJWHFlu+XE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39180 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "bbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455976000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93969, - "source_address": "10.6.188.90", - "source_port": 39182, - "timestamp": 132259295769303410, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:lelA7m0aSdSZkXnpf1vl5dbBWf8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39182 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "dbQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456006000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93977, - "source_address": "10.6.188.90", - "source_port": 39188, - "timestamp": 132259296069708860, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:pgtobMrPyFzhc1ETGHeB5BlJo10=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39188 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "fbQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456037000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93985, - "source_address": "10.6.188.90", - "source_port": 39194, - "timestamp": 132259296370065460, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:ZTJetA9OpyyxYgSIcv1TLHYSGn4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39194 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "gLQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456047000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93988, - "source_address": "10.6.188.90", - "source_port": 39196, - "timestamp": 132259296470250350, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:A7EZ9c3qcFUUygQBYfs4aQ8DzD8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39196 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "hbQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456077000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93993, - "source_address": "10.6.188.90", - "source_port": 39202, - "timestamp": 132259296770576740, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:+Hr2DoNdf0lY2Bq0XIAAgTic6rA=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39202 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "iLQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456087000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93996, - "source_address": "10.6.188.90", - "source_port": 39204, - "timestamp": 132259296870750160, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:Yh9Dwx7JLLDm52vLWCALomXGtig=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39204 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ibQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456097000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93997, - "source_address": "10.6.188.90", - "source_port": 39206, - "timestamp": 132259296970863180, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:4ALCiH0GWvEIZwdCa6rir3Kc6MQ=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39206 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "jbQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456117000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94001, - "source_address": "10.6.188.90", - "source_port": 39210, - "timestamp": 132259297171069220, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:Pv9EtQNqSZS5UMcgm5//J7FB9Hw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39210 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "m7QiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456177000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94015, - "source_address": "10.6.188.90", - "source_port": 39222, - "timestamp": 132259297771705680, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:BtBNXVnfTQ/YKQ37qYojIqkstak=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39222 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "oLQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456197000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94020, - "source_address": "10.6.188.90", - "source_port": 39226, - "timestamp": 132259297971942020, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:qalUL3DB3b7dExcd8DttJwKoHFo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39226 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "t7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456255000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "blah", - "file_path": "/home/vagrant/blah", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 5019, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94043, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259298552397900, - "unique_pid": 94042 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "uLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456255000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch blah", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5019, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94044, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 5019, - "timestamp": 132259298552399550, - "unique_pid": 94042, - "unique_ppid": 94041 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "touch", - "blah" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5019, - "ppid": 2876, - "thread": { - "id": 5019 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "u7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456267000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94047, - "source_address": "10.6.188.90", - "source_port": 39240, - "timestamp": 132259298673032850, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:dbYg1YFAx5nMokqv+Y85cupgtsI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39240 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "vrQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456277000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94050, - "source_address": "10.6.188.90", - "source_port": 39242, - "timestamp": 132259298773211090, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:zvd73pnlGPFHP1cc55Dp8ZZEByI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39242 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "wrQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456294000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "opcode": 9, - "parent_process_name": "kthreadd", - "pid": 5142, - "ppid": 2, - "process_name": "kthreadd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94054, - "session_id": 0, - "tid": 5142, - "timestamp": 132259298940682620, - "unique_pid": 94054, - "unique_ppid": 1002 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "hash": { - }, - "name": "kthreadd", - "parent": { - "name": "kthreadd", - "pid": 2 - }, - "pid": 5142, - "ppid": 2, - "thread": { - "id": 5142 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "yLQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456317000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94060, - "source_address": "10.6.188.90", - "source_port": 39250, - "timestamp": 132259299173701180, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:rq5rVOSAukY8ispGh6zW3tGkrvk=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39250 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "y7QlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456327000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94063, - "source_address": "10.6.188.90", - "source_port": 39252, - "timestamp": 132259299273914320, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:i+rc/D2/y5VC773gyG1oPzuHXeY=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39252 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "0rQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456357000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94070, - "source_address": "10.6.188.90", - "source_port": 39258, - "timestamp": 132259299574232750, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:BKnKNvILlxXib1Z6uznABCGhyOc=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39258 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "1bQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456367000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94073, - "source_address": "10.6.188.90", - "source_port": 39260, - "timestamp": 132259299674404860, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:Kd5q2SM/lcIJw3tR4PWzhZiKAmw=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39260 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "OrQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455886000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93918, - "source_address": "10.6.188.90", - "source_port": 39164, - "timestamp": 132259294865991800, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:diWB9PGnhcbUUARSqTzwinrZEOo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39164 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "PbQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455896000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93921, - "source_address": "10.6.188.90", - "source_port": 39166, - "timestamp": 132259294966075060, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:bZPkpEuO2COZhdjeOwODPdoHYIs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39166 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "P7QeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455906000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93923, - "source_address": "10.6.188.90", - "source_port": 39168, - "timestamp": 132259295066216100, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:qQSXbeii7LO0D0/G1E/OA4IO+ME=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39168 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "QbQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455916000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93925, - "source_address": "10.6.188.90", - "source_port": 39170, - "timestamp": 132259295166361360, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:TG2D1zmAzdOwEFpDw4x5Ap8f528=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39170 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "QrQeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455926000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93926, - "source_address": "10.6.188.90", - "source_port": 39172, - "timestamp": 132259295266486400, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:QRJUKQoG0ofd1C9VbSo3GUURORE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39172 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "Q7QeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455926000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93927, - "source_address": "10.6.188.90", - "source_port": 39172, - "timestamp": 132259295266523890, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:QRJUKQoG0ofd1C9VbSo3GUURORE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39172 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "R7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455936000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93931, - "source_address": "10.6.188.90", - "source_port": 39174, - "timestamp": 132259295366655680, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:XYG9hAJrmAOWjiDZcOinQ1ogIZU=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39174 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "SLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455939000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 3996, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93932, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 3996, - "timestamp": 132259295396961260, - "unique_pid": 93932, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 3996, - "ppid": 2876, - "thread": { - "id": 3996 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "VLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455953000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4042, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93944, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 4042, - "timestamp": 132259295535705570, - "unique_pid": 93942, - "unique_ppid": 93941 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "touch", - "test_file" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4042, - "ppid": 2876, - "thread": { - "id": 4042 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "VbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4052, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93945, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 4052, - "timestamp": 132259295561315740, - "unique_pid": 93945, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4052, - "ppid": 2876, - "thread": { - "id": 4052 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "WbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": ".test_file.swpx", - "file_path": "/home/vagrant/.test_file.swpx", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93949, - "timestamp": 132259295566273660, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ZbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": ".viminfo", - "file_path": "/home/vagrant/.viminfo", - "md5": "1358fa5366521834200c2024ca7c8878", - "old_file_path": "/home/vagrant/.viminfo.tmp", - "opcode": 3, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93961, - "sha1": "e1d41f2d3daf0655d00ab887b220b69d957dd1dc", - "sha256": "3f159b2702e51020dac0326e83d2805e80847951229c97362c4bb359381d9d47", - "timestamp": 132259295597353730, - "unique_pid": 93946 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "Z7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "vim test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "7d3e711e8b1cab7880f38821bd294822", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4052, - "ppid": 2876, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93963, - "session_id": 2876, - "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", - "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5", - "tid": 4052, - "timestamp": 132259295597377000, - "unique_pid": 93946, - "unique_ppid": 93945 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "vim", - "test_file" - ], - "executable": "/usr/bin/vim", - "hash": { - "md5": "7d3e711e8b1cab7880f38821bd294822", - "sha1": "184fb4c8d10952fe60b31f3277c8da609c27aaa6", - "sha256": "399141058ac0159cdf5921a8333fe1162bf597773eb82dc29215c329d8992ca5" - }, - "name": "vim", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4052, - "ppid": 2876, - "thread": { - "id": 4052 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "aLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455962000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4073, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93964, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 4073, - "timestamp": 132259295623411400, - "unique_pid": 93964, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4073, - "ppid": 2876, - "thread": { - "id": 4073 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "b7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455986000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93971, - "source_address": "10.6.188.90", - "source_port": 39184, - "timestamp": 132259295869393710, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:hbQCrgxuCDyJ9FGRh24A3wQRSXU=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39184 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "cbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455992000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "opcode": 2, - "parent_process_name": "kthreadd", - "pid": 2197, - "ppid": 2, - "process_name": "kthreadd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93973, - "session_id": 0, - "tid": 2197, - "timestamp": 132259295924677120, - "unique_pid": 93695, - "unique_ppid": 1002 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "hash": { - }, - "name": "kthreadd", - "parent": { - "name": "kthreadd", - "pid": 2 - }, - "pid": 2197, - "ppid": 2, - "thread": { - "id": 2197 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "gbQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456057000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93989, - "source_address": "10.6.188.90", - "source_port": 39198, - "timestamp": 132259296570370700, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:k4ExX42GiiCWUs+yjiUX9rdD44w=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39198 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "hLQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456067000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93992, - "source_address": "10.6.188.90", - "source_port": 39200, - "timestamp": 132259296670462340, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:f31y4JXVMEBz67FSPFANQiGDWr4=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39200 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "hrQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456077000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93994, - "source_address": "10.6.188.90", - "source_port": 39202, - "timestamp": 132259296770608000, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:+Hr2DoNdf0lY2Bq0XIAAgTic6rA=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39202 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "irQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456097000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93998, - "source_address": "10.6.188.90", - "source_port": 39206, - "timestamp": 132259296970895500, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:4ALCiH0GWvEIZwdCa6rir3Kc6MQ=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39206 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "i7QhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456107000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93999, - "source_address": "10.6.188.90", - "source_port": 39208, - "timestamp": 132259297070925490, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:ASrGJJL6gzHH6s5QKFaALqDlqPs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39208 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "jLQhNnABvfrOPnsMfFf1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456107000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94000, - "source_address": "10.6.188.90", - "source_port": 39208, - "timestamp": 132259297070959620, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:ASrGJJL6gzHH6s5QKFaALqDlqPs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39208 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "krQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456127000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "imjournal.state", - "file_path": "/var/lib/rsyslog/imjournal.state", - "md5": "7407dd7a7c0794bf324b40bc4ce735e5", - "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 3, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94006, - "sha1": "0981e9a482f8e5c8ac182ce3840fe3fe03f15156", - "sha256": "9b3a4e78c019c4609acf5ca8bd283bcffcd18283f0ecb0db085bdfd5450bd751", - "timestamp": 132259297271158960, - "unique_pid": 1088 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "lrQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456147000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94010, - "source_address": "10.6.188.90", - "source_port": 39216, - "timestamp": 132259297471374800, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:XfuQ8Mt5f4MMlOeRkgvWnUsU9eI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39216 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "mrQiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456167000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94014, - "source_address": "10.6.188.90", - "source_port": 39220, - "timestamp": 132259297671678660, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:lf2OPCbBd44D+gv1/r7bvBbGBU0=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39220 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "n7QjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456197000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94019, - "source_address": "10.6.188.90", - "source_port": 39226, - "timestamp": 132259297971911760, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:qalUL3DB3b7dExcd8DttJwKoHFo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39226 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "qbQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456237000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94029, - "source_address": "10.6.188.90", - "source_port": 39234, - "timestamp": 132259298372350350, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:gH73QuXFdi87dATezTZ63qBRVaM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39234 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "rrQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456249000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch other", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4999, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94034, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 4999, - "timestamp": 132259298495542940, - "unique_pid": 94034, - "unique_ppid": 94033 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "touch", - "other" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4999, - "ppid": 2876, - "thread": { - "id": 4999 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ubQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456257000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94045, - "source_address": "10.6.188.90", - "source_port": 39238, - "timestamp": 132259298572641820, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:qIkWxmjHs6UAHG4fbvAldTVa7qc=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39238 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "w7QkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456297000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94055, - "source_address": "10.6.188.90", - "source_port": 39246, - "timestamp": 132259298973482610, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:Tq7txtg21u7NqrdKlb2BHRz6DSo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39246 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "xbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456302000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "opcode": 9, - "parent_process_name": "kthreadd", - "pid": 5172, - "ppid": 2, - "process_name": "kthreadd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94057, - "session_id": 0, - "tid": 5172, - "timestamp": 132259299025925090, - "unique_pid": 94057, - "unique_ppid": 1002 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "hash": { - }, - "name": "kthreadd", - "parent": { - "name": "kthreadd", - "pid": 2 - }, - "pid": 5172, - "ppid": 2, - "thread": { - "id": 5172 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ybQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456317000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94061, - "source_address": "10.6.188.90", - "source_port": 39250, - "timestamp": 132259299173744080, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:rq5rVOSAukY8ispGh6zW3tGkrvk=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39250 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "zbQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456327000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "imjournal.state", - "file_path": "/var/lib/rsyslog/imjournal.state", - "md5": "0df2c29722fd39026e279293fda3f46e", - "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 3, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94065, - "sha1": "26185c27437c9d6e1f979fe553764ce63de72129", - "sha256": "28925a8b6aef1b58840c1df45c93a64dcdb2e982ab89921bb73c6ac0667454cf", - "timestamp": 132259299273914750, - "unique_pid": 1088 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "zrQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456337000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94066, - "source_address": "10.6.188.90", - "source_port": 39254, - "timestamp": 132259299374006350, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:nHNLxc9DdSQ1K9M+aJfzdkjZRMs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39254 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "O7QeNnABvfrOPnsMvVfW", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455886000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93919, - "source_address": "10.6.188.90", - "source_port": 39164, - "timestamp": 132259294866021940, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:diWB9PGnhcbUUARSqTzwinrZEOo=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39164 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "RLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455926000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "imjournal.state.tmp", - "file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 0, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93928, - "timestamp": 132259295266524240, - "unique_pid": 1088 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "RbQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455926000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "imjournal.state", - "file_path": "/var/lib/rsyslog/imjournal.state", - "md5": "bd7cecc8c6fdc03ddb110ff5c29ba45c", - "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 3, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93929, - "sha1": "fd3e5ed3a90de5b683c9ad9e336a020cbb0234e1", - "sha256": "38a2ee2d979a3294ad13e9ea6f84fb04febffaa23f682fdad43faa99c34e08d1", - "timestamp": 132259295266524450, - "unique_pid": 1088 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "TLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455942000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "rm test_file", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process exec'd a new image.", - "event_subtype_full": "exec_event", - "event_type_full": "process_event", - "md5": "a53cece4b9a67959e2143873e47a9cc5", - "opcode": 5, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4006, - "ppid": 2876, - "process_name": "rm", - "process_path": "/usr/bin/rm", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93936, - "session_id": 2876, - "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", - "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96", - "tid": 4006, - "timestamp": 132259295420537250, - "unique_pid": 93936, - "unique_ppid": 93935 - }, - "event": { - "action": "exec_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame", - "type": "process_start" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process exec'd a new image.", - "process": { - "args": [ - "rm", - "test_file" - ], - "executable": "/usr/bin/rm", - "hash": { - "md5": "a53cece4b9a67959e2143873e47a9cc5", - "sha1": "648ce629b804e97eca9f8ca6ae9d52d72f7f5e18", - "sha256": "a2d08e70a49f4beb07de366213e26168da76b9ace37195cc22cdd2d384742e96" - }, - "name": "rm", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4006, - "ppid": 2876, - "thread": { - "id": 4006 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "WrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": ".test_file.swp", - "file_path": "/home/vagrant/.test_file.swp", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93950, - "timestamp": 132259295566273810, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "W7QfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455956000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": ".test_file.swp", - "file_path": "/home/vagrant/.test_file.swp", - "md5": "d41d8cd98f00b204e9800998ecf8427e", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93951, - "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", - "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "timestamp": 132259295566274780, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "XrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "4913", - "file_path": "/home/vagrant/4913", - "opcode": 0, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93954, - "timestamp": 132259295597320050, - "unique_pid": 93946 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "YLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "test_file~", - "file_path": "/home/vagrant/test_file~", - "old_file_path": "/home/vagrant/test_file", - "opcode": 3, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93956, - "timestamp": 132259295597321680, - "unique_pid": 93946 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "ZrQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455959000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_subtype_full": "file_delete_event", - "event_type_full": "file_event", - "file_name": ".test_file.swp", - "file_path": "/home/vagrant/.test_file.swp", - "opcode": 2, - "pid": 4052, - "process_name": "vim", - "process_path": "/usr/bin/vim", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 93962, - "timestamp": 132259295597355420, - "unique_pid": 93946 - }, - "event": { - "action": "file_delete_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "cLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455986000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93972, - "source_address": "10.6.188.90", - "source_port": 39184, - "timestamp": 132259295869425900, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:hbQCrgxuCDyJ9FGRh24A3wQRSXU=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39184 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "dLQfNnABvfrOPnsMqFc1", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581455996000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93976, - "source_address": "10.6.188.90", - "source_port": 39186, - "timestamp": 132259295969595900, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:7fs/H+rEFwDPcsa4fhrcu3Lxl4c=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39186 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "d7QgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456016000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93979, - "source_address": "10.6.188.90", - "source_port": 39190, - "timestamp": 132259296169852080, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:BIOpxpEYP5YYcuCO5qYDSV8YtRY=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39190 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "erQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456027000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93982, - "source_address": "10.6.188.90", - "source_port": 39192, - "timestamp": 132259296270026060, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:lbSE4iBc2vccmwP76xpAEhEtpOI=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39192 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "fLQgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456027000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "imjournal.state", - "file_path": "/var/lib/rsyslog/imjournal.state", - "md5": "0d2c9f835b50037ecb58db338a4ec091", - "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 3, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93984, - "sha1": "3bf1106640d0742b0f2ae2496a1f75f4960def6f", - "sha256": "08b9fb9819f3beb2766f8e9137f74a3b52df42f93b38793fab3da5e2faf94c69", - "timestamp": 132259296270031650, - "unique_pid": 1088 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "f7QgNnABvfrOPnsMkleV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456047000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 93987, - "source_address": "10.6.188.90", - "source_port": 39196, - "timestamp": 132259296470213310, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:A7EZ9c3qcFUUygQBYfs4aQ8DzD8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39196 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "j7QiNnABvfrOPnsMZ1dV", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456127000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94003, - "source_address": "10.6.188.90", - "source_port": 39212, - "timestamp": 132259297271123660, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:bFkUyYg72aBaSClHXHckTj+N4vM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39212 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "pbQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456227000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94025, - "source_address": "10.6.188.90", - "source_port": 39232, - "timestamp": 132259298272277800, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:AvCkUU9w3PGKPyGxKLWlBKmIA2Y=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39232 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "p7QjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456227000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_create_event", - "event_type_full": "file_event", - "file_name": "imjournal.state.tmp", - "file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 0, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94027, - "timestamp": 132259298272315200, - "unique_pid": 1088 - }, - "event": { - "action": "file_create_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "qLQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456227000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "file_rename_event", - "event_type_full": "file_event", - "file_name": "imjournal.state", - "file_path": "/var/lib/rsyslog/imjournal.state", - "md5": "648d5f5ef73e8ccdba1a8877c3b773af", - "old_file_path": "/var/lib/rsyslog/imjournal.state.tmp", - "opcode": 3, - "pid": 892, - "process_name": "rsyslogd", - "process_path": "/usr/sbin/rsyslogd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94028, - "sha1": "379676478db415c75c225d21c35de4dc913c9822", - "sha256": "f4536a53cf0be4d771e4daca337982e9fc5116e672606d71eb27d0223c414d03", - "timestamp": 132259298272316930, - "unique_pid": 1088 - }, - "event": { - "action": "file_rename_event", - "category": "file", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "qrQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456237000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94030, - "source_address": "10.6.188.90", - "source_port": 39234, - "timestamp": 132259298372381700, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:gH73QuXFdi87dATezTZ63qBRVaM=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39234 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "rLQjNnABvfrOPnsMeFfF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456247000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94032, - "source_address": "10.6.188.90", - "source_port": 39236, - "timestamp": 132259298472528480, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:7UCrAikx6KeWHWr3fKjEvGaZqlE=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39236 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "rbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456249000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "-bash", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Forked a process", - "event_subtype_full": "fork_event", - "event_type_full": "process_event", - "md5": "59189125c11a18c588b545bb17cd2e32", - "opcode": 9, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 4999, - "ppid": 2876, - "process_name": "bash", - "process_path": "/bin/bash", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94033, - "session_id": 2876, - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b", - "tid": 4999, - "timestamp": 132259298495517310, - "unique_pid": 94033, - "unique_ppid": 93802 - }, - "event": { - "action": "fork_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Forked a process", - "process": { - "args": [ - "-bash" - ], - "executable": "/bin/bash", - "hash": { - "md5": "59189125c11a18c588b545bb17cd2e32", - "sha1": "5294292e00d5d607d2bd08409d029f6a0859b817", - "sha256": "f7a24de16d613d35937aea46503b0ab91e434854c27169e93a23d34ce53fad6b" - }, - "name": "bash", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 4999, - "ppid": 2876, - "thread": { - "id": 4999 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "tLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456252000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "command_line": "touch something", - "effective_gid": 1000, - "effective_group_name": "vagrant", - "effective_uid": 1000, - "effective_user_name": "vagrant", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "md5": "985a951b1a7a8dbe51973e651a365900", - "opcode": 2, - "parent_process_name": "bash", - "parent_process_path": "/bin/bash", - "pid": 5009, - "ppid": 2876, - "process_name": "touch", - "process_path": "/usr/bin/touch", - "real_gid": 1000, - "real_group_name": "vagrant", - "real_uid": 1000, - "real_user_name": "vagrant", - "serial_event_id": 94040, - "session_id": 2876, - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d", - "tid": 5009, - "timestamp": 132259298521686190, - "unique_pid": 94038, - "unique_ppid": 94037 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "args": [ - "touch", - "something" - ], - "executable": "/usr/bin/touch", - "hash": { - "md5": "985a951b1a7a8dbe51973e651a365900", - "sha1": "7aa61b2c476234811a731efb9729a6d761cf63c8", - "sha256": "3f660ec99c2a0219bfb7c5df3faf848f950135c1aa385129fa26c752bf19d69d" - }, - "name": "touch", - "parent": { - "executable": "/bin/bash", - "name": "bash", - "pid": 2876 - }, - "pid": 5009, - "ppid": 2876, - "thread": { - "id": 5009 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 1000, - "name": "vagrant" - }, - "id": "1000", - "name": "vagrant" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "wLQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456287000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94052, - "source_address": "10.6.188.90", - "source_port": 39244, - "timestamp": 132259298873366020, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:4lQtBep8SV0kUo9F097vLiWA7N8=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39244 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "wbQkNnABvfrOPnsMY1cl", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456293000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_message": "Process ended.", - "event_subtype_full": "termination_event", - "event_type_full": "process_event", - "exit_code": 0, - "exit_code_full": 0, - "opcode": 2, - "parent_process_name": "kthreadd", - "pid": 3201, - "ppid": 2, - "process_name": "kthreadd", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94053, - "session_id": 0, - "tid": 3201, - "timestamp": 132259298935177580, - "unique_pid": 93875, - "unique_ppid": 1002 - }, - "event": { - "action": "termination_event", - "category": "process", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "message": "Process ended.", - "process": { - "hash": { - }, - "name": "kthreadd", - "parent": { - "name": "kthreadd", - "pid": 2 - }, - "pid": 3201, - "ppid": 2, - "thread": { - "id": 3201 - } - }, - "rule": { - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "z7QlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456337000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 133, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_disconnect_received_event", - "event_type_full": "network_event", - "opcode": 13, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94067, - "source_address": "10.6.188.90", - "source_port": 39254, - "timestamp": 132259299374037760, - "total_in_bytes": 133, - "total_out_bytes": 645, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_disconnect_received_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "bytes": 778, - "community_id": "1:nHNLxc9DdSQ1K9M+aJfzdkjZRMs=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 645, - "ip": "10.6.188.90", - "port": 39254 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 13 - } - }, - "type": "_doc" - } -} - -{ - "type": "doc", - "value": { - "id": "0LQlNnABvfrOPnsMTVeF", - "index": "endgame-4.21.0-000001", - "source": { - "@timestamp": 1581456347000, - "agent": { - "id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a", - "type": "endgame", - "version": "3.53.6" - }, - "destination": { - "address": "10.3.4.206", - "bytes": 0, - "ip": "10.3.4.206", - "port": 4506 - }, - "ecs": { - "version": "1.4.0" - }, - "endgame": { - "destination_address": "10.3.4.206", - "destination_port": 4506, - "effective_gid": 0, - "effective_group_name": "root", - "effective_uid": 0, - "effective_user_name": "root", - "event_subtype_full": "ipv4_connection_attempt_event", - "event_type_full": "network_event", - "opcode": 12, - "pid": 2083, - "process_name": "python2.7", - "process_path": "/usr/bin/python2.7", - "protocol": "tcp", - "real_gid": 0, - "real_group_name": "root", - "real_uid": 0, - "real_user_name": "root", - "serial_event_id": 94068, - "source_address": "10.6.188.90", - "source_port": 39256, - "timestamp": 132259299474089280, - "total_in_bytes": 0, - "total_out_bytes": 0, - "unique_pid": 1095 - }, - "event": { - "action": "ipv4_connection_attempt_event", - "category": "network", - "dataset": "esensor", - "kind": "event", - "module": "endgame" - }, - "host": { - "hostname": "adt-dhcp-172-31-4-178.eng.endgames.local", - "ip": "10.6.188.90", - "name": "adt-dhcp-172-31-4-178.eng.endgames.local", - "os": { - "name": "Linux", - "platform": "linux", - "version": "7.3.1611" - } - }, - "labels": { - "account_id": "57f4c86f-6f23-48a3-a8d5-8f507573a83e", - "endpoint_id": "5a0c957f-b8e7-4538-965e-57e8bb86ad3a" - }, - "network": { - "community_id": "1:Lqo1F38zJ2d1FltAA6flNs0D7E0=", - "transport": "tcp" - }, - "process": { - "executable": "/usr/bin/python2.7", - "name": "python2.7", - "parent": { - }, - "pid": 2083, - "thread": { - } - }, - "rule": { - }, - "source": { - "address": "10.6.188.90", - "bytes": 0, - "ip": "10.6.188.90", - "port": 39256 - }, - "user": { - "group": { - "id": 0, - "name": "root" - }, - "id": "0", - "name": "root" - }, - "winlog": { - "opcode": 12 - } - }, - "type": "_doc" - } -} \ No newline at end of file diff --git a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..eddfac0bb1455c2780ff31e31e2456b04c0a14c7 GIT binary patch literal 18192 zcmZ^qbyQpbw(WreMTrOU;>mL+vl20m~lMj}yryphq6Q@5f zEi5;G^4TTpmBQ$X$4VYq1qM9i3vdxUkze_(Vf-OaczAs+S(nbke81CTIQYC;tbgOu zr=t^8p29f9J1ZR+@KnmvopCp)u$Qv4zmBLmZ2F*>*YXfzU-C5WfA7RlV}@U3MXcV?g+IT^f(N2rD`3wr=VCK?@_PtFl9Mdc7^Wumq1FgUBM! zM~-QcjdV$BBGvZ2>g;-V_tXrk+t$qJ_Qt&jPr^(QLC1sq<0WqGo!hEm#zm)o2?I#h zj}S&$>G6wRwaMW7d(Ub0>&%*M;4Q@}9@-C%%o>xiGx_E^(rMP@*HK3xoAY&Sfh&gA z(k=O11AH=`WQCtyu@9|2OFAx#U2R_o&)x3HqGwg&FTC76Pw%rpr?8Bd?{Zyl{S+06 zrZtK#NHVzb6EG{n-e7$DDT9>RwyjWu!&2mZTk~hxV`;u+7x$>OsZ4)0kkRetEum$W zPtFg%0F#4wUBXAhnt~0*^z!>D-zf&;rWSl?G66tMoy1QjHFHS@MptypCXK>vx}}tw?>G9ld|%aZM(sIg4_6W?I~q zKgRMQ5X7jF>3$AP8S_cuxFF9ZeU|DW1+x@?1Z^01j<#6MJd+BCUk~W29fSLIl5O;K z0{iM6pPj58R%h!T$>S<#w?TlfbYq zMrGxvu=(jQ8%sEOfG0?}{bb&{ie315I{<;D#WY4ybe$wc_|It1(hMuf@Z`Z(UWT^q zgHK-c7nT93p4Us2vCx~D|9j`oOmgFiGt4{{vNep(-L7TqHv>0uTdqRigF3tt~9S|cZv-~=RpY~^1 zC8^rm?CHPnr)R^}Gp3~DuHd~D`DBGk8Pk6e${9d@^et!M!*LSh8GeZ zFKwUYt{CAKhx!gsU_o&KY%g6KERDRA$vy$?0$;(N!<+{jtcZHLBlDZAo=xc7Zm4<#6`YR%2rwKi;UKWes zFBFQ6A^LMmtdRP1_he=$R>IX-ZD(CvW7;cg zj9q>hx$x}c`*Y*HwgJG~H~`#rG{+I?l|S zcu3^Dhm(XXa?x|4HivBTlS{ET)|EHmQAK=!3?F6+y;-P=j)xKYyIy3< za*0j^4#z;;FNRt7f;aQWuGEvlgFX@uL$|Bl*W10qd@iXUEwY3`333ryk3QUjSkz7T zZT6FYju1v8EofPXM!$KC$##EVkB*y@0L&~@AyFEJh8s~)V{zipq~Z_=tcT;UQ|;Da zM=JGv2<&Q|m9y+`437$}ibDIHF!yVKH$&AioX9co^*)xPDN}!ocjh-_CIJ3BI%==^ zmd9>L6IN@c&sBBusoZILJYwp~&ILfD;Ah@d*0`Om7Q(7Gi~uK^04wOaM<&`blSca~ zu}w(xK2cD9^z(`Pe*0v5fd={>XMlMar#3?wujl0yGTE0P9^`vvsj zVjl|ibHt0pVkCGk){!6XouaVU*EL-4Z{9qdkIzVMY(HWkCA0xQq}5SS2g~4n!I5~{ z`d}FY>61;XSH-fl;t$H>EB>&nFHt=eaxclIBYbPXIu?Z3t%Q2J5Bz;_j#KJ*1uU%1 z5?P3iEW5tY3_}%RlohS~qciDm4l$L?yBK4#!+SUrLz%=??hRvzC*$=IJ$)?`FNnrezXZ{qcSZUE5IEv21-2`W?_>Nf6g6nVij~>wpQxq zP=h-asG9`&W$-+#!y}1PplK0U=-R?Ej{PWrE8v(q|57fCG5G@?UyI&`#B6+U-;m?&By(VYw*f#J zInC7eHRcu^_Eu5aR{!;ATg^Au%A@1sXvJ%hd6uWP8t0aF_kLea##yHG!F97x5N)nz zmYPHwsWcAsIBtWLW9a#X%UH6I5CbSdd8t^jW>h9vj?WsKD8!|Utz zz1Jd6gXQclsCk-vmLpE%Ey!^NWtsV4&XrKwDr|8I_Ut_5ar@9{R!p;KAin~~WiSdm zrv|E|Wjz~~c%L5|K?vJ96Opp#sPHrILv`Do_OGbN)~LkFy1VU#kEkkxR=FD;zQY_~ z1sZ;DH9Rl_1sHnziD>)f%74wqZ;p+*eaDAjs*w@DhQLE~C?JBulhzHcXXhg$3kbB! znYl5H0>csH>6v%*u_iqLzRB_9{@Be*H7-EdsV4*=-cEVfD$3T6Ni3_*>mSk&!5;MW zTqnnTJUWE=rX%`|lCrj^SYircOSk?C3Mf2Vt*YBTei7u%(#{e_IwPgc&1Q{I`LC#qF6L#qh!9D@zszOG%QQ z*Vlc8kQCLL=c=kp8}5~!jhS1Z``5OYxT|O^;v9yEI%%zuA0OB?!%F8M+(}XIvf&B&=)HU7Mmp* zHn}he=Jx^f#P=RXYX$RGih?*?xg^z897BjcsYB^10ev-Uuo&9dBxnL= zGSz2aDNIseZH8XiM5Y+_ij?dxR=#d$YhZq~bY=W;_rvueYQ+_U;!NE>m?&#kwKBe+ zt+_}h%1^aY6e0?#QGo1fpL~G~xr{PXfhnsDLSKPdV8L);VTcJeO|u7iu4*5&DNnNK zeeN%6Cbp>{qoC-w0z-zJ5a&&#&#Ft%IQX&w$V4Ww@9H(!_>$7b0?~#k;<05J=t9t{ zSKd$zAOHs9?&qA<+Mjq^BHL$^Vj8Sf^vHR9ynYB{R8I5RnN1U!z;paM%Ojfh&IeE0 zc9Y;x$`@6_WkA0#WyS@h7-nxuE2&g}%DrQ=NRkyzi2$d#CoLV%cm?3BI z$)|0}#c!K{2F)bWfbY)1Xqz`Zp_A!yoFxv_vyN2Yf*@SQqxokKO7vsZ_g zS87wsQu^M@wzD&z$JftJqxm%!KmLT^StorrqLqTE<5?z|Fzgrln(=KgLBH8sYT1lel8*r9hM4HzUi zNNTA!2(3oLw3dHs$8Q6gw=rhm$rw#aGY)VHzF2@6a$r+RV5<{iLc+Nu(WT@yTMp zNMhqqe}7rt(P3HRbyAsHO`bcg@OuCs(Qq};ddCtX*jslsoW^tY2{17jC6}YK8i_lm)A1?Kx8l!@VZ3IfbLv&M zIikoC_5=&YT2FTar2A_bI4(w`&#ns~TpY5_U5e81 ziQfdqHZT>Oej@$Ga#%tJybU8&LbD7BjShMjzAtU4IYe0n3gn9k!b#yD;6h(BOj)CY z2@i7;#T>vjPm*S;ot=thi_{#o{FD(|O{&D^6=c_mj1QqxL7}ZS*qPKT`5>(JF`6al zSUyb?Mep5D{GUm1pNM*V39O|HoYOwts^4V^@>lFIKP%|ls5vlj7@GIDUk{HCGCwR1 z^}C_VP*x;*BtMa`J+z?ea4$&+#H z*TOLBDqpF7R&-H3UNm{7+Keszwhp80^9<4W05++r+<+2kQ154$%&&>6Xz-b8s-i!4 z2$AmUs$WZ0<8loRA)9%`KnHcohiAFAW|qf8rAMlRM>bL(NI>tmOoSLiP#+dIN6Ssz zj)v?WLSHaSMNMTtCt;qkG|tq>$zWX#A2p^V2X!!`#RQ=rwNWZAz%xB~)D&EWVL=(j z-3j)yVJcGXaS}78jBU`;Hp1-S52vOl%3oipMR5@HbumkE(X%*{ zQeV7d)|k6kd!5ab@W=L5xj`7xHJth>cLYc;UFDZwz+;cT%DUua#aHLMxEte=!?$qj&l~n{y*P#ZcrjDJJvd5z{|E2== zFc<*JDiHov!Hz59FZQadni{I=Ldv&14`nhl$|_fUUM3c2=JZ{D=6Frr#c~EmJB8*H z7-$P%c>_K>ow79S(n_HN(gU>;8rWd}>D?w#TISRG#gFfuyvL?Uqz8`_9xWuigBB)K z<2U78=~L0bD~BrLkT1eu>~E`>k9tfgq>2~m=*)M8z%7lFv+V)Q#}Pdd%&iuzt)lVc zjo)?@w3+Cq8I^b@$`Aj%4b}3fZl*7NM zWQ(}CbRn;gRd;5P+DWT&b4+n@(2g~>jmTEZlkfBPeakP|3H$ardheYd@ge#D`tQ|+vcR3E)lmLvJ+J>#@b%^!Rt%+rXp)% z&X`FWms^^?I0n}~DKK+M>09PRn#SbpQk4N5Dqk`x69`f!mpZ%@>TRl4L*T$vs|Z(= z`FI8Xk8HCJs}=Z(mQ>WtdV*ui3Etq63F_wkrTHLX?+UN3&Tu4LIOgBDc%Lg$GTzbb(A)jizph^+t(^119XDC5Od=|a2p?X0FHSKvP99w~`WP7W zeFC99D%9SeKY+e3tI_10G?VEkBbiJUHEXgF9KD&fG{81wG9|t3X(7PC7gNZEknlq1 z6&eimM8dsFl&FM3EI>f)y{CUXSb9Fr2c7r?wRz=;l!mBAdz|FSQKDo|uYo(_%|@SH zg?7QJM15=EovCm-gHlk)Eclx5hZXA7L z@aZ>zE8OH9C4%NVrX74vq)f>Gj8p=1#4OcnLj|sn%qqXeTMT$m7Vcmf2BA;&`hMh`94u51D0J0=@CCJVz@|}Y>Y)t8tQ_$ zYj8Y&1D-nw%5G1O<%=s>5NBw)$9ZUQWVd>Yt`bSE@-U~`-t>mIh?=b)W@kJ%wuIX^ zbm-Q8!F_*yJ&-(9np)v2k_tSpFS!)>087q`!>~5WZ)Uca(niJ^qGmQB=EzXR)FW5q zixJ4z@G>0|H6%BzG|cdPp1u0C`2D8L)b`JaZh)pizZK(JX(~$_C>7%D;zMGkQK2Pw_FnxTK!?X<0F%R(YA%fn^c2jLpG$NTLh z{jJidQTfQfYSsM5^Sud3mX(oexcJ~%xOnTWa*zp5QNoAz8$7ee36OB0<NQ5&KV=$_izT9IxO-_WSAyRK-c;76xrkeHWLGYmvw0 zRG}Ke(-5E&gjoV{q4&90YA@1|+pZ%Sx-h3p>J=Tj+^pwgI~{a?hH#N0 zv*F$0D-R@!F6xz|Ihvh=g#C6ur-bbA`YLq{~I6x zpNlGN+sPg}m+CJHm&^a`?XR5jd|4H0L>MX4`FpL2PxV&q6M4HlzoWphH19;yUJj>X znu%Z@I5@6AjAQBe1cPE2DpTa4udkA*hbs>k_Ycd9nq%4?eymoMFMsRW+IZ{yz5Z3= z0|Tu*TwW@zye5|A?^}R;X!Lt0Pd_$JFI2sl)YR?5pcJA|1e^lizwjU)3J>NFz8=+u z#Z-<8nBQ3?dWE-jF9+N`ZXeNqH>n%94>wB%(BiypUx3aS!wzPe*r34yLylHl^9i42}9qPf39BHN=g)Uh%!^WRHt_)i8`Y&)H+j&}Yt}h~_c%JXP z+-T1qanjg^tsIXhZ3Bsfh*WHoZwB(EqbkRL|I_`ia1uG|Og#int$^K-K68NHa8yPc z%_Q1*GIwfHFA^!%pvlA!&2_eN+$hy`^9?p&|G)+LL_f%2j{F{)q7^a6GO(#%Iv z@Sv`oF%Dya(J)rQl96%I@034tn1(>wkI-?FUwN@g859;|Fa+9(bl_<0cWT5cGuX*) z1=)W3+7J4E6v>@>#3SF2?qe4^s{NE%bru9judxNn7wE6S|Er?R+kdCM@vte7IyEu1 zDd;+_y#0`}&pmmlCUNtYbn@G}YqR^hfcfR%WU9o;iQ0dMu+cv^`rp~UI&EO%8ci)h zhQ3xX>B|+2B-o|BD>zE;7Ax3>N2M=fFtt+sem<&q%Td7M?NQ>t3)i*aA=A}ri6<>7 zy67mm2&8$I|MS>K1m`^p@Q&HMkU0_HBRgrvXczdXdNWLb)c(BNSFh=N6lJ!*M4Qy` zvjgK#ta3`p3ChGaF=G_?yV9J2X_FF`xnTJB+GsZ!6tMPA*@U<>Nqa`EV#0aqwavI1a?LRx)hchB)za~`MSGnE_SP1$jGe{VtSuDl$ zE|*}xhtH#Uk8<|YQ540&_M*0sqUIEYXYgJ*HYiUTse%Hbso@o!Ya9KwjXc7)4Q0=k zDu+JScF<^L^KlGb1CM%PCO58sxgbL7I~0d#(6I?u9ymvoAeJU}`yif%Tu~pEyG%4$ z5`sdHz~thw0-J}NH}CP&A@5fH_vq|pU2FRN@q^wc7mV4>EA^@$3r)PQU(i#IsCqQW z=Xi?Pa^k`J53Q1#AH)(cY>%~~Laq6auTl#2Rf7KQt8`sP=o`+k%5S_+*^Yi5Yib;b z@-i#^zwuOdwp#+HsEj#&(PiAqO8L2*d+T?OIMT?dfYn88aE>k&hSfNAk z;%I6^;V0lHGQ1`dQZI=sX@_&{-?0#3X&C*FS~Yz*cv!itC=k_5eua!%+ zyjmxkmKaadjo_FURvL~vva9vlV(C?s2R;&K-y}H)&InVt93@dAB*~ZtbOhU(q5Xn; z>NjRho(CPeyze|^1y<))#*b^_@2&^?PF4Q>(JsYmy{QaZ$V%ejE!96Sir2t zi)exakFbGhz&|!9z)T@=fIhJg-<)p65MNj*0#*NUx(WJoo5t;-i|s5=#mwjVxB5*e z>XKhG-Rb~DXoRsQB4BUp>E9r*p6#5uBq<|U=^uE>=3MDAyi zM#P$||FEC0<|kGb&!iI1M$8)1hysTrQ(DP5z2Y^{YPF~Us^Hb$Hj;7uXRS$snf72Z zPT%j2^TyjToSrLMN@65mhR_^{ead66q!lXjVqF{_tc7v5f5cvSn~JflU2mM$1g?&m zzP0d@tIYz_q?l`|AsHlTdueRfjqtj zH*X)U{D$|BpKo{!jJ;3p?~McZ@sjScrmJs{Mr!+T31w51@#@uRg)`ct-%i#kxn{Er zBvo&M4JRzDZ&#J8?*gN$pkG`$K0_YnK(qFA~S1 z%(k4AOAK4t`~GrZ_sdjpz9=3mLfS55FJ2SH>4Pd}!X!PQAKc&Yd?D*z z^L6nvy!CcG(+S+Lxu|qqY@c4$UWj!W=>H{MjfIXg)>M0pgCDk}_pFapavxePRrECr zyzh|q7-`e6rEp{o2iqH#>p8G-9!%{9{iVrZb3ZW_9eTriKqJ}Btk&Yd)ukcKq%9v7SL zb#C!-w@@k93-0v$^9N^EE0hxEgaVNDQ7Fq38#)rOG+VyCMz6zleAAig@KI5(ho}Vo zGRp(23W-mKH^zv(#ZOej(!{7RR{RH{i_l+lIqYBNvfI}>r0B4~;{VHBX1KxY;dEaL zXjG$Ou;iO2 zrg%QC(=*f=flIZ8b637TZr*atY4|ohxLCKmym7pLkdj%EvON4lHzeU#c(YGP$g?~y zU-ELhyy`@JisD4z7T5O{GkZ4WywcegGR~R{jlfhf3o*Xr{1oItYhSjVBqf_p`^E zT$fdA4;4Q{oWA4<>FAlJk*;i`{jqn7l9C;`dPR# zq~9>{mjoMOAoYNugu=gN0i%Q3=3Q9*#lmM&(xvPfwU`ZVPOiEu4|Jo|#L8deoVo>` z9E=Vl-xf5}KpRnR*zO5%{m_Ye3~E2^lFCJvB=8P)?6_^X^(!A)9m(Ll# z4E>xruqOs=0I5bnm^W#rP|uKVCyGvLnki=VV&O3Jp{1tAr337`^Jil~;rw@>S)n&d zhGvx+QQ0EXU(@7^YFd7l;sg}Dfd&yehpNivC@m~31T`zE=~!6RpnnN-dkNbt3phV8 z(szfyAh=iI!{6jg9%V7D?X(!q%JmP9i}qHOta(ty0vnGwf?~_g1+7p6OY>E40EhW9Uv@+%rqLnYEqs>(~omN zQ*HG6JsI%j8HWJ*ndnzLyJvDPlOJAj6pp zl_2n4l$$XXfUj`e=2vc@;6RXnf27Trwed`=efZ zZ^s*5?ff{Web<@dI)$C{Ll;NuT;vQ*XEI>w?w@OuGdh9l|45gzJTPyz*aRuT`X#ky z{o}nT!@jcP7cMBwhf1Y{Uc!(vR6ptSM9juw47_{(T(s74?udZjMzy@sRT_laNK z3Y1|N%?DM15h1RjlD{}4JH<6Vu}{)OV~3R1g;L9Rst}HTH}~I_RyISQ)UhT7_ki)(xbIFD2Pq_kd3-OrB!OR5!buGl|0x{ zqOXDFOUX2y&iHxjZI$cg$S54ab4#mh_{9iqG}4=1i)iXkCf{-Xo0VWY%_(K_EgnPv zoydJZCC4EXuStl|`TNc{O;te_XBR^GCR(;gkwVi3rMsG^;KWh@Vd~Vf<#xWY{K5b@6$!+ZLt(oA*&R_VN=RA_4Iz|VIQxe z>>PmMV4qR2NDfN%2b0S2rky)<($C$Rvw9OfC$za+KJ6kS`HK3AZXtn|FmOvh{>!n6 zzDO^~FU08GL4O`0ycOePG+!CPre5T+WW9#9<>cDn;tmqzox|Fk{_(KPcp_QsxPAR_ z3JxMThm%sHK)d?M!q>JLr19aVLM8y`oaiv9<=rn5Pad{vcH101?yS0@`RZ^9CPsin zLeUw=YAg@ZkO0PzfYHj=h-k&r)82u%?GF=z?MH1QYD+6RnJx?26j|CfD-;2EbbOG5 zdIqX~K3zXJ_kdWQ#uqlx{K6(A=wxJM?7j;BB02cCJ#TyBIt%{dJU_RzIJeL>uO_7!$#3&aD*CVC^JS*02yElNWxUFh+iX zO*LP|F0Qt&W{(OpdzWLr1S)n9AFnlte9l@v)_SSOvRs2NJ~6fwUfgCz1rg#)ZSV2# zKeb3QvVhT%?!{Dw`|l36OIUIRujeKC}!H{l{%*DpF7u z(VF&1Pd4Y~=he8a_j!DDr3jwszhiMCDORgNL;REkcHl_c(o?|#@7)5RPCv9!(xm|0 z1ljn?O5aY3!S6(g)_AVKiZ}Vb*!@JA2bucis|S#nW?J*3bH_sriP*~DEykI9j+4Zt0GLYBFYkf2gi{xm?WAuzyEqdM`fa=;_x}t zvz5iwWt>=RrF(y{nekxq=$>`|MQ3iy?HDQqgRJo^)7Fn({Sz<|v@AeB-UoBma2Lgb zsxVayP|~)~|BJExuc~lX7B|*xI**J*Lx#X` zUMzq54hjs%zyDzs`>KZ_3^AC*GAQbH;3K0>);k_C0G_mj-XmuHi{V z+SmWwp-Sd#G|Qu76^XPjC}2mOz~q*j?TJS;$&+=fr!dG!F>ojtix^??$2N#CSjmCJ ztpH6NH`9VROR(3vK8dfgFv= zKeJBr53jUl)ySCDzqzl0Di&Ost6@u6dHf-B6uO9L@+)3kV_<)z^yTDwGCd zAqhG~;yZ$eM2o+n53YSL-q%Ud3{384Oxs>%fYN4Fg?8a`dDE zu~84XxBzIzGmgY0wBI5P>C)Pa@}|X5Gs?$OZH|^*sjG)uxm3rNNlq?o*LU}uJ>367%XE*CBKU9d#u0MTt2rAI8(k%1DU%3d8w%&WSoJrMs-hX4&6Sd9TDTx?@ z>mFT~r)T%6XpR5gN@#F?a+@OeKGrF>xC4n#dZ%M~9j! z#jdsaOC|mfVycQZ55k9YFRcS2VwL6cLXw(!-C8u*@vNiS(7hK3OL*UWp7}Q}UD%>* zw#7!JOs6fM=1n$@9Uh?2=6vAz#o~4DTjy7|+P(1V;pd;cW!p4}{HTIGE)2QFh78>U zLiC!=m01gZVM6Em%37u2jr2+xd{_JiY}Y-zU*7$pj=ApmEcD4eYF=MCWj@Cfqe-) zII?L&1Ir^ko_#UhwHO3BNmbv=@< zS9<=@(ZRdhf9Oo>Ii01d`Lew`IAYvqCr9c`BkAuL(s`}XxQ|6ihrJM#Ji&Kx@Rg47 z4Y{{C)o(sYcs^q+U?<~VsMu2JNgN$lU!XUZ*;d0%5#=|9B0bx?*emq6P*s= z+5ecr_`e*&Ac_*L7J*s#aq{mdpW&-}l|tl%t>yUlfW7OK9W&xe^tj6TNYOeIk}0?$ zEer$19umK-v)q7_&ZdE130^GTN7w!{Eo=`zs&Hc&lQn7czaDQS;ZF`N<6taxKSQ`_ z4T9Hj9UaCWh&>_^!a5P@ftPVqBarX$+A_7uS~%7>i~)MEc6mc9)q-od2XaB(dch*G z?1=CnGdN=NUX2+x=2mX~veC9g@ov5UVbS^e&I#r;6kGKNQ=kT}#4>V=G#NqOaPd2) zGt%h&7&E$a=;4@D4;==FbN80vrgQSZIrR7@dnohEx1co{jY_fVRLmj0JRm@3C}+Tl z$}Lf`JPsH8M${O-7(|rrA5&w>_LWTS`CmH6~HrX%9gwB!w zU)oejqfRMBO&J{QqlzN1SPTuEazF#8ltIXV?RY?rBKgIxHeJe8YA{1(5Ex?GO_hR% z7yvBx9V@JCcopgZ8|E-2?8V-5eQ+Mr#kybG9<(&Kx~OrhRcc%DwvN!wtjFul-#OhB zIy+{!)u>72(ffg3j(IkSGeTESF|BLHGQxljUa3f@9)1GqUB+&IgKXcI<7--bJF{Dn z#!p*cY)lRe>|X!CE61Z49sqM@r&gcjX;y}VxS)LgFQGSESa0YHncNowO^TqzR z)-7LOeO}cT#2xcvKU?ARvJ|z}CH`{#Z&`Hd8i$FYW;Y6XO>|2m5Yz*7Pl*j_5>4St z5*)H)3^6c+_!lFa6Q8j`gS9W-SX1@t!o!2RRL0ZF0=A9b;tCt1z^rxDek=EPlYIA- z_21@DcPu{Sw)C6ekUQ|7frlc+WZvR3&+sfq=M#~fzgcRlH^qQE^}t6i*|j0d2`2Nj zziHtHt4ok&mH|&(-A0NWwdIKEX*!A)+zhLC5OnP*3d1l>Kp0xMN`Dm8Efq-(mS1@Z z2rdo+Utgtx*Z`UFl3D<+2qPJd?hhuZmk@_+%Qna{7VqY9>sRfs6Q-9AStHrZaUbCm z54*_-qOyn`m>6)QYdiHw3Z%;f8wNDWLN8U=aXpAV5^7&{dy4wJefzPiMFro`CRKD{ zE=4<+N(wjX6R9?VLZL-uOH^z`?C-dUw-~E@aq*<)E5}qwKqD)@-^?z<%bX{Z^yEg3k2;r4YQSP`X-V>=d}&Z{&&GBX<9~6RZM+y8vU^UnDhPCle}{| z)}ZJYguk?3@22o~ z#+90IAefx%4lmYl45V+EgAN%q{M_Oi{a{?eSM3wh~3Frg?Q#?nbj!-0>j2T$Nvu0dFM@3lG|w)z|8jc7~2`H=1Qqd;lTp6CVWl zp187Kv%WhoGnakb&XQt;z1WKsY4e5uqtQc!(#U|NoP`i&fEL2Xja>499KiN~8fK zOi;iMED_uV{(>YOqPKuXWz6@aAJ(fdtMsske7udEM}BNlo$tip1GMi?)@RSx(kDo= z4-}CH@iMKgkmSrH^Ne=pFV~>`38@w&^VAW?f~su(WX3HQ_3@qS>{(jy%M!>(E11H* z<#Skt+_^%dx&EGjh;Kzf-1%&=S`OXhzv**w*11anVrirg#8zpDMnsH$OHy@`X`*f9 zcVSG{Ic~yrOmsc3^4;)dMzGzO9MoJoWUx#P!9Zi_cl22+Z$xWuC2M#Re_QIF&#WIk z4GiB_l{8dxk9HqZFU$+tI*-2FE%||q5uzl>H}Rm0XDJqdZSjFaCIEZW$S9r$7vQ2o zO(hryD`;_m7M1#o6b@acS2Q|R^pCOvFP4VAEFgEnidHbXZmMc0L#CsQV9FiLHV(}* z3!4VU+Z{K4jAIk-#ZnKajL;owoSs73E{h1A4NsA_l()kLTLo1~BlYvv*l$0w_s@w{lOn71!=DSub|?3fXWaM zEH;JnEejPsUL~fG1BBmY00Fj2A&n%7`W4Y)Zuvt4njaO_{~s~F7WN{>H?P&-UZTy| zBtg>{A4hEkpqqbbFPndqec-e-XscmSn3@cBt>Y{%GWTJ#7mSmJTFVhwVQ8z}T_p~7 zRPeNsXcgku1C6U+``~|j|CGnPCfR&XeUcNg_THSvkAfnntD6zy-+ zU5!CQIqdiQk#}bae7FL8O&FDFk|XERbXIlt3(5>=RKFy#s1n>CSUf&eCgpK-d;G4Q z3dSCe?3%K+6))2urNqCdi;kiM;fHsR@Je>ITiJBc$2p|dBw@k_3{g@bQG~Y3W3HCo zp+HH^NL%}+_r6gv&e6|NZ^u_$*HYz8w!G*R>za8{v1!(dY`HQ@qj}>qXJT)P3bus@ zy1OMyo5&Bg*k;^Bqat8q*@4qn#RaKLIano!s0C#Nu+O+gda|}r(TQB0Zil?~kZz7` zGK`{n+tBwNm=s-3LsaCHyMlQB@Bm6U)U8O|b*!o^nX;z3K#iTy+;FgD3%({HeM*~{ z7;=5MG8hp@<~iz5X+8N>8(RYW^p)Rdv-Sn=UQZy#WDSPr3cpy>V;L4xaosZ<`6+h* zNH1Om$>$Ym&njcBNO&?MV{J?j=-oO{YG2mi%7G zl?`}v{~x;SY_WW2A->4-nK;hHq61+hz&%-Ior8>t?l+H4HSvX= zuL;73YaT%9{CN?!;NCa)sZ*MS$oX7huQcBOxMt+Ue_gXGBk?;i+6+YjO$yo!`mBqK z;%&75P-kFrT0~TYH+yO4c;wQG7BDDz-wIMcBeTpTHRG8t6R(BkYA#tSn9A}49 z9(~PvK(uufbun)k?x=KRK$S0;%Z15ThwvxdPk$bRj+g=A+MTAj3o2vS$&_fMSC8*I zvT2_@=e}f}oJq@IGN4!cUc(bA<`wu*D(qRV@X`tG;ob&-+AaqjDwf%vHo zdk+;P>;Nf*m^;K6tJ1rypft4)lU8LBA~^-q*~54hB}27}9$xZ{Tq>{B#W*2$ZeJ*- zYT@8gwV}?Pd}&S5Rh9D>*K_;Br<#?y2N%gXl-6>u#bI6S{m9hxsyJ< zb`Zutg?br^65g@lPNbGW&T`b`SoGp$Exjte5F%px-$s%~^3)}H1yx~1oJ;X@-D#R} z^lw3!V)Xc9<#0vzTE+JEKUBL_C4}Zd*zn>)=32%6Mds6ulzr4H=&}_!9a@-j^ua~6 zW4%k0y`djR@tVB9F}K!}yncOMSU0`VI4mb${-~$?RZ^AoGGq6lsb5^kr(a7*9s*4; z1_Dl1tUkVYk)n`X2;e;(G*l-KfyY2~m!V>(QAr39{Ofs!0&=6y1MWAJ!9ykU&vSEk zRi>lu&tIMso!eo+YBCV`Q708g4uCt}%WBmGbhRp;0{oAk1~p{C6HS0hS}=bk057h? zKw7nJjo@X%^pkeTzdwCg6J4EX9X@QmA8tO(%M6v7V`OKb0iys?X~9ju08PBN z_8W&PoPfhmf_&DuYTOZVHTb^FZ^g;PwQwE%W$boUiHyej5O0t;y7m6NuXOzx!s3sS znM&%|(Yg56kz95!v5tjfjt-cgABSe^K~qlTFx0nJIT?|cEA(&;0Dv*uyo`;y$G@u>$MtiI%1&~3frq_!n%?Y&!(;{Tj&en{r^S!-k>mSEwK1TE|w$C)DZ*Tsn zdh>TH^TMhRInGQ)Krw!syd z?( zk3?BB2Exq5abjXO6exD3H)D;Y1;m}0(3EtfP|Q6Q88R5q4M&XE;R~W2`(H^|37Zay~m zS+8w$mbre-^EGvqR@oEwe9!QleklLzyTb)8?|xi!^*>iDtoeI))$?@6bALa7yQg`{ zdVbG(Xt$@p1J>>7TJkwvF>dml)Y%Mi#Vv7t*ZKP|cogO3Juz`IJDtMW!*CO}S82!k z2Z79ce<7_dC1tGCYVxg{nzN2LodB-kRNYj2sA$4kuCjkOwd2`tF3p$QV7B4g?1<_H zd5O7Oe*0c#*84K&kp_d^g=13#esIeiy#3~Eg|44w>+`(_;}3tBxF?dcP5n4?+xNsD zxuFv46vUZ|6xrr67b#XPUT!Pi)UPhy#CvvE=p;4PpBzt|fUEZy&YLsr*A#Cu&6*op zzw{gb#h;GB`3kzbt-mf7{VDp&E_@#ML50_5{k{-6Rwv(s&UqRl8QUASH02bIH7}-%f115a#{1;e1m8(okuK@BHr1JT9^E?DoT8rBCoomV(sE?_3j3ZMx2%V0Jj+o7&1ZMXz6 Date: Tue, 8 Sep 2020 11:53:03 -0400 Subject: [PATCH 04/10] Finishing type conversions for backend --- .../common/endpoint/index_data.ts | 3 +- .../common/endpoint/models/event.ts | 6 +- .../endpoint/routes/resolver/utils/node.ts | 1 - .../routes/resolver/utils/tree.test.ts | 2 +- .../apis/resolver/children.ts | 98 ++++++++++--------- .../apis/resolver/common.ts | 18 ++++ .../apis/resolver/entity_id.ts | 46 +++++---- .../apis/resolver/events.ts | 28 +++--- .../apis/resolver/tree.ts | 58 +++++------ .../services/resolver.ts | 3 +- 10 files changed, 146 insertions(+), 117 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/index_data.ts b/x-pack/plugins/security_solution/common/endpoint/index_data.ts index a82815ea6ea27..b8c2fdbe65f1e 100644 --- a/x-pack/plugins/security_solution/common/endpoint/index_data.ts +++ b/x-pack/plugins/security_solution/common/endpoint/index_data.ts @@ -7,6 +7,7 @@ import { Client } from '@elastic/elasticsearch'; import seedrandom from 'seedrandom'; import { EndpointDocGenerator, TreeOptions, Event } from './generate_data'; +import { firstNonNullValue } from './models/ecs_safety_helpers'; export async function indexHostsAndAlerts( client: Client, @@ -86,7 +87,7 @@ async function indexAlerts( // eslint-disable-next-line @typescript-eslint/no-explicit-any (array: Array>, doc) => { let index = eventIndex; - if (doc.event?.kind === 'alert') { + if (firstNonNullValue(doc.event?.kind) === 'alert') { index = alertIndex; } array.push({ create: { _index: index } }, doc); diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.ts index d7cd555170fcc..07208214a641a 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.ts @@ -67,11 +67,7 @@ export function timestampAsDateSafeVersion(event: SafeResolverEvent): Date | und } export function eventTimestamp(event: ResolverEvent): string | undefined | number { - if (isLegacyEvent(event)) { - return event.endgame.timestamp_utc; - } else { - return event['@timestamp']; - } + return event['@timestamp']; } export function eventName(event: ResolverEvent): string { diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/node.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/node.ts index fbef43bb93679..535ee37f3db32 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/node.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/node.ts @@ -7,7 +7,6 @@ import { SafeResolverAncestry, SafeResolverTree, - ResolverChildNode, ResolverRelatedAlerts, SafeResolverChildren, SafeResolverLifecycleNode, diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts index 8ec2e0a122cc3..290af87a61b1d 100644 --- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts +++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver/utils/tree.test.ts @@ -11,7 +11,7 @@ import { SafeResolverEvent, SafeResolverRelatedEvents, } from '../../../../../common/endpoint/types'; -import { entityId, entityIDSafeVersion } from '../../../../../common/endpoint/models/event'; +import { entityIDSafeVersion } from '../../../../../common/endpoint/models/event'; describe('Tree', () => { const generator = new EndpointDocGenerator(); diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/children.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/children.ts index 2dec3c755a93b..49e24ff67fa77 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/children.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/children.ts @@ -5,14 +5,17 @@ */ import expect from '@kbn/expect'; import { SearchResponse } from 'elasticsearch'; -import { entityId } from '../../../../plugins/security_solution/common/endpoint/models/event'; +import { + entityIDSafeVersion, + timestampSafeVersion, +} from '../../../../plugins/security_solution/common/endpoint/models/event'; import { eventsIndexPattern } from '../../../../plugins/security_solution/common/endpoint/constants'; import { ChildrenPaginationBuilder } from '../../../../plugins/security_solution/server/endpoint/routes/resolver/utils/children_pagination'; import { ChildrenQuery } from '../../../../plugins/security_solution/server/endpoint/routes/resolver/queries/children'; import { - ResolverTree, - ResolverEvent, - ResolverChildren, + SafeResolverTree, + SafeResolverEvent, + SafeResolverChildren, } from '../../../../plugins/security_solution/common/endpoint/types'; import { FtrProviderContext } from '../../ftr_provider_context'; import { @@ -20,6 +23,7 @@ import { EndpointDocGenerator, } from '../../../../plugins/security_solution/common/endpoint/generate_data'; import { InsertedEvents } from '../../services/resolver'; +import { createAncestryArray } from './common'; export default function resolverAPIIntegrationTests({ getService }: FtrProviderContext) { const supertest = getService('supertest'); @@ -40,20 +44,20 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC // Origin -> infoEvent -> startEvent -> execEvent origin = generator.generateEvent(); infoEvent = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), eventType: ['info'], }); startEvent = generator.generateEvent({ - parentEntityID: infoEvent.process.entity_id, - ancestry: [infoEvent.process.entity_id, origin.process.entity_id], + parentEntityID: entityIDSafeVersion(infoEvent), + ancestry: createAncestryArray([infoEvent, origin]), eventType: ['start'], }); execEvent = generator.generateEvent({ - parentEntityID: startEvent.process.entity_id, - ancestry: [startEvent.process.entity_id, infoEvent.process.entity_id], + parentEntityID: entityIDSafeVersion(startEvent), + ancestry: createAncestryArray([startEvent, infoEvent]), eventType: ['change'], }); genData = await resolver.insertEvents([origin, infoEvent, startEvent, execEvent]); @@ -64,13 +68,13 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC }); it('finds all the children of the origin', async () => { - const { body }: { body: ResolverTree } = await supertest - .get(`/api/endpoint/resolver/${origin.process.entity_id}?children=100`) + const { body }: { body: SafeResolverTree } = await supertest + .get(`/api/endpoint/resolver/${origin.process?.entity_id}?children=100`) .expect(200); expect(body.children.childNodes.length).to.be(3); - expect(body.children.childNodes[0].entityID).to.be(infoEvent.process.entity_id); - expect(body.children.childNodes[1].entityID).to.be(startEvent.process.entity_id); - expect(body.children.childNodes[2].entityID).to.be(execEvent.process.entity_id); + expect(body.children.childNodes[0].entityID).to.be(infoEvent.process?.entity_id); + expect(body.children.childNodes[1].entityID).to.be(startEvent.process?.entity_id); + expect(body.children.childNodes[2].entityID).to.be(execEvent.process?.entity_id); }); }); @@ -86,23 +90,23 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC // Origin -> (infoEvent, startEvent, execEvent are all for the same node) origin = generator.generateEvent(); startEvent = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), eventType: ['start'], }); infoEvent = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], - entityID: startEvent.process.entity_id, + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), + entityID: entityIDSafeVersion(startEvent), eventType: ['info'], }); execEvent = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), eventType: ['change'], - entityID: startEvent.process.entity_id, + entityID: entityIDSafeVersion(startEvent), }); genData = await resolver.insertEvents([origin, infoEvent, startEvent, execEvent]); }); @@ -117,12 +121,12 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC eventsIndexPattern ); // [1] here gets the body portion of the array - const [, query] = childrenQuery.buildMSearch(origin.process.entity_id); - const { body } = await es.search>({ body: query }); + const [, query] = childrenQuery.buildMSearch(entityIDSafeVersion(origin) ?? ''); + const { body } = await es.search>({ body: query }); expect(body.hits.hits.length).to.be(1); const event = body.hits.hits[0]._source; - expect(entityId(event)).to.be(startEvent.process.entity_id); + expect(entityIDSafeVersion(event)).to.be(startEvent.process?.entity_id); expect(event.event?.type).to.eql(['start']); }); }); @@ -139,25 +143,25 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC // Origin -> (infoEvent, startEvent, execEvent are all for the same node) origin = generator.generateEvent(); startEvent = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), eventType: ['start'], }); infoEvent = generator.generateEvent({ - timestamp: startEvent['@timestamp'] + 100, - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], - entityID: startEvent.process.entity_id, + timestamp: (timestampSafeVersion(startEvent) ?? 0) + 100, + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), + entityID: entityIDSafeVersion(startEvent), eventType: ['info'], }); execEvent = generator.generateEvent({ - timestamp: infoEvent['@timestamp'] + 100, - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + timestamp: (timestampSafeVersion(infoEvent) ?? 0) + 100, + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), eventType: ['change'], - entityID: startEvent.process.entity_id, + entityID: entityIDSafeVersion(startEvent), }); genData = await resolver.insertEvents([origin, infoEvent, startEvent, execEvent]); }); @@ -167,37 +171,37 @@ export default function resolverAPIIntegrationTests({ getService }: FtrProviderC }); it('retrieves the same node three times', async () => { - let { body }: { body: ResolverChildren } = await supertest - .get(`/api/endpoint/resolver/${origin.process.entity_id}/children?children=1`) + let { body }: { body: SafeResolverChildren } = await supertest + .get(`/api/endpoint/resolver/${origin.process?.entity_id}/children?children=1`) .expect(200); expect(body.childNodes.length).to.be(1); expect(body.nextChild).to.not.be(null); - expect(body.childNodes[0].entityID).to.be(startEvent.process.entity_id); - expect(body.childNodes[0].lifecycle[0].event?.type).to.eql(startEvent.event.type); + expect(body.childNodes[0].entityID).to.be(startEvent.process?.entity_id); + expect(body.childNodes[0].lifecycle[0].event?.type).to.eql(startEvent.event?.type); ({ body } = await supertest .get( - `/api/endpoint/resolver/${origin.process.entity_id}/children?children=1&afterChild=${body.nextChild}` + `/api/endpoint/resolver/${origin.process?.entity_id}/children?children=1&afterChild=${body.nextChild}` ) .expect(200)); expect(body.childNodes.length).to.be(1); expect(body.nextChild).to.not.be(null); - expect(body.childNodes[0].entityID).to.be(infoEvent.process.entity_id); - expect(body.childNodes[0].lifecycle[1].event?.type).to.eql(infoEvent.event.type); + expect(body.childNodes[0].entityID).to.be(infoEvent.process?.entity_id); + expect(body.childNodes[0].lifecycle[1].event?.type).to.eql(infoEvent.event?.type); ({ body } = await supertest .get( - `/api/endpoint/resolver/${origin.process.entity_id}/children?children=1&afterChild=${body.nextChild}` + `/api/endpoint/resolver/${origin.process?.entity_id}/children?children=1&afterChild=${body.nextChild}` ) .expect(200)); expect(body.childNodes.length).to.be(1); expect(body.nextChild).to.not.be(null); - expect(body.childNodes[0].entityID).to.be(infoEvent.process.entity_id); - expect(body.childNodes[0].lifecycle[2].event?.type).to.eql(execEvent.event.type); + expect(body.childNodes[0].entityID).to.be(infoEvent.process?.entity_id); + expect(body.childNodes[0].lifecycle[2].event?.type).to.eql(execEvent.event?.type); ({ body } = await supertest .get( - `/api/endpoint/resolver/${origin.process.entity_id}/children?children=1&afterChild=${body.nextChild}` + `/api/endpoint/resolver/${origin.process?.entity_id}/children?children=1&afterChild=${body.nextChild}` ) .expect(200)); expect(body.childNodes.length).to.be(0); diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts index f36d37ffae239..2c59863099ae7 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/common.ts @@ -13,6 +13,7 @@ import { } from '../../../../plugins/security_solution/common/endpoint/types'; import { parentEntityIDSafeVersion, + entityIDSafeVersion, eventIDSafeVersion, } from '../../../../plugins/security_solution/common/endpoint/models/event'; import { @@ -23,6 +24,23 @@ import { categoryMapping, } from '../../../../plugins/security_solution/common/endpoint/generate_data'; +/** + * Creates the ancestry array based on an array of events. The order of the ancestry array will match the order + * of the events passed in. + * + * @param events an array of generated events + */ +export const createAncestryArray = (events: Event[]) => { + const ancestry: string[] = []; + for (const event of events) { + const entityID = entityIDSafeVersion(event); + if (entityID) { + ancestry.push(entityID); + } + } + return ancestry; +}; + /** * Check that the given lifecycle is in the resolver tree's corresponding map * diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity_id.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity_id.ts index cb6c49e17c712..e6d5e8fccd00d 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity_id.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/entity_id.ts @@ -4,9 +4,10 @@ * you may not use this file except in compliance with the Elastic License. */ import expect from '@kbn/expect'; +import { entityIDSafeVersion } from '../../../../plugins/security_solution/common/endpoint/models/event'; import { eventsIndexPattern } from '../../../../plugins/security_solution/common/endpoint/constants'; import { - ResolverTree, + SafeResolverTree, ResolverEntityIndex, } from '../../../../plugins/security_solution/common/endpoint/types'; import { FtrProviderContext } from '../../ftr_provider_context'; @@ -15,19 +16,26 @@ import { Event, } from '../../../../plugins/security_solution/common/endpoint/generate_data'; import { InsertedEvents } from '../../services/resolver'; +import { createAncestryArray } from './common'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertest'); const resolver = getService('resolverGenerator'); const generator = new EndpointDocGenerator('resolver'); + const setEntityIDEmptyString = (event: Event) => { + if (event.process?.entity_id) { + event.process.entity_id = ''; + } + }; + describe('Resolver handling of entity ids', () => { describe('entity api', () => { let origin: Event; let genData: InsertedEvents; before(async () => { origin = generator.generateEvent({ parentEntityID: 'a' }); - origin.process.entity_id = ''; + setEntityIDEmptyString(origin); genData = await resolver.insertEvents([origin]); }); @@ -57,16 +65,16 @@ export default function ({ getService }: FtrProviderContext) { // should not be returned by the backend. origin = generator.generateEvent({ entityID: 'a' }); childNoEntityID = generator.generateEvent({ - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), }); // force it to be empty - childNoEntityID.process.entity_id = ''; + setEntityIDEmptyString(childNoEntityID); childWithEntityID = generator.generateEvent({ entityID: 'b', - parentEntityID: origin.process.entity_id, - ancestry: [origin.process.entity_id], + parentEntityID: entityIDSafeVersion(origin), + ancestry: createAncestryArray([origin]), }); events = [origin, childNoEntityID, childWithEntityID]; genData = await resolver.insertEvents(events); @@ -77,11 +85,11 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not find children without a process entity_id', async () => { - const { body }: { body: ResolverTree } = await supertest - .get(`/api/endpoint/resolver/${origin.process.entity_id}`) + const { body }: { body: SafeResolverTree } = await supertest + .get(`/api/endpoint/resolver/${origin.process?.entity_id}`) .expect(200); expect(body.children.childNodes.length).to.be(1); - expect(body.children.childNodes[0].entityID).to.be(childWithEntityID.process.entity_id); + expect(body.children.childNodes[0].entityID).to.be(childWithEntityID.process?.entity_id); }); }); @@ -101,21 +109,21 @@ export default function ({ getService }: FtrProviderContext) { }); ancestor1 = generator.generateEvent({ entityID: '1', - parentEntityID: ancestor2.process.entity_id, - ancestry: [ancestor2.process.entity_id], + parentEntityID: entityIDSafeVersion(ancestor2), + ancestry: createAncestryArray([ancestor2]), }); // we'll insert an event that doesn't have an entity id so if the backend does search for it, it should be // returned and our test should fail ancestorNoEntityID = generator.generateEvent({ - ancestry: [ancestor2.process.entity_id], + ancestry: createAncestryArray([ancestor2]), }); - ancestorNoEntityID.process.entity_id = ''; + setEntityIDEmptyString(ancestorNoEntityID); origin = generator.generateEvent({ entityID: 'a', - parentEntityID: ancestor1.process.entity_id, - ancestry: ['', ancestor2.process.entity_id], + parentEntityID: entityIDSafeVersion(ancestor1), + ancestry: ['', ...createAncestryArray([ancestor2])], }); events = [origin, ancestor1, ancestor2, ancestorNoEntityID]; @@ -127,11 +135,11 @@ export default function ({ getService }: FtrProviderContext) { }); it('does not query for ancestors that have an empty string for the entity_id', async () => { - const { body }: { body: ResolverTree } = await supertest - .get(`/api/endpoint/resolver/${origin.process.entity_id}`) + const { body }: { body: SafeResolverTree } = await supertest + .get(`/api/endpoint/resolver/${origin.process?.entity_id}`) .expect(200); expect(body.ancestry.ancestors.length).to.be(1); - expect(body.ancestry.ancestors[0].entityID).to.be(ancestor2.process.entity_id); + expect(body.ancestry.ancestors[0].entityID).to.be(ancestor2.process?.entity_id); }); }); }); diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/events.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/events.ts index c0e4e466c7b62..4e248f52ec297 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/events.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/events.ts @@ -4,8 +4,8 @@ * you may not use this file except in compliance with the Elastic License. */ import expect from '@kbn/expect'; -import { eventId } from '../../../../plugins/security_solution/common/endpoint/models/event'; -import { ResolverRelatedEvents } from '../../../../plugins/security_solution/common/endpoint/types'; +import { eventIDSafeVersion } from '../../../../plugins/security_solution/common/endpoint/models/event'; +import { SafeResolverRelatedEvents } from '../../../../plugins/security_solution/common/endpoint/types'; import { FtrProviderContext } from '../../ftr_provider_context'; import { Tree, @@ -59,7 +59,7 @@ export default function ({ getService }: FtrProviderContext) { const cursor = 'eyJ0aW1lc3RhbXAiOjE1ODE0NTYyNTUwMDAsImV2ZW50SUQiOiI5NDA0MyJ9'; it('should return details for the root node', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${entityID}/events?legacyEndpointID=${endpointID}`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -69,7 +69,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('returns no values when there is no more data', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest // after is set to the document id of the last event so there shouldn't be any more after it .post( `/api/endpoint/resolver/${entityID}/events?legacyEndpointID=${endpointID}&afterEvent=${cursor}` @@ -82,7 +82,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should return the first page of information when the cursor is invalid', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post( `/api/endpoint/resolver/${entityID}/events?legacyEndpointID=${endpointID}&afterEvent=blah` ) @@ -93,7 +93,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should return no results for an invalid endpoint ID', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${entityID}/events?legacyEndpointID=foo`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -120,7 +120,7 @@ export default function ({ getService }: FtrProviderContext) { describe('endpoint events', () => { it('should not find any events', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/5555/events`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -129,7 +129,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should return details for the root node', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/events`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -140,7 +140,7 @@ export default function ({ getService }: FtrProviderContext) { it('should allow for the events to be filtered', async () => { const filter = `event.category:"${RelatedEventCategory.Driver}"`; - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/events`) .set('kbn-xsrf', 'xxx') .send({ @@ -156,7 +156,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should return paginated results for the root node', async () => { - let { body }: { body: ResolverRelatedEvents } = await supertest + let { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/events?events=2`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -185,7 +185,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should return the first page of information when the cursor is invalid', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/events?afterEvent=blah`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -195,7 +195,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should sort the events in descending order', async () => { - const { body }: { body: ResolverRelatedEvents } = await supertest + const { body }: { body: SafeResolverRelatedEvents } = await supertest .post(`/api/endpoint/resolver/${tree.origin.id}/events`) .set('kbn-xsrf', 'xxx') .expect(200); @@ -204,8 +204,8 @@ export default function ({ getService }: FtrProviderContext) { // the last element in the array so let's reverse it const relatedEvents = tree.origin.relatedEvents.reverse(); for (let i = 0; i < body.events.length; i++) { - expect(body.events[i].event?.category).to.equal(relatedEvents[i].event.category); - expect(eventId(body.events[i])).to.equal(relatedEvents[i].event.id); + expect(body.events[i].event?.category).to.equal(relatedEvents[i].event?.category); + expect(eventIDSafeVersion(body.events[i])).to.equal(relatedEvents[i].event?.id); } }); }); diff --git a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts index 957d559087f5e..837af6a940f5c 100644 --- a/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts +++ b/x-pack/test/security_solution_endpoint_api_int/apis/resolver/tree.ts @@ -5,12 +5,12 @@ */ import expect from '@kbn/expect'; import { - ResolverAncestry, - ResolverChildren, - ResolverTree, - LegacyEndpointEvent, + SafeResolverAncestry, + SafeResolverChildren, + SafeResolverTree, + SafeLegacyEndpointEvent, } from '../../../../plugins/security_solution/common/endpoint/types'; -import { parentEntityId } from '../../../../plugins/security_solution/common/endpoint/models/event'; +import { parentEntityIDSafeVersion } from '../../../../plugins/security_solution/common/endpoint/models/event'; import { FtrProviderContext } from '../../ftr_provider_context'; import { Tree, @@ -71,7 +71,7 @@ export default function ({ getService }: FtrProviderContext) { const entityID = '94042'; it('should return details for the root node', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get( `/api/endpoint/resolver/${entityID}/ancestry?legacyEndpointID=${endpointID}&ancestors=5` ) @@ -82,7 +82,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should have a populated next parameter', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get( `/api/endpoint/resolver/${entityID}/ancestry?legacyEndpointID=${endpointID}&ancestors=0` ) @@ -91,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should handle an ancestors param request', async () => { - let { body }: { body: ResolverAncestry } = await supertest + let { body }: { body: SafeResolverAncestry } = await supertest .get( `/api/endpoint/resolver/${entityID}/ancestry?legacyEndpointID=${endpointID}&ancestors=0` ) @@ -110,14 +110,14 @@ export default function ({ getService }: FtrProviderContext) { describe('endpoint events', () => { it('should return the origin node at the front of the array', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/ancestry?ancestors=9`) .expect(200); expect(body.ancestors[0].entityID).to.eql(tree.origin.id); }); it('should return details for the root node', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/ancestry?ancestors=9`) .expect(200); // the tree we generated had 5 ancestors + 1 origin node @@ -128,7 +128,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('should handle an invalid id', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get(`/api/endpoint/resolver/alskdjflasj/ancestry`) .expect(200); expect(body.ancestors).to.be.empty(); @@ -136,18 +136,20 @@ export default function ({ getService }: FtrProviderContext) { }); it('should have a populated next parameter', async () => { - const { body }: { body: ResolverAncestry } = await supertest + const { body }: { body: SafeResolverAncestry } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/ancestry?ancestors=2`) .expect(200); // it should have 2 ancestors + 1 origin expect(body.ancestors.length).to.eql(3); verifyAncestry(body.ancestors, tree, false); const distantGrandparent = retrieveDistantAncestor(body.ancestors); - expect(body.nextAncestor).to.eql(parentEntityId(distantGrandparent.lifecycle[0])); + expect(body.nextAncestor).to.eql( + parentEntityIDSafeVersion(distantGrandparent.lifecycle[0]) + ); }); it('should handle multiple ancestor requests', async () => { - let { body }: { body: ResolverAncestry } = await supertest + let { body }: { body: SafeResolverAncestry } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/ancestry?ancestors=3`) .expect(200); expect(body.ancestors.length).to.eql(4); @@ -171,7 +173,7 @@ export default function ({ getService }: FtrProviderContext) { const entityID = '94041'; it('returns child process lifecycle events', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${entityID}/children?legacyEndpointID=${endpointID}`) .expect(200); expect(body.childNodes.length).to.eql(1); @@ -179,12 +181,12 @@ export default function ({ getService }: FtrProviderContext) { expect( // for some reason the ts server doesn't think `endgame` exists even though we're using ResolverEvent // here, so to avoid it complaining we'll just force it - (body.childNodes[0].lifecycle[0] as LegacyEndpointEvent).endgame.unique_pid + (body.childNodes[0].lifecycle[0] as SafeLegacyEndpointEvent).endgame.unique_pid ).to.eql(94042); }); it('returns multiple levels of child process lifecycle events', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/93802/children?legacyEndpointID=${endpointID}&children=10`) .expect(200); expect(body.childNodes.length).to.eql(10); @@ -193,12 +195,12 @@ export default function ({ getService }: FtrProviderContext) { expect( // for some reason the ts server doesn't think `endgame` exists even though we're using ResolverEvent // here, so to avoid it complaining we'll just force it - (body.childNodes[0].lifecycle[0] as LegacyEndpointEvent).endgame.unique_pid + (body.childNodes[0].lifecycle[0] as SafeLegacyEndpointEvent).endgame.unique_pid ).to.eql(93932); }); it('returns no values when there is no more data', async () => { - let { body }: { body: ResolverChildren } = await supertest + let { body }: { body: SafeResolverChildren } = await supertest .get( // there should only be a single child for this node `/api/endpoint/resolver/94041/children?legacyEndpointID=${endpointID}&children=1` @@ -216,7 +218,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('returns the first page of information when the cursor is invalid', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get( `/api/endpoint/resolver/${entityID}/children?legacyEndpointID=${endpointID}&afterChild=blah` ) @@ -236,7 +238,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('returns empty events without a matching entity id', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/5555/children`) .expect(200); expect(body.nextChild).to.eql(null); @@ -244,7 +246,7 @@ export default function ({ getService }: FtrProviderContext) { }); it('returns empty events with an invalid endpoint id', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${entityID}/children?legacyEndpointID=foo`) .expect(200); expect(body.nextChild).to.eql(null); @@ -254,7 +256,7 @@ export default function ({ getService }: FtrProviderContext) { describe('endpoint events', () => { it('returns all children for the origin', async () => { - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/children?children=100`) .expect(200); // there are 2 levels in the children part of the tree and 3 nodes for each = @@ -269,7 +271,7 @@ export default function ({ getService }: FtrProviderContext) { // this gets a node should have 3 children which were created in succession so that the timestamps // are ordered correctly to be retrieved in a single call const distantChildEntityID = Array.from(tree.childrenLevels[0].values())[0].id; - const { body }: { body: ResolverChildren } = await supertest + const { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${distantChildEntityID}/children?children=3`) .expect(200); expect(body.childNodes.length).to.eql(3); @@ -281,7 +283,7 @@ export default function ({ getService }: FtrProviderContext) { // this gets a node should have 3 children which were created in succession so that the timestamps // are ordered correctly to be retrieved in a single call const distantChildEntityID = Array.from(tree.childrenLevels[0].values())[0].id; - let { body }: { body: ResolverChildren } = await supertest + let { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${distantChildEntityID}/children?children=1`) .expect(200); expect(body.childNodes.length).to.eql(1); @@ -308,7 +310,7 @@ export default function ({ getService }: FtrProviderContext) { it('gets all children in two queries', async () => { // should get all the children of the origin - let { body }: { body: ResolverChildren } = await supertest + let { body }: { body: SafeResolverChildren } = await supertest .get(`/api/endpoint/resolver/${tree.origin.id}/children?children=3`) .expect(200); expect(body.childNodes.length).to.eql(3); @@ -334,7 +336,7 @@ export default function ({ getService }: FtrProviderContext) { const endpointID = '5a0c957f-b8e7-4538-965e-57e8bb86ad3a'; it('returns ancestors, events, children, and current process lifecycle', async () => { - const { body }: { body: ResolverTree } = await supertest + const { body }: { body: SafeResolverTree } = await supertest .get(`/api/endpoint/resolver/93933?legacyEndpointID=${endpointID}`) .expect(200); expect(body.ancestry.nextAncestor).to.equal(null); @@ -348,7 +350,7 @@ export default function ({ getService }: FtrProviderContext) { describe('endpoint events', () => { it('returns a tree', async () => { - const { body }: { body: ResolverTree } = await supertest + const { body }: { body: SafeResolverTree } = await supertest .get( `/api/endpoint/resolver/${tree.origin.id}?children=100&ancestors=5&events=5&alerts=5` ) diff --git a/x-pack/test/security_solution_endpoint_api_int/services/resolver.ts b/x-pack/test/security_solution_endpoint_api_int/services/resolver.ts index 7e4d4177affac..c5855281f55c9 100644 --- a/x-pack/test/security_solution_endpoint_api_int/services/resolver.ts +++ b/x-pack/test/security_solution_endpoint_api_int/services/resolver.ts @@ -9,6 +9,7 @@ import { EndpointDocGenerator, Event, } from '../../../plugins/security_solution/common/endpoint/generate_data'; +import { firstNonNullValue } from '../../../plugins/security_solution/common/endpoint/models/ecs_safety_helpers'; import { FtrProviderContext } from '../ftr_provider_context'; export const processEventsIndex = 'logs-endpoint.events.process-default'; @@ -87,7 +88,7 @@ export function ResolverGeneratorProvider({ getService }: FtrProviderContext) { const tree = generator.generateTree(options); const body = tree.allEvents.reduce((array: Array, doc) => { let index = eventsIndex; - if (doc.event.kind === 'alert') { + if (firstNonNullValue(doc.event?.kind) === 'alert') { index = alertsIndex; } /** From 4ef0b21e74a5cb22ef6ae096cb491d349d0cae8e Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Tue, 8 Sep 2020 12:58:12 -0400 Subject: [PATCH 05/10] Trying to cast front end tests back to unsafe type for now --- .../resolver/store/data/reducer.test.ts | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts b/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts index 21c4f92f8e502..04aa7313c91bf 100644 --- a/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts +++ b/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts @@ -10,8 +10,9 @@ import { dataReducer } from './reducer'; import * as selectors from './selectors'; import { DataState } from '../../types'; import { DataAction } from './action'; -import { ResolverChildNode, ResolverTree } from '../../../../common/endpoint/types'; +import { ResolverChildNode, ResolverEvent, ResolverTree } from '../../../../common/endpoint/types'; import * as eventModel from '../../../../common/endpoint/models/event'; +import { values } from '../../../../common/endpoint/models/ecs_safety_helpers'; /** * Test the data reducer and selector. @@ -39,7 +40,7 @@ describe('Resolver Data Middleware', () => { // Generate a 'tree' using the Resolver generator code. This structure isn't the same as what the API returns. const baseTree = generateBaseTree(); const tree = mockResolverTree({ - events: baseTree.allEvents, + events: baseTree.allEvents as ResolverEvent[], cursors: { childrenNextChild: 'aValidChildCursor', ancestryNextAncestor: 'aValidAncestorCursor', @@ -88,7 +89,8 @@ describe('Resolver Data Middleware', () => { type: 'serverReturnedRelatedEventData', payload: { entityID: firstChildNodeInTree.id, - events: firstChildNodeInTree.relatedEvents, + // TODO comment about casting it to unsafe event type + events: firstChildNodeInTree.relatedEvents as ResolverEvent[], nextEvent: null, }, }; @@ -161,7 +163,7 @@ describe('Resolver Data Middleware', () => { type: 'serverReturnedRelatedEventData', payload: { entityID: firstChildNodeInTree.id, - events: firstChildNodeInTree.relatedEvents, + events: firstChildNodeInTree.relatedEvents as ResolverEvent[], nextEvent: 'aValidNextEventCursor', }, }; @@ -231,7 +233,7 @@ function mockedTree() { const statsResults = compileStatsForChild(firstChildNodeInTree); const tree = mockResolverTree({ - events: baseTree.allEvents, + events: baseTree.allEvents as ResolverEvent[], /** * Calculate children from the ResolverTree response using the children of the `Tree` we generated using the Resolver data generator code. * Compile (and attach) stats to the first child node. @@ -242,9 +244,8 @@ function mockedTree() { * related event limits should be shown. */ children: [...baseTree.children.values()].map((node: TreeNode) => { - // Treat each `TreeNode` as a `ResolverChildNode`. - // These types are almost close enough to be used interchangably (for the purposes of this test.) - const childNode: Partial = node; + const childNode: Partial = {}; + childNode.lifecycle = node.lifecycle as ResolverEvent[]; // `TreeNode` has `id` which is the same as `entityID`. // The `ResolverChildNode` calls the entityID as `entityID`. @@ -314,10 +315,8 @@ function compileStatsForChild( const compiledStats = node.relatedEvents.reduce( (counts: Record, relatedEvent) => { - // `relatedEvent.event.category` is `string | string[]`. - // Wrap it in an array and flatten that array to get a `string[] | [string]` - // which we can loop over. - const categories: string[] = [relatedEvent.event.category].flat(); + // get an array of categories regardless of whether category is a string or string[] + const categories: string[] = values(relatedEvent.event?.category); for (const category of categories) { // Set the first category as 'categoryToOverCount' From 910fe246438e8a2b57cda2a5968dc53941a44a41 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Tue, 8 Sep 2020 14:16:56 -0400 Subject: [PATCH 06/10] Working reducer tests --- .../common/endpoint/types/index.ts | 35 +++++++++---------- .../resolver/store/data/reducer.test.ts | 13 +++++-- 2 files changed, 28 insertions(+), 20 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts index 64bdbb1193f53..38d9c1c3eed25 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts @@ -334,7 +334,7 @@ export interface Host { /** * A record of hashes for something. Provides hashes in multiple formats. A favorite structure of the Elastic Endpoint. */ -interface Hashes { +type Hashes = Partial<{ /** * A hash in MD5 format. */ @@ -347,14 +347,14 @@ interface Hashes { * A hash in SHA-256 format. */ sha256: ECSField; -} +}>; -interface MalwareClassification { +type MalwareClassification = Partial<{ identifier: ECSField; score: ECSField; threshold: ECSField; version: ECSField; -} +}>; type ThreadFields = Partial<{ id: ECSField; @@ -367,7 +367,7 @@ type ThreadFields = Partial<{ }>; type DllFields = Partial<{ - hash: Partial; + hash: Hashes; path: ECSField; pe: Partial<{ architecture: ECSField; @@ -378,7 +378,7 @@ type DllFields = Partial<{ }>; Ext: Partial<{ compile_time: ECSField; - malware_classification: Partial; + malware_classification: MalwareClassification; mapped_address: ECSField; mapped_size: ECSField; }>; @@ -397,7 +397,6 @@ export type AlertEvent = Partial<{ policy: Partial<{ applied: Partial<{ id: ECSField; - // TODO this is an enum is this right? status: ECSField; name: ECSField; }>; @@ -411,14 +410,14 @@ export type AlertEvent = Partial<{ thread: ECSField; uptime: number; Ext: Partial<{ - // TODO this was an array of objects is this right? + // Using ECSField as the outer because the object is expected to be an array code_signature: ECSField< Partial<{ subject_name: ECSField; trusted: ECSField; }> >; - malware_classification: Partial; + malware_classification: MalwareClassification; token: Partial<{ domain: ECSField; type: ECSField; @@ -426,12 +425,12 @@ export type AlertEvent = Partial<{ sid: ECSField; integrity_level: ECSField; integrity_level_name: ECSField; - // TODO array + // Using ECSField as the outer because the object is expected to be an array privileges: ECSField< Partial<{ - description: string; - name: string; - enabled: boolean; + description: ECSField; + name: ECSField; + enabled: ECSField; }> >; }>; @@ -445,11 +444,11 @@ export type AlertEvent = Partial<{ mtime: ECSField; created: ECSField; size: ECSField; - hash: Partial; + hash: Hashes; Ext: Partial<{ - malware_classification: Partial; + malware_classification: MalwareClassification; temp_file_path: ECSField; - // TODO was an array + // Using ECSField as the outer because the object is expected to be an array code_signature: ECSField< Partial<{ trusted: ECSField; @@ -458,7 +457,7 @@ export type AlertEvent = Partial<{ >; }>; }>; - // TODO was an array + // Using ECSField as the outer because the object is expected to be an array dll: ECSField; }> & SafeEndpointEvent; @@ -706,7 +705,7 @@ export type SafeEndpointEvent = Partial<{ subject_name: ECSField; }>; pid: ECSField; - hash: Partial; + hash: Hashes; parent: Partial<{ entity_id: ECSField; name: ECSField; diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts b/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts index 04aa7313c91bf..7aa805acbc92b 100644 --- a/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts +++ b/x-pack/plugins/security_solution/public/resolver/store/data/reducer.test.ts @@ -40,6 +40,8 @@ describe('Resolver Data Middleware', () => { // Generate a 'tree' using the Resolver generator code. This structure isn't the same as what the API returns. const baseTree = generateBaseTree(); const tree = mockResolverTree({ + // Casting here because the generator returns the SafeResolverEvent type which isn't yet compatible with + // a lot of the frontend functions. So casting it back to the unsafe type for now. events: baseTree.allEvents as ResolverEvent[], cursors: { childrenNextChild: 'aValidChildCursor', @@ -89,7 +91,8 @@ describe('Resolver Data Middleware', () => { type: 'serverReturnedRelatedEventData', payload: { entityID: firstChildNodeInTree.id, - // TODO comment about casting it to unsafe event type + // Casting here because the generator returns the SafeResolverEvent type which isn't yet compatible with + // a lot of the frontend functions. So casting it back to the unsafe type for now. events: firstChildNodeInTree.relatedEvents as ResolverEvent[], nextEvent: null, }, @@ -163,6 +166,8 @@ describe('Resolver Data Middleware', () => { type: 'serverReturnedRelatedEventData', payload: { entityID: firstChildNodeInTree.id, + // Casting here because the generator returns the SafeResolverEvent type which isn't yet compatible with + // a lot of the frontend functions. So casting it back to the unsafe type for now. events: firstChildNodeInTree.relatedEvents as ResolverEvent[], nextEvent: 'aValidNextEventCursor', }, @@ -233,6 +238,8 @@ function mockedTree() { const statsResults = compileStatsForChild(firstChildNodeInTree); const tree = mockResolverTree({ + // Casting here because the generator returns the SafeResolverEvent type which isn't yet compatible with + // a lot of the frontend functions. So casting it back to the unsafe type for now. events: baseTree.allEvents as ResolverEvent[], /** * Calculate children from the ResolverTree response using the children of the `Tree` we generated using the Resolver data generator code. @@ -245,12 +252,14 @@ function mockedTree() { */ children: [...baseTree.children.values()].map((node: TreeNode) => { const childNode: Partial = {}; + // Casting here because the generator returns the SafeResolverEvent type which isn't yet compatible with + // a lot of the frontend functions. So casting it back to the unsafe type for now. childNode.lifecycle = node.lifecycle as ResolverEvent[]; // `TreeNode` has `id` which is the same as `entityID`. // The `ResolverChildNode` calls the entityID as `entityID`. // Set `entityID` on `childNode` since the code in test relies on it. - childNode.entityID = (childNode as TreeNode).id; + childNode.entityID = node.id; // This should only be true for the first child. if (node.id === firstChildNodeInTree.id) { From c06ba9325cd154a483a19a38eb66bcddba69c154 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Tue, 8 Sep 2020 15:25:05 -0400 Subject: [PATCH 07/10] Adding more comments and fixing alert type --- .../common/endpoint/models/event.test.ts | 8 ++++++++ .../security_solution/common/endpoint/types/index.ts | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts index 6ea04f9bc77c2..bd2996d101300 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts @@ -19,6 +19,8 @@ describe('Generated documents', () => { it('returns the right name for a registry event', () => { const extensions = { registry: { key: `HKLM/Windows/Software/abc` } }; const event = generator.generateEvent({ eventCategory: 'registry', extensions }); + // casting to ResolverEvent here because the `descriptiveName` function is used by the frontend is still relies + // on the unsafe ResolverEvent type. Once it's switched over to the safe version we can remove this cast. expect(descriptiveName(event as ResolverEvent)).toEqual({ subject: `HKLM/Windows/Software/abc`, }); @@ -28,6 +30,8 @@ describe('Generated documents', () => { const randomIP = `${generator.randomIP()}`; const extensions = { network: { direction: 'outbound', forwarded_ip: randomIP } }; const event = generator.generateEvent({ eventCategory: 'network', extensions }); + // casting to ResolverEvent here because the `descriptiveName` function is used by the frontend is still relies + // on the unsafe ResolverEvent type. Once it's switched over to the safe version we can remove this cast. expect(descriptiveName(event as ResolverEvent)).toEqual({ subject: `${randomIP}`, descriptor: 'outbound', @@ -37,6 +41,8 @@ describe('Generated documents', () => { it('returns the right name for a file event', () => { const extensions = { file: { path: 'C:\\My Documents\\business\\January\\processName' } }; const event = generator.generateEvent({ eventCategory: 'file', extensions }); + // casting to ResolverEvent here because the `descriptiveName` function is used by the frontend is still relies + // on the unsafe ResolverEvent type. Once it's switched over to the safe version we can remove this cast. expect(descriptiveName(event as ResolverEvent)).toEqual({ subject: 'C:\\My Documents\\business\\January\\processName', }); @@ -45,6 +51,8 @@ describe('Generated documents', () => { it('returns the right name for a dns event', () => { const extensions = { dns: { question: { name: `${generator.randomIP()}` } } }; const event = generator.generateEvent({ eventCategory: 'dns', extensions }); + // casting to ResolverEvent here because the `descriptiveName` function is used by the frontend is still relies + // on the unsafe ResolverEvent type. Once it's switched over to the safe version we can remove this cast. expect(descriptiveName(event as ResolverEvent)).toEqual({ subject: extensions.dns.question.name, }); diff --git a/x-pack/plugins/security_solution/common/endpoint/types/index.ts b/x-pack/plugins/security_solution/common/endpoint/types/index.ts index 38d9c1c3eed25..89ea27aa10b3d 100644 --- a/x-pack/plugins/security_solution/common/endpoint/types/index.ts +++ b/x-pack/plugins/security_solution/common/endpoint/types/index.ts @@ -405,10 +405,10 @@ export type AlertEvent = Partial<{ process: Partial<{ command_line: ECSField; ppid: ECSField; - executable: ECSField; start: ECSField; + // Using ECSField as the outer because the object is expected to be an array thread: ECSField; - uptime: number; + uptime: ECSField; Ext: Partial<{ // Using ECSField as the outer because the object is expected to be an array code_signature: ECSField< From 25fa0831be517c45d3968d642b409c8409cbd690 Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Tue, 8 Sep 2020 16:07:39 -0400 Subject: [PATCH 08/10] Restoring resolver test data --- .../resolver/api_feature/data.json.gz | Bin 18192 -> 18309 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz b/x-pack/test/functional/es_archives/endpoint/resolver/api_feature/data.json.gz index eddfac0bb1455c2780ff31e31e2456b04c0a14c7..92e4af68bf22e3e13f31cea08c3514ce465f0a6d 100644 GIT binary patch literal 18309 zcmZ^}Wl&ws8Z?>^+@0XIafgjNA;881K{oCl+}&L_PSD^4cXxMp4ek!XFYh_$z4umq z_0{ult*V(?Gqbw;>1omkczE@737rq0jPxD#nJpY_tUsJ&SSqhb%@1r$6lS~DuvCj| zuxQ?X7hDCAeH8PJEn_Ni`V?TZSnZdZ_Hweqz8F_3!PTW&=~ZB10qZ1VUEDJ9aQk+% zTOpj3l(aoy()e7Fzni_q^2X6L$vG!)zsvFz@=}8dD3&bSzL4?q$|bBrjX64P72%23Gr@j+NTkvN z{aErfH(}Y17rrEgTKJ@msgIzFy%lND70h{u^D-H?R-=sQvG$(BzBb9a6rEdU-!;_-)3S}6K(rR;+QL|Vd{oZR0&>oT4jNOS2VnUrJkVur9D82n{@kF zBBONJShAoXtRi04GQ-(&?Dy<~&M-0evqVK`)rKrhotU!IZ1>D=H{yZukk3=$$k(j3 z0u`&w!ij|zU1hoHjospHv^ro_c%sIf8E@8QQ{uO%AnE(f+N$h8Te;dFp->Fuj?JTX zl=Uzrvn<+P=X6z5VHw34?z`oNGLs%?k-!O;BI|K7{I@0M$c;r$tPr)RdBc)K`%L>BNoM{@hM<+{vSE|OlpA6~{oN%?2 z7t%U{`3lu6(nXyzE>C5-w}Z}bIq&B?{{Y7L12$IUjhesY<4U58)GloUKw7$1EW~rugT;XmODqWD( zYi6Q*Rqbf5U!|UhZhwB_P4cMxBS@RN^RFc2@t)M@nNtXqIkZhH2XWzl^~Io(hCB;G zcJe-3e{Qxt(nf0hZCP$r!6IIPmzB`1FlNRR=$nL529!o?Y8Hp$hO}v8#;9_ zZ0)klW%cJjo2)*CH(Sqk*X{e4w|OcvZMLb7*k(VA{DvowA;Yx@ik+vwq3jDC{eF`j zlbzmW5Neuj8~WCqxU9azoxlR){N;9Ak6&^v?_%8Pt*FFFj3oY$XaV-V{a4QNB5lwO(wm&qU21;RLD>9 zQ-H}r6ykh(-Z)n7V5wCI%0_|yp|wur&t}StfIGX5BNB|e6KNl~gm6pjYcY_?{&&To6sX((><>;Fs zXL%HHwc8f%q%o$(3?-Y4%y3+=I^5(`OMY(OtZ}3ogd4{wy3HJFs(?gmd3=f?ic?tT z6Whiq<3{RA9nO4xB4mfx-Ttc#LeU$gI=js6g?F)1P4VyCH7ENSb?@f$i!0|lb5v-P zaC{1!1@cQ2QEGItM1j(T9!R`@Jh6e&^J0W|?pV z(gk13wzBG&3>aO66V3&jJ-Rq}mq8&-j$Q$;;>a7`Y?v@4VYR3!A+fCDZWwWyp(#~~ zqabt`3R{KV3!|b$y#)GT0jrKS6KR=#6(jLLuL&~wu=5A@YK6IUgMO&)vfI!`cA+81 zjztwec>|0<=wh+KV=x!jiTex74yNgpko>P2l$K2GB?Z8NF?_nGy*5?^4#wOPQf)7q2LPnuK z-AA7@X1MwCRHUagrI^Mcf{r35#ZKJ+d}~%T+{>0R$pFLK z?MF_ezo8C)9?O{)qEbi#zNmuoiVyh#W9C89J`9k2*fail+n^!ewH%~2bQ!0s1MB$f(5(8QaA zL2#LkX^8uzTdJf6oRBX7r6@=>0jC&cn6=s%Kl4{>IAx}QXSd3q-i4;Yy zd%|YgOIM%L##qzZK*!5}T^BvgtaXVlBak|3+y>8?>*dF1zdqkW)s|P+F{5axWdhqE zQt_iS=G{=r>Uzy0DPc4LsrZ7OL8;BWsifRU9DE0R+hg`*diRQYqoanIiNc2D2jkYq=}k8Fm1<10{^cSgZcW$1T9QM9F&ZCQ|n90LG6`xT@pomRTm<~MP5g)*V=b*tP zrb&GXPERo}gUJQ9uwjS~__5-Jyni+Rx9342FX5-ww#&j;ei}*sW8G+m7R`MoMW&Ic zXw6StBLLovgTGE-K(Q~t@4ZaZ0URD*U->}M$WfY>ijTvNA5Qfq}Nplg!yX&{Y8f?#Ry(*=R1$T zl)d#nK17S5+b$fyoXP4%BiMd2(i@fwRaM4Vj?r3OEdOuq=zbQaT!&kRek^5-pnZ#Fa#}QMx~0i2iYX0O@KX>yBJo%qzsCr4lqyP zJepwCCn}nv4_nKIR?D`B%+X$acGi);u6NdOGteVg@vwXFhr#P4Q*5VV2j9fCK&?&Q zG#FgQ$O)_31_gowjq`yDgu5!@jqYx=@IZ)RFkgtI>=C3erLMvNzcF|PmT$PA`s;Dr0NEs#30GF$NWn}@Vw@}4 z1mEZdnrs*bFkCfJ6~W!^Dg0Y^<-6ABO zxL4M+ueZyaQ5eDHCZKD1&tNHgzBFSQl8pk;71Yy6pmE4PBSX+z02HIfOZGU87Q?Cvz>g_t@3ye4J>mR}a@_G@V@Uu1u`?XM8Ubieh z4|9F+?S0t4x)Wk)5P`J+6(Cb$FAI-+Ub6E(*RGZ@DK7U45?8eI@)HWN{lz2^i=N{P z2Q}pD`cVn_@B;=hLICzcX7}_Mc^ohhh8)+g6PT@~j6@QQ5Y3qVSwRyzN7il+D=Y|= zle5>v(0kC_2x`lixA&WuJkJ(15(t|<5bIFNQ$8PY*AS=g;Li!Sxrv>lXeVwbE?j-2 zVdokF#9W(7?KR_-S|Qrfc31dt+JuTG8KFh~m82wVLGy1zYWxrZHcdH>NAeaL>tjpX z^PnH0^k`WPW5tCM>QZ@(_RtHAoR8>KBV&|R`PAPvhz$Y(xaAwt_ObMfg>1%Xs!z4X zQe}RMLmA^sImfR=DxQ**gdiS7xR#HO{;I0%=)GmtzP=M|=*X7Ff|AucDr2JvCXx#6 zc68*=K7j3Vch`>Z#Y?kuQ;l(}K#bE-cjR2&yUMuwZ4dGRjcG+&tD;T56**YF*l2RO zZ~Q$K3*&o{BA)DAb%!*1p$^rMG#LU{U3+rXn>edLGANG zY@vFmUo&sq(3iGK`^1g$;q)!ww)z$Os))Z3Qh1sV0lN9n`39%MaxvEiyAf2vrznhu zJVVK0#tQx{e2i+jPsq>awX*0)T(+69AHDproT|UC4y#70qf)Ydto3J)^o^zaQ7H|uXJz5yAnvdr;S5o6#gi1qcy_`;E z&$rn#=IYj}3&h3`-P|ghaa9+X(M?RmMmi!>t#+uHm6S>uCAyC^$VU4BqXIIoODKRJ z^S@gp`8^~T?|C;YN=Sw4xk-efWRhB%lg4g@m}bD*D@>Mqo9USbPyhr#6AxgBrbYpY z&?zuX38M7t>m>%Y2t)*eBn~NcC$b5YbFvS%Rv>hTGhY%cO0O7UscdjudZ+Hf1lbS( zDXKIDNH7b4Fl7_!&GOC+)Q@8l){li$yXqHzdJ@SWGnjh}~T-d!sE8x!t zSzOBWI*#I^+A4g)%i>{eO_ru?xMujFz%HTS+>h@|ivV~KhpflsuIxGQ$6ArRHlkX0_dNBKQXL;nU~kis_B$9NSS8A_tDlWco!tj;1#?bnkNRMFBxtq^Nym zqaZ4Y%3iY^M^!HT43%hV)f{(aIsLG2!XIf}+Uf4)WFntAT74RvT{hTT?6~2%r}oFj z8(MCE|3CvQRwsYf=bfQAaZLK0Q726y_euhC(4eqtP|~bM;cO=oYWacNyLfLG2thWZ zWvj1?_Sy#JD~cylEFztBYGE`mYYt;boU0zEAh*Pk-VO6&AJY(7OlBE4TS#ZowwG1TDrh%QPj66W#* zhK>qF@GDf-qWGEeuTS}$mt&J#(b0&G_RM(dW&m&;`_BjTp5aoHiXC+xA%tw_yBLMx ze_J;TzuG5%d`3kV-7T7R69~0sLVE9CNX_4IEVp z6wzN4WH>nQm@PpTfs4$DJwY$aBbt4|jBYJIB&WUetaS^^HNNmrcK&R1MDp=Z_KKif971*>H2>ZyXn>6%y&j% z{qSC_sK^PpZBU5f zue6r^Y_8M1w|T$kzx?AT$O<0~qw35)cAR`uWO4f@&l@_k`L!zoRq*ZJ{hRW<>vzU! zh_j{lo*q|z*{fb8LW135$?d{ht2v4BU&SyM;_&ND_cx5gUQ;k3M;~%r_;KvtU@|Ot zaxc=bPAIL5?wyfHpUm|gnN;v8$NY}Wif{j~fcJv~LDk`Zm~POG6!(*)DEqWW4nTe& z^>DdM;F)Cl@T^<4w<{#;Wq3Z~)nkVziLcgrJNJDW6o?^?Yxi($vmN?H3ciT^3*;K8 zLQVDsa+bA!bC|p8E2RcKT7{R2#d0A|iztMlncS}G|E=V+ebvhur?LinIg}*yVk7FG zgwG3u$vlFEDQq#e{EN`J`QHGo<*a8={ZNwV!$o=Y2s{+Uj5-l!8_nXc03jzuVl*ge z(=cOKRCP}kV^=+mr-PE=;!7rdm0f;n--#&B!)UH5l5|d_=N^?rq*48_-}F>+t|Y@C z8*T>o5fw%we~24xY6#@PC2@4bQF?D~Rf&QQSQoExMSZWxPWt*RvOzR+uS|8#)S(jh zV<+8}MvXhU!Q~@KedE5h7WCwc;5Ec8@tF7`S()9Yx@5zT_@XPd@{{*^D*p1o&Gu+| z3r9R|nsS&i1&2PIC%TD#5Pn@A^5b!fu7~Cd+RuT4^UCZgj{DljMFUvI)Kk>I^b0>( zm`ve3E7V#t6L#cAgmwJ^Oq3CHpir>bXth>~Y<^#hpdl(X45o%sSv(s8+sMT}+&5gg zgou8|^Kv-i`%0JhK6RDV_1MvLVPli9>;+X~b9B@&sp;&kJv}9#g#)rDednXA>NX%9 zXNAB|1zhPkRq1fj*f=pJ`MUvo+A`Q=Q%}IxcB?w0eSVwuc=xK4b^RxB4Lw1g{?^sY z=Uir#m;B&X($Hvi>Gv;QP8;&P&w_H;90}+t5%{Ni+aGO}+YtqmIQI+qLe>X09PCls zy4RKV6lK-yP=i`^%MCeW??)W%8fvkk13RY=se^?V5(FiN|x`LrlKY};ivYJcTjMlXeV<=s>V*m+?e zFrs(sfMElL>BZg?l79G>q?iz~_tKgAJN|y8378yzZ`p(oipNn-L$3);F%C;9p3&cH z)qoiS6hv}-WRpQR;eFqn9b;Qv<&aM#l|4Q4ac|dq?yhzo^TIQ)Bd@H5h^4_U3@xH*^=>&Wb7M^li zEOE$*Ygh{J1CD2UYR+C^)o86jS0EkglHGql(#X^|SevHE#Re9|tD);|wMWl&-gB9^ z8CJ&RCvhR|1Vl^T`MDes^1e*gOz%f*l#Lf0USlO|kGdu)l8}$P`-@G+b`P{KSn0-X3^1})Z?3jozbw9bT~1PTt?`+ z<(-E-`WuEImiL@ea#*vL-5TMH8lV*DT4x2d67V|Qrpa=MZ>$(;@I`krv&lwla5Gr3 zF!XtET7YUP1?VafpgE6Z{?=9e&^0H6zKWU;=6P47u;sv2B(qKE@L~~%KsxS4yP`iS z2c6{IQu3=GEENtW*P{a(BR(S;7Vw%T#4pJeoZ@vEpuP%9=LVnvQ(=$yYKLxaCV`LL zy41Z5SP-6@#mp8 z3#Io;Sh3afnalEP_Ec-zI8)cD@{90#T8;Cua4F}?-2oH{Y1@GV`dehNn^BR5f3aI* zb!&P7>W{62FUktqz3R#i{z2H^snRt1h@L&Zw@=JoDk!L?MB}RuxD>xwyR(r~PC9qh zX0Yz~gs=P1eA#qierTJ_OYS_MI`-R8ekN%IU;a!E-FQni(IlB{TRU9)n;XY%;-57| zPUBqM4VO2@sY-ywFRc&9(35D-yImfUe;KL(Dy?-g`mPaPd-;@4?DqSs_Xa(|&n*{% zpIBp|)Iwq;_s|d$JHfoq(3^g<24_Mbh{(hisSR8)QQvTTB9d*2t zDCzC7*mQ{6F^|K2@3IgeWCi{60n-RpCYEyAGhs<8z8hAXOfJ^sHGgR4kfC$$$7Ft7 zo|yE=MGFV&(;ZoO4 z8kTa>*Eg%W!}W*>rN4kPnCsH#kb8)vLYCn|swH zyKVXq)}B-Bw=Y>7+{|mrxwI|#9IZTgc#TJFoVjA-`zD~`6v=_kZ(rJ2*!Ban7f7Sx z>`W`d_j+5If2B#4NXDpiGk>S&Tc+C2j<=2n@kPl)bNl_=Yotpg+N$1L{l2fbV*(7p zt%U)ITasxgmzYIK(P;GSJNeDZvI{)+lWTAYeK?}6=M%yyD|Y60{aLc_^=IpJK3fSx z^jMPg$1oH0R9a~+r@#UeMKV^IC_AOOScKF&RB^mbC*-(C#mG2V>%_`PKqr09;}!Za z4Q(E6QyB{6Mzu!sM!qj88yG2wsOWvE$(ZXn2WCbiOK~`ui|MdZ$fc|3RA$$qPBy|3 z+$V&l9^Ql?=W`gQ(gAXnrj1O*wn_d=mOFj}Ejv55ZN_(Zqz9Wc{OzvRTAXO~Kg_r@ z?Y2qcjx~aJfoH`kmaln$ko~ScOu!H)E*U5mAjLiaA!3@A`vOrPj|U8hDgJV_C;udc z2>?@oGS6b=o>$8SJS5RHS6qIgoy4h~ozPHD$_r?MmOml`c$tQ>+B8_{hR*8UI1EZ4 zdH)@71A@%t{u~I{pEIzf48)I;oZ7tgxzg?fh zmtr>rvB&Pz0u)wD0pNDrm^%sL=d^N+(H`f8Ny9xKESL5IjgY%WX5AS42x$U7N*_U! z0%ijNvpR99lEC&TW!>JJ*M+ophd0XuwoidfMlq=!@mnhjSoM>^Bpfx=Q9ku?cVh86 z-4e^W3qCs&fnqj!UJx)D-rtw~Tem;lj$pX5!o1r_1Ahuj?QaPg^Eo4YDFUD33m1)v zKcgbU1uJko1Ao)4$*<`8yhI*X?GLp4-6hn6 zr?Q)q506mi^jww}QyEvz^a|urwzvz9$#n?>mvgub41l?zPyWJ(KH>2T?b+at(Wj^! zfF1c#<}AMeEdNlA#2E3W6Kwn)t@Ck}8mm)a%^iM4>B-BD+InM#a7OtCQGok$M2kXJ zq1YI^5-wq;%Ed+(rn#e06YK)FEn~10AR@4<0~`kGsF$(C+_625omv}Tr>~3Ap_Q}X z858!U^ldPgVDF$dUL};5}w2w_57hNo(RoTj9~6Cwo(`7_`uJ&7c|DNdH6ku zQ8JdKD0)GX4S@%9{IG8mQNY7!&MNG5wolJBlXGG-YGMZ#H;;iKIe7<3;2c6}zjhHi z^aQBg7HrzYm-(vnbM+jc0kpK=d}mA0{h5Eh$Q}`?<3bCXps6YA&GY%e#nX#uj=Qg%%#Bs;x48<33C{xac6%YtUN@`FF^Ay;LSjV%kGZcaVMEBh$K zvJ^x-GV#^a0cO)aqYjnmz9TV`Or0{cuzxHGl@GF*VDww_`rsny@Y_ApN zC6W4P6g@2Hj?*brFbY3wrt>n85YG!myIsA`emIC)fbEgsk)j~C0G7$ZkU*his3e6!ZZB?aArglMxua$o((x_6HsHy~} z^@}|$c;emIQluxq%a?^K*_pYv?>e#;+Yli+w#HSh5eakR&T$DV1?&CwvIwSk)8qU; z^u=xbC~^No2aS-M#q+pD)R&xxw(5dtrU|w?3~<#|`U1wR;i7W?486!8RW6J!B6(S& z&55Ffk>^*mG=3#)qVAm2Upl5Z6FJK{?Gs*G?09bPPAP1A1`2eyG$qXiHbiQ`aG{Wy zJrcu%9GNS{oW@pCU{Yf-ENoF`>o4+?EbFPoaAXf~fuKcc$?faqB;OghJTX){?PU3W zi1TtiSemkv?mGd~2mg^#rMW(>8~C-3oF|v!dBH1mVWIXjJDq!*@gNf8d~C-z64DQT z*qUTnN3So9-jp}xEp|_pZjRrD*9@GTwe6yv(@c<(#7$OTR@R@hl#Iw*eE7jZnc{5u z2)mq$I?5y_;X`YdLgS;AB-<%;fz$~Ose`h#6(99+Ra3snyb7>yj7hYK5zX)my?Uv1 zEOjidS+DuDLCctE>Evdc8j3@#RoP?^AkZLxfCKZ8BVyg$YM+OaSvYOaf3WQ;2B7Kv zn_^{<_fo#xn%U+YO2Eo)VyzKA`^jY<5?NkB+XfJ9a2BK+`kCa@4h_Oeo5b6KmXR0NrWQg-CX>wlX$=A;eLsMqtJfA@2e(&S^0Nk9K&(Y`~56%t`tGvCc zO@sf|HfstmH5ro)Sy2_^OWA8c7Um)WL*aCwqCvm#bbEdF*|GiYl=KFyrpiySTcP$v zgZTez1ypyw@60E1)mqk1jAxcx65eJ{q^B)=t_QBV?BVe8EvzK46jBs!%@f2=Bi9EQ zm*!$i;r_2za7!sxrhBF~Tj!J3mqcO?3Jm79BpbCy zzf`s3gR&p#F1a z-lVQviyC0-NY~|=&qEW-vZPy+Z9)?*N zg#Qc&sElT(7?Q8M^H74kI#;$~gK&W@D95z=#Ky&}_=s5EQ1RE8t4cDZ_@YDlAazOn z*JrZfUt#uBP6^tDPOAAo31<`6=W{P-_w*{?Y$uo2&U`s)bRd;CF>==Ty;0!V30Z^=~?r=7Y|MlAc1 z@}3Wee_dLb3Nd*9!v2;hJgw;PZoNHJULo;m`htI#a9N9pZjWHlt_p8n=7~isVRZ1T zT@a0yUBE7oMzdA+i|u3+cg}_omR}qPO#-)*pg}gC0~2*A-uPh&9u!j%s~N0RO374kPc{Ql53bXdaCTCB!g1T{;H#3)B$%mAchC^~OMeDz&5ghgguVeJZR|aC4pLYz%tDqX^x5n5KR1 zawg+L@Ra2?^ZBgIjB%$I&gTm^*vRMeRrijQo=cZu@XyR!Ra~Syi`!Ei{0xU@Q){i7 zH@S@`t__?|9SbCqWw>^Iu4hr1Pm4s);i-Q%yoJ0Yh5{<0E3qPTd7Y~$PkFW;i7Y{0 zT~%LT7PbnH#xQbDc1CnXI|_C;`CeFwx(nML^o>FWo2r0rFCNlEL#{GYUEN})H&0b(ik0mLEn(P5}W6p^*D2$gq%cikyrO`$bGxx5Ov@}pfHl9x}<@qc&Z9!-fv zK0tl+gCGEXNJ3*Ic-xMr6kctv2vbSY=5^lmJfFIJz65w$@i4Hra!Lf8%zpKFBf4nH zp0T3NT!Z(#g6INxl2Yo`D<86|tb*lsDI=b&_2 zt{}IneAG7}nYj5HU*UX&6SXqhYx>jX9csgNnmX;>Sw)`ly%u!81C^_v110^!MCO zb0-_8z}{;Z;*-^z;K~*0ey}nsc%}$oECB)ZB>;@%$SpOPWeaAYQYRu7%qfcdBfG5` z-rK(fD(u}~;F-OJOz;NaSmF7(CE@1L9L^;=>)eIqg^!2hxRfrW)LcBRC^-)3_D?{1I7Z{3@SxvHSr7_?q0BR)16Htvti0K-tak8C5CAJL5wzBZYS zUUhD3+uJv;vwJ+DIbOsQ>k4p}r@Red;+^`}!wVj;a(!u`t5|m_4&|^B}T+c%zWj(7DiD$Le4^VNqw8Ocq+^s<=gsMPyTb%q-7{BD$? z;CABwdT{-WYrnUDwv;_lUcDTYY`xsYkVJFEw2fPPRiKTJ@|c)QHVDW#ytAZXY7~$Y z%G@6)n)Z-vLce6kxW`mi>+*{%33*6gCf4NdbpUXLe$4uGXZrT199Zzt=We{NIIL`G zTeol7W*q7GpjlTZxFwwM6U8581@JK<208-#V8r#(1R{hdK2;V%AP#Kpd8?S@LO3 zb)xxsVL{nY%Aw|{&L7^RLwBT=Q0CsN0L#B;rB3@U*7MxnrE8U%>yL5mEZ;=Z+sxxR-i{r1-upAO`cE$Y#t7#*dv5GLjrsH6QO4qpHrz&DB~k}?8H`I=;P-oECu zAhaRAKees$GIW+PGxqYbmZ2T0!KD>Kx8IC3<#@!pB4<2+mjL(=`|tV>X#fgo0zmRb zP>G#gsAR)bfMJkfQfF!nc1^nFbh`Ygy;{9t5|D*!)tB6oN)9m(;k|h8^FYVoOUeNz z(*5s%*_~e+1#s_8{fi$kIT0vKYJIdlzj6k)+~3qRJ&jm7^t9Q&&gIs<^8*snj5XG;+JOrmmt!t(ocLW&HrE~Xh3OhyR-bb~m8Z)@R6U9yYs!g)fY55J zF@M+F)ct!GZNq%FEmXsR#BFKtcw?P9p8^zBJ|mCc`t8M!&wN(CK7zSmp1ap8rLvln zwS{yQ_6Dcb0r@L8`~;%rLMkBGUYJ7!%;mkhtr(pMa1ob~^f*A&A|dqjp$sz-kN1t; z*C9I$yZxsDqToY(&jP4!rJsWg5%BIO;(>t=zCm~??rD+1z%JG}zSnY_gd*$MvIbuRerAGRx24wPR-&yB1Z20bZQ zRLG;(3E!|oeUOFrGnDqY?=!x^h~M`orN-vu-2S>OESOB0p%UBveVujo_iI|8wpUcf zOsin}C#lzq6-c{O2j^e4ZHxzc$BD+(eZbJ_o9fpU?C&A5Vnkwz}jPf)%U)8-RMjku2+o&I&ugwdtfbug(P-YU#c zDR!qFBAJLCVpa!OhJVleep4(QCjTixu4t>lZ-CylEWtp0&*s)zloFmsDI1@~6-*x; z|C3XkXDBR6-6O{fqdLUefX?VTvzB1L8nGITV`Ldj3b&MKLsH3Ac~_(E5lEVnUK=8( zY%|kICl9qr`9ljPNVpqAU}AmN(vF_4^#J9SAXwpD!Lqh;ldyVz?)jnoStz0o9X%%) z{+1_jFGlhpC`@tx%J=$n4oS1u?nSx~vcnMlR#Ryn6veE_SdI7?dJajXPBr|kxK0UX z6mRw=D*@>Tf(74x4w-hCl+*O!3ZeAi->euj>!i9o7v7d{HM%GUs1?jM-mAFLgcqBa z4`A1q3pri2NP0BV>`o5f#`Z(rci;rv~J z52D8@nECm;Ji0k{A!J@2Jy!>o4F0`BLGZtd`&y9X(0dSm??_}@Fmf0@su)hskg>_5 zAvpI-=PTw(V_119NTehbwi1*Oc!&*K#<@}zHnWRPBQfCqsD5j2Xie%Ri_PazqQH`L zr;K%ecWHa!lcoqbA{(WVEe{b>Ei;sbaXg2C zDxi6k_E^9ew$jcfN(M1Kq(z@UL6xNX9+iF`AuPaCD8nPHw!y)#lH~E-UrKW?lcPh6 zzJiKH*96>f$uTXV8--00TJ+%-s>)7RNto(e_VpU#X^iTWsh`~?8aPyl6B??9jWr>C ztTX5wdC}yPX+^Fx2$+&lW8m^jE)h2bF_66MiW{zc|E@7+Q1*FnbJXbzD7MSIF)OdM zFe{H>ML{V{$Avgd6c+BldF#+w3_sm)Mdy@c?Nv+r=~mUo>Wl~jyug3_+}AW#Q28ux?L_~YIV&@&CH6TWvB845YDn+zK^r*gA zz(8lTzy6PhoE|CqIu=(ZveqjqRuP)2?)7tTZCYxYoF|PtQ&Em@sE)ZN@_30e+PAI0 zf5VG+K6--OGC5K>9a2B)FC;zNhE8d zRzs4MU*1tuBrPi5q>A165L7dRZEis(_g-TUG-IVb9cu1KBiW|6kHB%}3?X z9%f5fV(6L; z=Lb(e`@ejjk2YkF$ZLunvmuCuK1uhIad~Os^-8q9R-q;0-Yl`4@$y=(s%S~>V4kUY zX*ST)&GREaYy(b{7pF!gu#Ut!jlzK32E!__IiUtT*C}VA63dU0uWesFBO=+0T2Gd? zt8-0*iAD&5D9daogXu6;Hs$d{aP0i(gAKCTvNMUu_9$Mif9)$e;X zf$IBn1()u#p{d)h`JJr72v_~wYI zR>7E1QZ*f)-e1(b`Qk`j10fk`zn%Ly>hG=&2s+NBJ=zSo)$TB2O=j{y+5B>Tz>bl- z21fJXs75xNX{|}lo=V6kReMGZlldA*KqQKpMHpv)H35e{6&(6rH>OD(70c-1E0?xr zj_TvB=KkFB+}z4fmwipb{Z7bO`3{)_aZUQTbTrZmG6)m#KUpQ-4FKqf9K|mi?`QzZ+rdAA?Z$@%wd)AM!;)33} zcp0AR9avMvYOCkQ{akEX2SCbvi;)GlIoy>?w zv%(KmXbi$;*ibNqb(F9er9Wz??MTgm-`H?CB~$D}qH@9wf8~;QgXFDxmyt3w$sAOi zv1Ig<%*XMktN?MSx}mMv4mK=I8Zq>GOg$0ZeaWuSxdaOetOdy*Kfmeb=%|Z4$)^_>%mQO8F-_zt#TK zvF|gUJ#4qor}$8WsF4?~5xylHb{S3zoG-C=G@Vb;e`w>bA00(TDZ^{=Sq`ow?5!jB zMf$kPi?+FkSec2@NxTpuX$OMtDQQMSgSPea#q;x}VS;gWu($QN`*Eyv(ooL@u3aco ze!Gm1!$XB?M1iy2Z=M@>glgojCWi$6Qu-(2&r1W+K?7CWea)Aa8OFx={GKU)PnC0n zyjx?{8q_4A-xA(*9A8?LWmM~(&wH0iuoJmtA;{s=i3XjaDMmP8YhQT-?h$=CX9Hz|mk^jROF5y__TzH{JS4)=jorbUis>=S=z+P1& zf416BnzduBP)E+S@Q^PInNa5I?`S}#2n9tI51&9r8g?9}7<*7GAr4J}?;C7*-4QJ6q*gh^22cvXQ$7&qu4CUkM?t*hj9>9Bn5Pdzr~Y2DPqV^*KJFH^~HLV z82Vy+gxJr3oc?b6Ob8knhKcjgnheEQ{p93;?a{vfqMcGy>JCoWH+0&M7SMhWY6BIQ zwP1KCjY^R`#G~>(LB&K(oTnR+xkg;ZwBgLZ1hsli8y{<{7Hiq`*XHiad>U*rbgn&q zJj-|Zn6LNq`&^xloO#5K{AfH2|ALeR1v(pa9)#@N7P_*+KxDC$s$u~MV1+?_>8NXQxx8e)6u%#NM4i3o z&bXDG|B(rD-~&&rojQ*~_WFVeS&cICiia2>dsjw++U{x<1&Oyr^3?P3Vd5~KYKc+@ zfixrwi2+#TJo-kCG|e=7FA{>(vG<>>{aZI^NiDiUm;=xzS`{}TLQN}To6_Zh9zN$9mZ7-i{uC-PcZ3vw{T9^zP^(OdEe=`| z@RE?Un&8$}WDqg?%qFmOZz5OvqG)9A+c6Vu@lvjkteilP4sV5u_#k9m{0n(r9U?Qm zgb}S%cVBfpm3?>99tcgD)24_E2u%`bjO!-N)4CQj8!n1gt@a z5SuKEuW*cNM3`}c8oHo^KVivg%DrbN_{ur!mFx^~CW1ao8h(r~ac1<@_}mHA>2Ipn zwck&@9Ki@^8&&TF7GQOEUgT^}c)WV9x@X>8NlBxZ$X5H_L!Tq8*O;HXEq<4Scb!PR zd^f05Pzwg$xO32$NEJ)bnMl7Mc}0B9k=gMYNa9)b&}BTzY7xVscGbOTpSWn()jMl; zT*rg-)|`Fo<2lXsh#B_C4{-AME`=E&2@~^(9CMVGHX)|KaA2--{72!y{MOVV;5WU) zmAS&Xd47L?XX0e!4Ud2a*-b4J6j&X~O;zFd|E)!Mnw%*)%v42m*T9jQ;r^ON@LzZ7 z6;zX?`m7!`c5jyBBkAb}B>n%arD4|x_hVxhuWgglfEFMliOZTovzNy(QLM>!9@z0x zB(2&jfod#%=E58?j}Bc&b{e{mM$uD)Vzjgn)Irjqq^g&LLt~gXBzlPe@1T!RGYDa@ zarRz)RTqBlL_=Gfm?QSKYplNq5x+MzP%>O4e-n@w1>$!cv9rV)$RX*VTf0#3IIqlm z_Ru`#`>oNyZDTm!6vtBPT_8q(() z1#8HA8UZXUiXmwdhQ-_hv1Y$a7e-|y!>aE{Y+GRJ6qwW2>BGKnK2JLX-8 zqaSqViXyDed`IO!d~u~PT?qz*?odA%1%Ak;+*%FYvMf&_HB@!H9T&CPe`ZNF|6SL@ z2{Tm`T$AabEzF%!y3f6IW(2xIx>F_x3B*^?z7zI4WrIKv@`N^M1!|E0K)wJ~+-EHM z66MT)BL6bt|4#t+1qu3+cH?CK*Wr;QX2tBSo^E~Kawi|Zz5JJ5zXy_Rlq3nB>#XK< zNb-kmf6J0&*oYg`AV~rw2_y+5Ip-uvvb7{nCrLVvBo&d#U`SQH;1@^|NOFltvURSM#CgYfh3D0DVLcfm#03iUZt8bWoPx&tQDnf zmZN4Z0b4eSJc_g^<^)yX(vvF0K*t972r9%L=|eBJ!G|t`51pGDbHUQv9eIe72IZW$ z1{h@=t#3 zLydV%udOhgx`=E#T1uS$Yn-9!w2B1%|LvVyQ`FHI1Gh6sXgB0<1@2wT3Q1N$K~O&o#QUSUb6u3CVi9upLn zu!rlU0jOiQsbi)65H1fT?R@{cWxGn+{S$Y8axUoY+mELP;)a^u55cS3Mv~*?VP0ZC zgh5ljsvXT{1kwc3d|jlumYufgZ*yrP8_+j z!?OX+j=moJ_|u%<_78wG8z;@J&USnz(o8zNY0~@$r-dG@nKXB~rg;A0n`?XFMR5Ey zzb9sR73ZxDD?08cYUn2;@6+-s=j@)@E2O3t_Od9fMZm7$t+MfaSPJDDD~$ReUDB_MS@@fshM8^?{L4kN)OS3*OzYr2zm!k~<(X=4yU6`E zueQ0z${@SZze4`2BsK!Yaw;d95ltLImRo_OC5c6fA#D-SnJ`FkohTgGo~h+jX$Z3p z3o9_Slxr%DGfZ$q6J!#N9ivQfmJ*4DcA6UEyRp=9ni(sSa5*(HeQ~7KoMRd8(Giws zpBadvu_)fIP&s6^dI>iA-Avt;_5H)Q{WzOFp8vm)i<5U&u;Dc)h@`{QRdt{4)3) z8l|asE{stHMCa$mBxL5)^`h~p-4Gh*5yGzqjYl`%)2qGV%{Mo?>Rw-N8zlerprm{L zU7dYXkH{l8_*S@cS0ZJ1*BxC%V(ur$i%U#5{t{oUxX~OZ*hp`X634NY)CrCa6?x^) zC|;A2vONP{bA*=1>+!$PLhjsB&rO7E7DNdw0NK(QffJH4DTp^;-lBSXby=b%(MDJ) zaGD94syJlRObFysty5wU!8*wjnR1(Xi;GR+aD-cB1s702Gp8X{83Ns?i0g$_bH zN3ltaLN+H@C=u2PD?zr3G(NV<Jz4DkH?J?gd;ylD-bbut&IV@xzPv#fyLfD z%5R!-EG1X-eUenk7@ZY(w(Pn;xFmtd)=XqibxD?-gfZ7zR9K?kwTd$yk*NZw>V>Mp zZI++>6ztjr;8`oc+{;dX8emRN-Ls?(QAkh+R~fj1vg^a+_Fbyq*-ssOq(A&--e>o=_x1eahatGins$|OaFvxv6SW&6 z%^giphtd{M+Ts;qX0Y?((=oFyJ6$u6nM#xD>~tt?0ff1;gjr_E_U#RBQFZ^GSlsH5 k_V-2BKOUlY@&Ex#He1?)Z*>Ct!lf<#2h0nzfx!?409PMg@&Et; literal 18192 zcmZ^qbyQpbw(WreMTrOU;>mL+vl20m~lMj}yryphq6Q@5f zEi5;G^4TTpmBQ$X$4VYq1qM9i3vdxUkze_(Vf-OaczAs+S(nbke81CTIQYC;tbgOu zr=t^8p29f9J1ZR+@KnmvopCp)u$Qv4zmBLmZ2F*>*YXfzU-C5WfA7RlV}@U3MXcV?g+IT^f(N2rD`3wr=VCK?@_PtFl9Mdc7^Wumq1FgUBM! zM~-QcjdV$BBGvZ2>g;-V_tXrk+t$qJ_Qt&jPr^(QLC1sq<0WqGo!hEm#zm)o2?I#h zj}S&$>G6wRwaMW7d(Ub0>&%*M;4Q@}9@-C%%o>xiGx_E^(rMP@*HK3xoAY&Sfh&gA z(k=O11AH=`WQCtyu@9|2OFAx#U2R_o&)x3HqGwg&FTC76Pw%rpr?8Bd?{Zyl{S+06 zrZtK#NHVzb6EG{n-e7$DDT9>RwyjWu!&2mZTk~hxV`;u+7x$>OsZ4)0kkRetEum$W zPtFg%0F#4wUBXAhnt~0*^z!>D-zf&;rWSl?G66tMoy1QjHFHS@MptypCXK>vx}}tw?>G9ld|%aZM(sIg4_6W?I~q zKgRMQ5X7jF>3$AP8S_cuxFF9ZeU|DW1+x@?1Z^01j<#6MJd+BCUk~W29fSLIl5O;K z0{iM6pPj58R%h!T$>S<#w?TlfbYq zMrGxvu=(jQ8%sEOfG0?}{bb&{ie315I{<;D#WY4ybe$wc_|It1(hMuf@Z`Z(UWT^q zgHK-c7nT93p4Us2vCx~D|9j`oOmgFiGt4{{vNep(-L7TqHv>0uTdqRigF3tt~9S|cZv-~=RpY~^1 zC8^rm?CHPnr)R^}Gp3~DuHd~D`DBGk8Pk6e${9d@^et!M!*LSh8GeZ zFKwUYt{CAKhx!gsU_o&KY%g6KERDRA$vy$?0$;(N!<+{jtcZHLBlDZAo=xc7Zm4<#6`YR%2rwKi;UKWes zFBFQ6A^LMmtdRP1_he=$R>IX-ZD(CvW7;cg zj9q>hx$x}c`*Y*HwgJG~H~`#rG{+I?l|S zcu3^Dhm(XXa?x|4HivBTlS{ET)|EHmQAK=!3?F6+y;-P=j)xKYyIy3< za*0j^4#z;;FNRt7f;aQWuGEvlgFX@uL$|Bl*W10qd@iXUEwY3`333ryk3QUjSkz7T zZT6FYju1v8EofPXM!$KC$##EVkB*y@0L&~@AyFEJh8s~)V{zipq~Z_=tcT;UQ|;Da zM=JGv2<&Q|m9y+`437$}ibDIHF!yVKH$&AioX9co^*)xPDN}!ocjh-_CIJ3BI%==^ zmd9>L6IN@c&sBBusoZILJYwp~&ILfD;Ah@d*0`Om7Q(7Gi~uK^04wOaM<&`blSca~ zu}w(xK2cD9^z(`Pe*0v5fd={>XMlMar#3?wujl0yGTE0P9^`vvsj zVjl|ibHt0pVkCGk){!6XouaVU*EL-4Z{9qdkIzVMY(HWkCA0xQq}5SS2g~4n!I5~{ z`d}FY>61;XSH-fl;t$H>EB>&nFHt=eaxclIBYbPXIu?Z3t%Q2J5Bz;_j#KJ*1uU%1 z5?P3iEW5tY3_}%RlohS~qciDm4l$L?yBK4#!+SUrLz%=??hRvzC*$=IJ$)?`FNnrezXZ{qcSZUE5IEv21-2`W?_>Nf6g6nVij~>wpQxq zP=h-asG9`&W$-+#!y}1PplK0U=-R?Ej{PWrE8v(q|57fCG5G@?UyI&`#B6+U-;m?&By(VYw*f#J zInC7eHRcu^_Eu5aR{!;ATg^Au%A@1sXvJ%hd6uWP8t0aF_kLea##yHG!F97x5N)nz zmYPHwsWcAsIBtWLW9a#X%UH6I5CbSdd8t^jW>h9vj?WsKD8!|Utz zz1Jd6gXQclsCk-vmLpE%Ey!^NWtsV4&XrKwDr|8I_Ut_5ar@9{R!p;KAin~~WiSdm zrv|E|Wjz~~c%L5|K?vJ96Opp#sPHrILv`Do_OGbN)~LkFy1VU#kEkkxR=FD;zQY_~ z1sZ;DH9Rl_1sHnziD>)f%74wqZ;p+*eaDAjs*w@DhQLE~C?JBulhzHcXXhg$3kbB! znYl5H0>csH>6v%*u_iqLzRB_9{@Be*H7-EdsV4*=-cEVfD$3T6Ni3_*>mSk&!5;MW zTqnnTJUWE=rX%`|lCrj^SYircOSk?C3Mf2Vt*YBTei7u%(#{e_IwPgc&1Q{I`LC#qF6L#qh!9D@zszOG%QQ z*Vlc8kQCLL=c=kp8}5~!jhS1Z``5OYxT|O^;v9yEI%%zuA0OB?!%F8M+(}XIvf&B&=)HU7Mmp* zHn}he=Jx^f#P=RXYX$RGih?*?xg^z897BjcsYB^10ev-Uuo&9dBxnL= zGSz2aDNIseZH8XiM5Y+_ij?dxR=#d$YhZq~bY=W;_rvueYQ+_U;!NE>m?&#kwKBe+ zt+_}h%1^aY6e0?#QGo1fpL~G~xr{PXfhnsDLSKPdV8L);VTcJeO|u7iu4*5&DNnNK zeeN%6Cbp>{qoC-w0z-zJ5a&&#&#Ft%IQX&w$V4Ww@9H(!_>$7b0?~#k;<05J=t9t{ zSKd$zAOHs9?&qA<+Mjq^BHL$^Vj8Sf^vHR9ynYB{R8I5RnN1U!z;paM%Ojfh&IeE0 zc9Y;x$`@6_WkA0#WyS@h7-nxuE2&g}%DrQ=NRkyzi2$d#CoLV%cm?3BI z$)|0}#c!K{2F)bWfbY)1Xqz`Zp_A!yoFxv_vyN2Yf*@SQqxokKO7vsZ_g zS87wsQu^M@wzD&z$JftJqxm%!KmLT^StorrqLqTE<5?z|Fzgrln(=KgLBH8sYT1lel8*r9hM4HzUi zNNTA!2(3oLw3dHs$8Q6gw=rhm$rw#aGY)VHzF2@6a$r+RV5<{iLc+Nu(WT@yTMp zNMhqqe}7rt(P3HRbyAsHO`bcg@OuCs(Qq};ddCtX*jslsoW^tY2{17jC6}YK8i_lm)A1?Kx8l!@VZ3IfbLv&M zIikoC_5=&YT2FTar2A_bI4(w`&#ns~TpY5_U5e81 ziQfdqHZT>Oej@$Ga#%tJybU8&LbD7BjShMjzAtU4IYe0n3gn9k!b#yD;6h(BOj)CY z2@i7;#T>vjPm*S;ot=thi_{#o{FD(|O{&D^6=c_mj1QqxL7}ZS*qPKT`5>(JF`6al zSUyb?Mep5D{GUm1pNM*V39O|HoYOwts^4V^@>lFIKP%|ls5vlj7@GIDUk{HCGCwR1 z^}C_VP*x;*BtMa`J+z?ea4$&+#H z*TOLBDqpF7R&-H3UNm{7+Keszwhp80^9<4W05++r+<+2kQ154$%&&>6Xz-b8s-i!4 z2$AmUs$WZ0<8loRA)9%`KnHcohiAFAW|qf8rAMlRM>bL(NI>tmOoSLiP#+dIN6Ssz zj)v?WLSHaSMNMTtCt;qkG|tq>$zWX#A2p^V2X!!`#RQ=rwNWZAz%xB~)D&EWVL=(j z-3j)yVJcGXaS}78jBU`;Hp1-S52vOl%3oipMR5@HbumkE(X%*{ zQeV7d)|k6kd!5ab@W=L5xj`7xHJth>cLYc;UFDZwz+;cT%DUua#aHLMxEte=!?$qj&l~n{y*P#ZcrjDJJvd5z{|E2== zFc<*JDiHov!Hz59FZQadni{I=Ldv&14`nhl$|_fUUM3c2=JZ{D=6Frr#c~EmJB8*H z7-$P%c>_K>ow79S(n_HN(gU>;8rWd}>D?w#TISRG#gFfuyvL?Uqz8`_9xWuigBB)K z<2U78=~L0bD~BrLkT1eu>~E`>k9tfgq>2~m=*)M8z%7lFv+V)Q#}Pdd%&iuzt)lVc zjo)?@w3+Cq8I^b@$`Aj%4b}3fZl*7NM zWQ(}CbRn;gRd;5P+DWT&b4+n@(2g~>jmTEZlkfBPeakP|3H$ardheYd@ge#D`tQ|+vcR3E)lmLvJ+J>#@b%^!Rt%+rXp)% z&X`FWms^^?I0n}~DKK+M>09PRn#SbpQk4N5Dqk`x69`f!mpZ%@>TRl4L*T$vs|Z(= z`FI8Xk8HCJs}=Z(mQ>WtdV*ui3Etq63F_wkrTHLX?+UN3&Tu4LIOgBDc%Lg$GTzbb(A)jizph^+t(^119XDC5Od=|a2p?X0FHSKvP99w~`WP7W zeFC99D%9SeKY+e3tI_10G?VEkBbiJUHEXgF9KD&fG{81wG9|t3X(7PC7gNZEknlq1 z6&eimM8dsFl&FM3EI>f)y{CUXSb9Fr2c7r?wRz=;l!mBAdz|FSQKDo|uYo(_%|@SH zg?7QJM15=EovCm-gHlk)Eclx5hZXA7L z@aZ>zE8OH9C4%NVrX74vq)f>Gj8p=1#4OcnLj|sn%qqXeTMT$m7Vcmf2BA;&`hMh`94u51D0J0=@CCJVz@|}Y>Y)t8tQ_$ zYj8Y&1D-nw%5G1O<%=s>5NBw)$9ZUQWVd>Yt`bSE@-U~`-t>mIh?=b)W@kJ%wuIX^ zbm-Q8!F_*yJ&-(9np)v2k_tSpFS!)>087q`!>~5WZ)Uca(niJ^qGmQB=EzXR)FW5q zixJ4z@G>0|H6%BzG|cdPp1u0C`2D8L)b`JaZh)pizZK(JX(~$_C>7%D;zMGkQK2Pw_FnxTK!?X<0F%R(YA%fn^c2jLpG$NTLh z{jJidQTfQfYSsM5^Sud3mX(oexcJ~%xOnTWa*zp5QNoAz8$7ee36OB0<NQ5&KV=$_izT9IxO-_WSAyRK-c;76xrkeHWLGYmvw0 zRG}Ke(-5E&gjoV{q4&90YA@1|+pZ%Sx-h3p>J=Tj+^pwgI~{a?hH#N0 zv*F$0D-R@!F6xz|Ihvh=g#C6ur-bbA`YLq{~I6x zpNlGN+sPg}m+CJHm&^a`?XR5jd|4H0L>MX4`FpL2PxV&q6M4HlzoWphH19;yUJj>X znu%Z@I5@6AjAQBe1cPE2DpTa4udkA*hbs>k_Ycd9nq%4?eymoMFMsRW+IZ{yz5Z3= z0|Tu*TwW@zye5|A?^}R;X!Lt0Pd_$JFI2sl)YR?5pcJA|1e^lizwjU)3J>NFz8=+u z#Z-<8nBQ3?dWE-jF9+N`ZXeNqH>n%94>wB%(BiypUx3aS!wzPe*r34yLylHl^9i42}9qPf39BHN=g)Uh%!^WRHt_)i8`Y&)H+j&}Yt}h~_c%JXP z+-T1qanjg^tsIXhZ3Bsfh*WHoZwB(EqbkRL|I_`ia1uG|Og#int$^K-K68NHa8yPc z%_Q1*GIwfHFA^!%pvlA!&2_eN+$hy`^9?p&|G)+LL_f%2j{F{)q7^a6GO(#%Iv z@Sv`oF%Dya(J)rQl96%I@034tn1(>wkI-?FUwN@g859;|Fa+9(bl_<0cWT5cGuX*) z1=)W3+7J4E6v>@>#3SF2?qe4^s{NE%bru9judxNn7wE6S|Er?R+kdCM@vte7IyEu1 zDd;+_y#0`}&pmmlCUNtYbn@G}YqR^hfcfR%WU9o;iQ0dMu+cv^`rp~UI&EO%8ci)h zhQ3xX>B|+2B-o|BD>zE;7Ax3>N2M=fFtt+sem<&q%Td7M?NQ>t3)i*aA=A}ri6<>7 zy67mm2&8$I|MS>K1m`^p@Q&HMkU0_HBRgrvXczdXdNWLb)c(BNSFh=N6lJ!*M4Qy` zvjgK#ta3`p3ChGaF=G_?yV9J2X_FF`xnTJB+GsZ!6tMPA*@U<>Nqa`EV#0aqwavI1a?LRx)hchB)za~`MSGnE_SP1$jGe{VtSuDl$ zE|*}xhtH#Uk8<|YQ540&_M*0sqUIEYXYgJ*HYiUTse%Hbso@o!Ya9KwjXc7)4Q0=k zDu+JScF<^L^KlGb1CM%PCO58sxgbL7I~0d#(6I?u9ymvoAeJU}`yif%Tu~pEyG%4$ z5`sdHz~thw0-J}NH}CP&A@5fH_vq|pU2FRN@q^wc7mV4>EA^@$3r)PQU(i#IsCqQW z=Xi?Pa^k`J53Q1#AH)(cY>%~~Laq6auTl#2Rf7KQt8`sP=o`+k%5S_+*^Yi5Yib;b z@-i#^zwuOdwp#+HsEj#&(PiAqO8L2*d+T?OIMT?dfYn88aE>k&hSfNAk z;%I6^;V0lHGQ1`dQZI=sX@_&{-?0#3X&C*FS~Yz*cv!itC=k_5eua!%+ zyjmxkmKaadjo_FURvL~vva9vlV(C?s2R;&K-y}H)&InVt93@dAB*~ZtbOhU(q5Xn; z>NjRho(CPeyze|^1y<))#*b^_@2&^?PF4Q>(JsYmy{QaZ$V%ejE!96Sir2t zi)exakFbGhz&|!9z)T@=fIhJg-<)p65MNj*0#*NUx(WJoo5t;-i|s5=#mwjVxB5*e z>XKhG-Rb~DXoRsQB4BUp>E9r*p6#5uBq<|U=^uE>=3MDAyi zM#P$||FEC0<|kGb&!iI1M$8)1hysTrQ(DP5z2Y^{YPF~Us^Hb$Hj;7uXRS$snf72Z zPT%j2^TyjToSrLMN@65mhR_^{ead66q!lXjVqF{_tc7v5f5cvSn~JflU2mM$1g?&m zzP0d@tIYz_q?l`|AsHlTdueRfjqtj zH*X)U{D$|BpKo{!jJ;3p?~McZ@sjScrmJs{Mr!+T31w51@#@uRg)`ct-%i#kxn{Er zBvo&M4JRzDZ&#J8?*gN$pkG`$K0_YnK(qFA~S1 z%(k4AOAK4t`~GrZ_sdjpz9=3mLfS55FJ2SH>4Pd}!X!PQAKc&Yd?D*z z^L6nvy!CcG(+S+Lxu|qqY@c4$UWj!W=>H{MjfIXg)>M0pgCDk}_pFapavxePRrECr zyzh|q7-`e6rEp{o2iqH#>p8G-9!%{9{iVrZb3ZW_9eTriKqJ}Btk&Yd)ukcKq%9v7SL zb#C!-w@@k93-0v$^9N^EE0hxEgaVNDQ7Fq38#)rOG+VyCMz6zleAAig@KI5(ho}Vo zGRp(23W-mKH^zv(#ZOej(!{7RR{RH{i_l+lIqYBNvfI}>r0B4~;{VHBX1KxY;dEaL zXjG$Ou;iO2 zrg%QC(=*f=flIZ8b637TZr*atY4|ohxLCKmym7pLkdj%EvON4lHzeU#c(YGP$g?~y zU-ELhyy`@JisD4z7T5O{GkZ4WywcegGR~R{jlfhf3o*Xr{1oItYhSjVBqf_p`^E zT$fdA4;4Q{oWA4<>FAlJk*;i`{jqn7l9C;`dPR# zq~9>{mjoMOAoYNugu=gN0i%Q3=3Q9*#lmM&(xvPfwU`ZVPOiEu4|Jo|#L8deoVo>` z9E=Vl-xf5}KpRnR*zO5%{m_Ye3~E2^lFCJvB=8P)?6_^X^(!A)9m(Ll# z4E>xruqOs=0I5bnm^W#rP|uKVCyGvLnki=VV&O3Jp{1tAr337`^Jil~;rw@>S)n&d zhGvx+QQ0EXU(@7^YFd7l;sg}Dfd&yehpNivC@m~31T`zE=~!6RpnnN-dkNbt3phV8 z(szfyAh=iI!{6jg9%V7D?X(!q%JmP9i}qHOta(ty0vnGwf?~_g1+7p6OY>E40EhW9Uv@+%rqLnYEqs>(~omN zQ*HG6JsI%j8HWJ*ndnzLyJvDPlOJAj6pp zl_2n4l$$XXfUj`e=2vc@;6RXnf27Trwed`=efZ zZ^s*5?ff{Web<@dI)$C{Ll;NuT;vQ*XEI>w?w@OuGdh9l|45gzJTPyz*aRuT`X#ky z{o}nT!@jcP7cMBwhf1Y{Uc!(vR6ptSM9juw47_{(T(s74?udZjMzy@sRT_laNK z3Y1|N%?DM15h1RjlD{}4JH<6Vu}{)OV~3R1g;L9Rst}HTH}~I_RyISQ)UhT7_ki)(xbIFD2Pq_kd3-OrB!OR5!buGl|0x{ zqOXDFOUX2y&iHxjZI$cg$S54ab4#mh_{9iqG}4=1i)iXkCf{-Xo0VWY%_(K_EgnPv zoydJZCC4EXuStl|`TNc{O;te_XBR^GCR(;gkwVi3rMsG^;KWh@Vd~Vf<#xWY{K5b@6$!+ZLt(oA*&R_VN=RA_4Iz|VIQxe z>>PmMV4qR2NDfN%2b0S2rky)<($C$Rvw9OfC$za+KJ6kS`HK3AZXtn|FmOvh{>!n6 zzDO^~FU08GL4O`0ycOePG+!CPre5T+WW9#9<>cDn;tmqzox|Fk{_(KPcp_QsxPAR_ z3JxMThm%sHK)d?M!q>JLr19aVLM8y`oaiv9<=rn5Pad{vcH101?yS0@`RZ^9CPsin zLeUw=YAg@ZkO0PzfYHj=h-k&r)82u%?GF=z?MH1QYD+6RnJx?26j|CfD-;2EbbOG5 zdIqX~K3zXJ_kdWQ#uqlx{K6(A=wxJM?7j;BB02cCJ#TyBIt%{dJU_RzIJeL>uO_7!$#3&aD*CVC^JS*02yElNWxUFh+iX zO*LP|F0Qt&W{(OpdzWLr1S)n9AFnlte9l@v)_SSOvRs2NJ~6fwUfgCz1rg#)ZSV2# zKeb3QvVhT%?!{Dw`|l36OIUIRujeKC}!H{l{%*DpF7u z(VF&1Pd4Y~=he8a_j!DDr3jwszhiMCDORgNL;REkcHl_c(o?|#@7)5RPCv9!(xm|0 z1ljn?O5aY3!S6(g)_AVKiZ}Vb*!@JA2bucis|S#nW?J*3bH_sriP*~DEykI9j+4Zt0GLYBFYkf2gi{xm?WAuzyEqdM`fa=;_x}t zvz5iwWt>=RrF(y{nekxq=$>`|MQ3iy?HDQqgRJo^)7Fn({Sz<|v@AeB-UoBma2Lgb zsxVayP|~)~|BJExuc~lX7B|*xI**J*Lx#X` zUMzq54hjs%zyDzs`>KZ_3^AC*GAQbH;3K0>);k_C0G_mj-XmuHi{V z+SmWwp-Sd#G|Qu76^XPjC}2mOz~q*j?TJS;$&+=fr!dG!F>ojtix^??$2N#CSjmCJ ztpH6NH`9VROR(3vK8dfgFv= zKeJBr53jUl)ySCDzqzl0Di&Ost6@u6dHf-B6uO9L@+)3kV_<)z^yTDwGCd zAqhG~;yZ$eM2o+n53YSL-q%Ud3{384Oxs>%fYN4Fg?8a`dDE zu~84XxBzIzGmgY0wBI5P>C)Pa@}|X5Gs?$OZH|^*sjG)uxm3rNNlq?o*LU}uJ>367%XE*CBKU9d#u0MTt2rAI8(k%1DU%3d8w%&WSoJrMs-hX4&6Sd9TDTx?@ z>mFT~r)T%6XpR5gN@#F?a+@OeKGrF>xC4n#dZ%M~9j! z#jdsaOC|mfVycQZ55k9YFRcS2VwL6cLXw(!-C8u*@vNiS(7hK3OL*UWp7}Q}UD%>* zw#7!JOs6fM=1n$@9Uh?2=6vAz#o~4DTjy7|+P(1V;pd;cW!p4}{HTIGE)2QFh78>U zLiC!=m01gZVM6Em%37u2jr2+xd{_JiY}Y-zU*7$pj=ApmEcD4eYF=MCWj@Cfqe-) zII?L&1Ir^ko_#UhwHO3BNmbv=@< zS9<=@(ZRdhf9Oo>Ii01d`Lew`IAYvqCr9c`BkAuL(s`}XxQ|6ihrJM#Ji&Kx@Rg47 z4Y{{C)o(sYcs^q+U?<~VsMu2JNgN$lU!XUZ*;d0%5#=|9B0bx?*emq6P*s= z+5ecr_`e*&Ac_*L7J*s#aq{mdpW&-}l|tl%t>yUlfW7OK9W&xe^tj6TNYOeIk}0?$ zEer$19umK-v)q7_&ZdE130^GTN7w!{Eo=`zs&Hc&lQn7czaDQS;ZF`N<6taxKSQ`_ z4T9Hj9UaCWh&>_^!a5P@ftPVqBarX$+A_7uS~%7>i~)MEc6mc9)q-od2XaB(dch*G z?1=CnGdN=NUX2+x=2mX~veC9g@ov5UVbS^e&I#r;6kGKNQ=kT}#4>V=G#NqOaPd2) zGt%h&7&E$a=;4@D4;==FbN80vrgQSZIrR7@dnohEx1co{jY_fVRLmj0JRm@3C}+Tl z$}Lf`JPsH8M${O-7(|rrA5&w>_LWTS`CmH6~HrX%9gwB!w zU)oejqfRMBO&J{QqlzN1SPTuEazF#8ltIXV?RY?rBKgIxHeJe8YA{1(5Ex?GO_hR% z7yvBx9V@JCcopgZ8|E-2?8V-5eQ+Mr#kybG9<(&Kx~OrhRcc%DwvN!wtjFul-#OhB zIy+{!)u>72(ffg3j(IkSGeTESF|BLHGQxljUa3f@9)1GqUB+&IgKXcI<7--bJF{Dn z#!p*cY)lRe>|X!CE61Z49sqM@r&gcjX;y}VxS)LgFQGSESa0YHncNowO^TqzR z)-7LOeO}cT#2xcvKU?ARvJ|z}CH`{#Z&`Hd8i$FYW;Y6XO>|2m5Yz*7Pl*j_5>4St z5*)H)3^6c+_!lFa6Q8j`gS9W-SX1@t!o!2RRL0ZF0=A9b;tCt1z^rxDek=EPlYIA- z_21@DcPu{Sw)C6ekUQ|7frlc+WZvR3&+sfq=M#~fzgcRlH^qQE^}t6i*|j0d2`2Nj zziHtHt4ok&mH|&(-A0NWwdIKEX*!A)+zhLC5OnP*3d1l>Kp0xMN`Dm8Efq-(mS1@Z z2rdo+Utgtx*Z`UFl3D<+2qPJd?hhuZmk@_+%Qna{7VqY9>sRfs6Q-9AStHrZaUbCm z54*_-qOyn`m>6)QYdiHw3Z%;f8wNDWLN8U=aXpAV5^7&{dy4wJefzPiMFro`CRKD{ zE=4<+N(wjX6R9?VLZL-uOH^z`?C-dUw-~E@aq*<)E5}qwKqD)@-^?z<%bX{Z^yEg3k2;r4YQSP`X-V>=d}&Z{&&GBX<9~6RZM+y8vU^UnDhPCle}{| z)}ZJYguk?3@22o~ z#+90IAefx%4lmYl45V+EgAN%q{M_Oi{a{?eSM3wh~3Frg?Q#?nbj!-0>j2T$Nvu0dFM@3lG|w)z|8jc7~2`H=1Qqd;lTp6CVWl zp187Kv%WhoGnakb&XQt;z1WKsY4e5uqtQc!(#U|NoP`i&fEL2Xja>499KiN~8fK zOi;iMED_uV{(>YOqPKuXWz6@aAJ(fdtMsske7udEM}BNlo$tip1GMi?)@RSx(kDo= z4-}CH@iMKgkmSrH^Ne=pFV~>`38@w&^VAW?f~su(WX3HQ_3@qS>{(jy%M!>(E11H* z<#Skt+_^%dx&EGjh;Kzf-1%&=S`OXhzv**w*11anVrirg#8zpDMnsH$OHy@`X`*f9 zcVSG{Ic~yrOmsc3^4;)dMzGzO9MoJoWUx#P!9Zi_cl22+Z$xWuC2M#Re_QIF&#WIk z4GiB_l{8dxk9HqZFU$+tI*-2FE%||q5uzl>H}Rm0XDJqdZSjFaCIEZW$S9r$7vQ2o zO(hryD`;_m7M1#o6b@acS2Q|R^pCOvFP4VAEFgEnidHbXZmMc0L#CsQV9FiLHV(}* z3!4VU+Z{K4jAIk-#ZnKajL;owoSs73E{h1A4NsA_l()kLTLo1~BlYvv*l$0w_s@w{lOn71!=DSub|?3fXWaM zEH;JnEejPsUL~fG1BBmY00Fj2A&n%7`W4Y)Zuvt4njaO_{~s~F7WN{>H?P&-UZTy| zBtg>{A4hEkpqqbbFPndqec-e-XscmSn3@cBt>Y{%GWTJ#7mSmJTFVhwVQ8z}T_p~7 zRPeNsXcgku1C6U+``~|j|CGnPCfR&XeUcNg_THSvkAfnntD6zy-+ zU5!CQIqdiQk#}bae7FL8O&FDFk|XERbXIlt3(5>=RKFy#s1n>CSUf&eCgpK-d;G4Q z3dSCe?3%K+6))2urNqCdi;kiM;fHsR@Je>ITiJBc$2p|dBw@k_3{g@bQG~Y3W3HCo zp+HH^NL%}+_r6gv&e6|NZ^u_$*HYz8w!G*R>za8{v1!(dY`HQ@qj}>qXJT)P3bus@ zy1OMyo5&Bg*k;^Bqat8q*@4qn#RaKLIano!s0C#Nu+O+gda|}r(TQB0Zil?~kZz7` zGK`{n+tBwNm=s-3LsaCHyMlQB@Bm6U)U8O|b*!o^nX;z3K#iTy+;FgD3%({HeM*~{ z7;=5MG8hp@<~iz5X+8N>8(RYW^p)Rdv-Sn=UQZy#WDSPr3cpy>V;L4xaosZ<`6+h* zNH1Om$>$Ym&njcBNO&?MV{J?j=-oO{YG2mi%7G zl?`}v{~x;SY_WW2A->4-nK;hHq61+hz&%-Ior8>t?l+H4HSvX= zuL;73YaT%9{CN?!;NCa)sZ*MS$oX7huQcBOxMt+Ue_gXGBk?;i+6+YjO$yo!`mBqK z;%&75P-kFrT0~TYH+yO4c;wQG7BDDz-wIMcBeTpTHRG8t6R(BkYA#tSn9A}49 z9(~PvK(uufbun)k?x=KRK$S0;%Z15ThwvxdPk$bRj+g=A+MTAj3o2vS$&_fMSC8*I zvT2_@=e}f}oJq@IGN4!cUc(bA<`wu*D(qRV@X`tG;ob&-+AaqjDwf%vHo zdk+;P>;Nf*m^;K6tJ1rypft4)lU8LBA~^-q*~54hB}27}9$xZ{Tq>{B#W*2$ZeJ*- zYT@8gwV}?Pd}&S5Rh9D>*K_;Br<#?y2N%gXl-6>u#bI6S{m9hxsyJ< zb`Zutg?br^65g@lPNbGW&T`b`SoGp$Exjte5F%px-$s%~^3)}H1yx~1oJ;X@-D#R} z^lw3!V)Xc9<#0vzTE+JEKUBL_C4}Zd*zn>)=32%6Mds6ulzr4H=&}_!9a@-j^ua~6 zW4%k0y`djR@tVB9F}K!}yncOMSU0`VI4mb${-~$?RZ^AoGGq6lsb5^kr(a7*9s*4; z1_Dl1tUkVYk)n`X2;e;(G*l-KfyY2~m!V>(QAr39{Ofs!0&=6y1MWAJ!9ykU&vSEk zRi>lu&tIMso!eo+YBCV`Q708g4uCt}%WBmGbhRp;0{oAk1~p{C6HS0hS}=bk057h? zKw7nJjo@X%^pkeTzdwCg6J4EX9X@QmA8tO(%M6v7V`OKb0iys?X~9ju08PBN z_8W&PoPfhmf_&DuYTOZVHTb^FZ^g;PwQwE%W$boUiHyej5O0t;y7m6NuXOzx!s3sS znM&%|(Yg56kz95!v5tjfjt-cgABSe^K~qlTFx0nJIT?|cEA(&;0Dv*uyo`;y$G@u>$MtiI%1&~3frq_!n%?Y&!(;{Tj&en{r^S!-k>mSEwK1TE|w$C)DZ*Tsn zdh>TH^TMhRInGQ)Krw!syd z?( zk3?BB2Exq5abjXO6exD3H)D;Y1;m}0(3EtfP|Q6Q88R5q4M&XE;R~W2`(H^|37Zay~m zS+8w$mbre-^EGvqR@oEwe9!QleklLzyTb)8?|xi!^*>iDtoeI))$?@6bALa7yQg`{ zdVbG(Xt$@p1J>>7TJkwvF>dml)Y%Mi#Vv7t*ZKP|cogO3Juz`IJDtMW!*CO}S82!k z2Z79ce<7_dC1tGCYVxg{nzN2LodB-kRNYj2sA$4kuCjkOwd2`tF3p$QV7B4g?1<_H zd5O7Oe*0c#*84K&kp_d^g=13#esIeiy#3~Eg|44w>+`(_;}3tBxF?dcP5n4?+xNsD zxuFv46vUZ|6xrr67b#XPUT!Pi)UPhy#CvvE=p;4PpBzt|fUEZy&YLsr*A#Cu&6*op zzw{gb#h;GB`3kzbt-mf7{VDp&E_@#ML50_5{k{-6Rwv(s&UqRl8QUASH02bIH7}-%f115a#{1;e1m8(okuK@BHr1JT9^E?DoT8rBCoomV(sE?_3j3ZMx2%V0Jj+o7&1ZMXz6 Date: Tue, 8 Sep 2020 16:09:49 -0400 Subject: [PATCH 09/10] Updating snapshot with timestamp info --- .../isometric_taxi_layout.test.ts.snap | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/x-pack/plugins/security_solution/public/resolver/models/indexed_process_tree/__snapshots__/isometric_taxi_layout.test.ts.snap b/x-pack/plugins/security_solution/public/resolver/models/indexed_process_tree/__snapshots__/isometric_taxi_layout.test.ts.snap index db8d047c2ce86..fc0d646fd62ca 100644 --- a/x-pack/plugins/security_solution/public/resolver/models/indexed_process_tree/__snapshots__/isometric_taxi_layout.test.ts.snap +++ b/x-pack/plugins/security_solution/public/resolver/models/indexed_process_tree/__snapshots__/isometric_taxi_layout.test.ts.snap @@ -212,6 +212,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:0:1", }, "points": Array [ @@ -227,6 +231,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:0:2", }, "points": Array [ @@ -242,6 +250,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:0:8", }, "points": Array [ @@ -287,6 +299,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:1:3", }, "points": Array [ @@ -302,6 +318,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:1:4", }, "points": Array [ @@ -347,6 +367,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:2:5", }, "points": Array [ @@ -362,6 +386,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:2:6", }, "points": Array [ @@ -377,6 +405,10 @@ Object { }, Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:6:7", }, "points": Array [ @@ -584,6 +616,10 @@ Object { "edgeLineSegments": Array [ Object { "metadata": Object { + "elapsedTime": Object { + "duration": "<1", + "durationType": "millisecond", + }, "uniqueId": "edge:0:1", }, "points": Array [ From b14cb3bb93ce370b76fe1ccd91afa38014a4938f Mon Sep 17 00:00:00 2001 From: Jonathan Buttner Date: Thu, 10 Sep 2020 10:44:22 -0400 Subject: [PATCH 10/10] Removing todo and fixing test --- .../common/endpoint/generate_data.test.ts | 8 +++++++- .../common/endpoint/models/event.test.ts | 2 -- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts index 08ad9c6bafdf8..7e3b3d125fb5d 100644 --- a/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.test.ts @@ -433,8 +433,14 @@ describe('data generator', () => { tree[value.parent_entity_id].children.push(value); } } + + const entityID = entityIDSafeVersion(events[0]); + if (!entityID) { + throw new Error('entity id was invalid'); + } + // The root node must be first in the array or this fails - return tree[entityIDSafeVersion(events[0]) ?? '']; + return tree[entityID]; } function countResolverEvents(rootNode: Node, generations: number): number { diff --git a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts index bd2996d101300..2b0aa1601ab37 100644 --- a/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts +++ b/x-pack/plugins/security_solution/common/endpoint/models/event.test.ts @@ -13,8 +13,6 @@ describe('Generated documents', () => { generator = new EndpointDocGenerator('seed'); }); - // TODO what should I do about the cast? We can create a new safe descriptive name but - // the front end won't use that until the rest of it is converted describe('Event descriptive names', () => { it('returns the right name for a registry event', () => { const extensions = { registry: { key: `HKLM/Windows/Software/abc` } };