From 3d5c8ce300f68f241cd512ce89cd7679d05da999 Mon Sep 17 00:00:00 2001 From: Marc Guasch <marc-gr@users.noreply.github.com> Date: Thu, 14 May 2020 15:02:37 +0200 Subject: [PATCH] Improve ECS field mappings in Sysmon module. (#18381) - related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364 (cherry picked from commit 096b88e3afb88b7051e40a15d9aa7111b1376a63) --- CHANGELOG.next.asciidoc | 4 + .../module/sysmon/config/winlogbeat-sysmon.js | 131 +++++++++++-- .../test/testdata/sysmon-11-filedelete.evtx | Bin 69632 -> 69632 bytes .../sysmon-11-filedelete.evtx.golden.json | 182 +++++++++++++++++- .../testdata/sysmon-9.01.evtx.golden.json | 151 +++++++++++++++ 5 files changed, 456 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 31c3f2012bf6..09d99c3a6401 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -63,6 +63,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Add support to Sysmon file delete events (event ID 23). {issue}18094[18094] +- Improve ECS field mappings in Sysmon module. `related.hash`, `related.ip`, and `related.user` are now populated. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364] *Functionbeat* 
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 8eea4b8a558f..f7dac99a4e82 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -332,10 +332,21 @@ var sysmon = (function () { evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); + evt.AppendTo("related.user", userParts[1]); evt.Delete("winlog.event_data.User"); } }; + var setRuleName = function (evt) { + var ruleName = evt.Get("winlog.event_data.RuleName"); + if (!ruleName || ruleName === "-") { + return; + } + + evt.Put("rule.name", ruleName); + evt.Delete("winlog.event_data.RuleName"); + }; + var addNetworkDirection = function (evt) { switch (evt.Get("winlog.event_data.Initiated")) { case "true": @@ -361,7 +372,39 @@ var sysmon = (function () { evt.Delete("winlog.event_data.DestinationIsIpv6"); }; - var addHashes = function (evt, hashField) { + var setRelatedIP = function (evt) { + var sourceIP = evt.Get("source.ip"); + if (sourceIP) { + evt.AppendTo("related.ip", sourceIP); + } + + var destIP = evt.Get("destination.ip"); + if (destIP) { + evt.AppendTo("related.ip", destIP); + } + }; + + var getHashPath = function (namespace, hashKey) { + if (hashKey === "imphash") { + return namespace + ".pe.imphash"; + } + + return namespace + ".hash." + hashKey; + }; + + var emptyHashRegex = /^0*$/; + + var hashIsEmpty = function (value) { + if (!value) { + return true; + } + + return emptyHashRegex.test(value); + } + + // Adds hashes from the given hashField in the event to the 'hash' key + // in the specified namespace. It also adds all the hashes to 'related.hash'. + var addHashes = function (evt, namespace, hashField) { var hashes = evt.Get(hashField); evt.Delete(hashField); hashes.split(",").forEach(function (hash) { 
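Review bot: `setRuleName` skips the `-` placeholder, yet the golden output in sysmon-11-filedelete.evtx.golden.json still ends up with `"rule": {"name": "-"}`, which suggests at least one pipeline (event 23, presumably through a `convert` mapping outside this hunk) copies RuleName into `rule.name` before `setRuleName` runs, so the new filter never sees it. Normalising the already-mapped field in the same helper keeps every event ID consistent: `if (evt.Get("rule.name") === "-") { evt.Delete("rule.name"); }` at the top of `setRuleName`. The enclosing `sysmon` IIFE starts and ends outside the hunk.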
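Review bot: The `hashIsEmpty` function expression ends with a bare `}` and no `;`, unlike every other helper in this hunk; ASI only covers it because the next tokens are a comment and `var`, so please close it as `};` to match the file's style. In `setRelatedIP`, when `source.ip` and `destination.ip` are equal (local connections) the same address is appended to `related.ip` twice unless `AppendTo` de-duplicates, which I cannot tell from this hunk; a `sourceIP !== destIP` condition on the second append would make the intent explicit either way. The `addHashes` body continues in the next hunk.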
@@ -372,16 +415,31 @@ var sysmon = (function () { var key = parts[0].toLowerCase(); var value = parts[1].toLowerCase(); + + if (hashIsEmpty(value)) { + return; + } + + var path = getHashPath(namespace, key); + + evt.Put(path, value); + evt.AppendTo("related.hash", value); + + // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364). evt.Put("hash." + key, value); }); }; - var splitHashes = function (evt) { - addHashes(evt, "winlog.event_data.Hashes"); + var splitFileHashes = function (evt) { + addHashes(evt, "file", "winlog.event_data.Hashes"); }; - var splitHash = function (evt) { - addHashes(evt, "winlog.event_data.Hash"); + var splitFileHash = function (evt) { + addHashes(evt, "file", "winlog.event_data.Hash"); + }; + + var splitProcessHashes = function (evt) { + addHashes(evt, "process", "winlog.event_data.Hashes"); }; var removeEmptyEventData = function (evt) { @@ -477,6 +535,28 @@ var sysmon = (function () { evt.Put("file.code_signature.valid", signatureStatus === "Valid"); }; + var setAdditionalFileFieldsFromPath = function (evt) { + var filePath = evt.Get("file.path"); + if (!filePath) { + return; + } + + evt.Put("file.name", path.basename(filePath)); + evt.Put("file.directory", path.dirname(filePath)); + + // path returns extensions with a preceding ., e.g.: .tmp, .png + // according to ecs the expected format is without it, so we need to remove it. + var ext = path.extname(filePath); + if (!ext) { + return; + } + + if (ext.charAt(0) === ".") { + ext = ext.substr(1); + } + evt.Put("file.extension", ext); + }; + // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives var commonRegistryHives = { HKEY_CLASSES_ROOT: "HKCR", 
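Review bot: The new `hashIsEmpty(value)` guard runs after the context line `var value = parts[1].toLowerCase();`, so a `Hashes` entry without an `=` (or an empty element from a trailing comma) still throws on `parts[1]` before the guard is reached, and the `!value` branch inside `hashIsEmpty` is unreachable from this caller. Assuming `parts` is the `=`-split of each entry (built on the lines between the hunks), checking the split result first avoids that: `if (parts.length !== 2 || hashIsEmpty(parts[1])) { return; }` placed before the two `parts[...]` lines. The enclosing `addHashes` starts in the previous hunk.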
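Review bot: `setAdditionalFileFieldsFromPath` strips the leading dot with `ext.substr(1)`; `substr` is the legacy API and the `charAt(0) === "."` test is redundant because a non-empty `path.extname` result always starts with a dot, so `evt.Put("file.extension", ext.slice(1));` right after the `if (!ext)` guard reads cleaner. The helper is only ever applied to Windows paths (every `file.path` in the goldens uses backslashes), so it silently depends on the `path` module's default functions understanding backslash separators; if those defaults follow the host OS rather than Windows conventions, a comment stating the Windows-only assumption (or an explicit Windows-specific variant, if the module offers one) would make that dependency visible. The enclosing `sysmon` IIFE starts and ends outside the hunk.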
@@ -606,10 +686,11 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(splitProcessArgs) .Add(addUser) - .Add(splitHashes) + .Add(splitProcessHashes) .Add(setParentProcessNameUsingExe) .Add(splitParentProcessArgs) .Add(removeEmptyEventData) @@ -652,6 +733,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -727,6 +810,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setRelatedIP) .Add(setProcessNameUsingExe) .Add(addUser) .Add(addNetworkDirection) @@ -792,6 +877,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -833,8 +919,10 @@ var sysmon = (function () { ], fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setAdditionalSignatureFields) - .Add(splitHashes) + .Add(splitFileHashes) .Add(removeEmptyEventData) .Build(); @@ -888,9 +976,11 @@ var sysmon = (function () { ], fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setAdditionalSignatureFields) .Add(setProcessNameUsingExe) - .Add(splitHashes) + .Add(splitFileHashes) .Add(removeEmptyEventData) .Build(); @@ -921,6 +1011,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -956,6 +1047,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); 
@@ -998,6 +1091,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1039,6 +1133,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1070,6 +1166,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1102,6 +1199,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1134,6 +1232,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1176,8 +1275,10 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) - .Add(splitHash) + .Add(splitFileHash) .Add(removeEmptyEventData) .Build(); @@ -1235,6 +1336,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1276,6 +1378,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1294,6 +1397,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(removeEmptyEventData) .Build(); @@ -1316,6 +1420,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) 
@@ -1335,6 +1440,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(removeEmptyEventData) .Build(); @@ -1389,6 +1495,7 @@ var sysmon = (function () { field: "dns.question.name", target_field: "dns.question.registered_domain", }) + .Add(setRuleName) .Add(translateDnsQueryStatus) .Add(splitDnsQueryResults) .Add(setProcessNameUsingExe) @@ -1425,7 +1532,7 @@ var sysmon = (function () { }, { from: "winlog.event_data.TargetFilename", - to: "file.name", + to: "file.path", }, { from: "winlog.event_data.Image", @@ -1446,9 +1553,11 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) - .Add(splitHashes) + .Add(splitProcessHashes) .Add(setProcessNameUsingExe) + .Add(setAdditionalFileFieldsFromPath) .Add(removeEmptyEventData) .Build(); 
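Review bot: Changing the TargetFilename mapping from `file.name` to `file.path` means that for event ID 23 `file.name` changes meaning from the full path to the base name, which will break any saved search or detection rule that matched the full path in `file.name`, yet the CHANGELOG entry only says the fields are "now populated". Call the change out explicitly, e.g. in the changelog: `- Sysmon event 23: TargetFilename is now mapped to file.path (previously file.name); file.name now holds only the base name.`. The surrounding `convert` block for event 23 starts and ends outside the hunk.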
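Review bot: Event ID 23 (FileDelete) now runs `splitProcessHashes`, which places the event's `Hashes` under `process.hash`/`process.pe.imphash`, but as far as I know the Sysmon FileDelete `Hashes` field describes the deleted file (the archived copy is stored under that hash), not the `Image` process; in the sysmon-11-filedelete golden the value now appears only under `process.hash` (and the legacy `hash`), never under `file.hash`. If that reading of the schema is right, this should be `.Add(splitFileHashes)` so the value lands in `file.hash.*` / `file.pe.imphash`, where detection content keyed on deleted-file hashes would look for it, and `process.hash` would no longer carry a value that does not belong to the process. The pipeline definition begins outside the hunk.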
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx index 4258ea01dd7caab6fc52b32362eccf8777dc8098..d3a5da13484828b3249a7ac033995e4966a1d7b4 100644 GIT binary patch literal 69632 zcmeHQ33wGnwmvu9tYl*wkWCobH6aUuggs;-vhV1y1`;5c1xXNuVUa~p5n+&J@Hqs5 z5O#*mjVC@qR!8vZpyGlbkNHF&Ps1*s0p2;?UG!3+y2HKLIO$IAty5KhRh>F@{;KM} zefy?lk4eqS&IIG(RuX1m=z>ZB;VvV@<M@b<(`I^HiBo}N0mlN41sn@F7H}-!SirG> zV*$qkjs+YGI2Ld$U}}Ms>@i8>a-YI;eEGmLed#d9XJP8%Fn}+r0_>iDI9W#B`#aTt zWc`+4Z4LGO@G?UHz-3>6^XvkI0*J@-4oo?1ArtvylQOShn{?E}HtD#o;CCwNl=d2? zjWOuc3FE)`P%c1iLmN3tU6i*`k$WOG73+M*P!C}|J$~>vuc3*es}b3v1;CUby2c|P zGsgWqsClzft}vGif?b32W<JhJlALlr>-mzGR-BujcCh(!><OU~tH6sWQU~dHC)gKK z;2Fq-TqwZ!e0=$hS2Fj7`N9;)fo#mo#|&Rr9E?L)0Zf3l&=UXhVKk;>A|@T>NDQ+u zWg_HZEDy#YG7{r?nBEd5V_q(XF%X4+tx$@Bczn;i(|o=z=Ht43`!tRf8@Idxe$XGD z#hMGG76E(`Z{L0r^<pD>aasWMky?KS+sZ)HM9giCuT<uY-Iuwc7b=^BnE;`o;PQJy z@rUL$+|U&!NhL8W48kfUR)U@go2nqLru%D*^*AJBUQ>Mek;_pv%})nGU#ub>O_qh- z&yrLi(}lXh&nL7J__<w`;g6WWJiS(+KMYb}S!k(T%<~DY3~o1$aea(17ti?E7kVI& z#wuF^0fBs=E=KAqews4P4FjaHcuIo!P=hXLfDxhq9oy>rL2n#D8Wu7UHRqz5e4!CW z7<0y-2!QUG{Va}K9@;Sj?M_f%sNqJl_rb^#rN(xPDr2Krl1-Bknu!X~5M>}nG7qtc ze5(DlAl(SELTDa8s8Y!lgx;dgC8?D{G}i8i6_U!NiEMeF&>#pRUFKmSHX*!msWK!< zFw!Gi(uA3HDB@C66@~|041z?gu>ch(Zz;f@%Jqi&Lzo{;3N-9-A65ZsTCR!ubeBRQ z<Sw^w=U^Lb5_xM+Aa-Dir1&JMA$fSyNDmxMAYFn!4^(`1Gy?PSPthU(0{m!drJ<dd z5P%jQr`VPmAT$sHD!IZXccRIdjydR}Nr+5GN6MA-ra=n_m)mvwb{7QDtVRRZE;m3j zR1UfVDJOHq$JZ5x=17OJ*cR1M01*;lqwzfg(_(-uP8G4KxG*vR2bBhA66VW>1b7$` zer#4A)58x2V$Y}zrFX$lt&%&m3N&;BE>Sq2xuqBSE6|IM0H}elDw6C*iCzH^B;l~Q zlpck#a0r7m441hZBBmz(DaWj%S5GeP+US&PCHh``AV3C&boe4Aq>!5Ki8|}2tOyv4 zX}LJodFcH4*l&5-$-#IojEJ8wxWxzGCGGFwcQxykU%xDG`IZv<$P~m9**9svkf-p! 
z{WPN<TOdeInE!U~y)B<=JoTm43Dr@3Lg7dTph#;k9m%uF&Da#4ELEG1=`=egU`T5* zdE1M5Zk(~GQObP?Uw$+z`nm$p!zZBznRjMJpAZ}p8tBGKd9ta3_Q#<tK#MW*`h=iH zgpE+J($LE_S2nmdn_hiFd?1X<G*`;hQS0aFkO4j+l^}rdR5$g9yh72(eaE$YLePl_ z)lfl^k0>Z#bUa$5#$qphLVRUhtb(InD!5Q-`kW}?3Lq87hwPGzC27U*3GtIlKBAPY zp_cSRC!|G?mcx8R`pd|c3X*hE+6YEn@^v#qI*gLq@d*il5b6O<o77L;C?%rL&~i%? z7R^LHA%WP28!3T<jRc5P$UsCPc{aXY#n&o)xgi8oT?(6N368*5ob=uX8c0iVTZqPG zxh=k0Vfj|LI43~6x);0T9oRMeF@G8=fCZ@3Ae;lcqR%9vzYI`nl;?+jI6n+E%pXZu z<Ip=}l+Wc4#kR&`nH(vHc#*HLg0N$ebJ2*1hFIx63g6|81Y>8UG&UKy%(p`PC@h<+ zl#4_w(d=ukK_X6q6Yh{>D6X@4XlY{QQ0yUXZziA=t<)QVt<W|h8^<6HtrQDwu=RM9 z<Is+z18r~!P17oES0Xi%tW!^HEe<*$DgpmeFib*ki-Rs`!5FEYE)pUd<rK`Lzf|mD z5?Y<wYK^T@8;_wc^+cAXVS0aj?|`KeFee!?NvKymVq!3l>WIhGM9fRY_h`(E#ZZ=G zunfhhbr+6u0gl2X)LlAgze)SfS~yuK6R4bl@A9O@_MP6E$<MfqGx^h<UMuOWnaL|F z8vG7s^0L_33a#7`UkmW{Cw!T+vkkH+2FHvz8jt?e24gW2JNNF~HN4hl*&YEnM8wGk zIF<u3OvAONA9~0DcoMy_2gb;MdSHHk^oV}Q<i|0Ee1kZuU-gD6s~-7q4tfVMJ0E#U zGZ1a>$*Z;e;!6{kX=_Cr8+lt!J7StoiP<X0X!oEZhoXjeXCv*ysBL+NP4ghl2pJeJ zko=!Kn^;A>iN?Iv3aetV2gHbYv>dU4I24QT#6n^V@kQoM3Z@fJh!e!J)>wiL9VaM( z_&~f!!w~;<$Nk|&H6J4{rgk|mo&T-F9bISKHXXp}nU3EnFPbR4co9SKsztLJty-<o zb7`fL*%65;@ffF7D<k!t;Y+s3=4d74MSo;Rf8<CC&ZK2CAzyRac`r;*Pg>>D<ojdM zGgUV9N0!hE7>}z*EcRdw_Keoy2uUL5M_{ZC`a4Mph$GJ@DGpOcq5nr?4RM${3QJ~S zPvrF_4m~*m=XLV%R4f&Xath*T_2_~%()y5!aw_J>U_4n`1LCn1F(<W*^@Y|pPyT2` zbX+3-ILGhH0{)7+fjIBz51PtH<F-qGFg$H8?&V<R)v}R6=hes^iO1c^(g{{^tdLRf zoLhU>;%VxvX1|_jd&7piqM~Xn3Z(vDdHoeBWO_QGcP(HXcYr9N-|>8CEX0$xFaERn z^x8|ebe^A-b~x5OFiqbBaeFG(Do!n-l|1FczFUXag1>!yh#%jz7V%+%5^DSA$lkL6 z&xcr{fAf40<4MyFdj`J#T5_YbqBf0goLW^#7f>{Zd3hOZ6{o3MBYMh*6Su<G;`J8W z)`xME=hPuSEL1{G*BsG{7U22tXgT>H#*?ZY5B%?>nkU10F5O(Y_w$37Wa!m5FE8V* z;`Ft%n5TTGf3x9Q2(*t6E9br>@nN45vVJ+CcP+s4K|Bxh>x21zY1rwO#Ul#-qw|hi zwYK?9Df~{~195vQ)+$adp_M%4L*JVd*Wz`1+t!DX$x9_Z%vC~d-yGR{7U20HK5ymu zVD6{elS|UwOV;;z?x*9~ecyE{mx5Uz#O*N@fK{AYLMwU7hmkku6hdYD_@M2JBinBQ z=1)8y=z{|OV0fNyJhrS9R$k4smk+ycepCp-4j<I<sMr$oPo59;h36apE`0dlX1zkZ 
zgTc1_QnQqU(tfFj5>{+)ynnst{Z+jG;rUQa$OqEA?v$+e+U;GFxTw*((rKLzuGIHN z+@6Y+aV2onpRTj8gYk4E{HR=)kCyeB70)12$Z)zuLBwd68l{ni5NaPE1gbh&Hdui9 z6VC_wJg&cV+lE#xhBx|^79)~bc@<-oH);v3#Mh_I<z=JZjY?-0;%%U|tq<X)`=#}v zl@jtAJ1O3<fN|W-&RcmtnEPpQui(|L3(%!7<n0M{-&_BMUT>@C1y*tT+F8s~K1?oM zum*38wv7+0A5QpSSb+Hx&xeX}{_uS1muv8*afc5NhCAA>#ohTpH^$N}wEBbL`Sl0C zhoOU-uP-v(Do$7Voe0zCPJ)SG)cecQAJ^a)ZyY|D*sY>uGk>b6>%;ldc5Cn}Wey)I zio=`q^X_~Q&)dd%mYUIjXU6Jzfwytu4jc7ucR6_tRJV^0?Eco3=bZan#Utlgu5sMU ze}Aj_eW#26b*kpAt6x`Hb~^wX1g{#S*Vw$gjJJx@*Un;$&n#{h8tu~U^0FfQI<jr+ zL)5H~rRz%rl+a9nC*NBZ5YNN>eo4GOkX8*xf8TUS{n_2#32ySkl#6}n5fz$4+@1=w zic?EyB~SVA`sJb`_=A0X2w!tjzTT>Y+P*om_bgzX2k*!A*3Wi~oAOBY=Tf(yX}TnC zQZhaBL~~g6bE`N_)f&-LK5V&sy$ByXVcYspobsi_hmVv{(=|u*q6IwXgSnqZH@#dG zzv{`vHyU(!ZRUr!hUwKeFE8V*;`Ft%n5TTWeHn_NmVJCU@>z+*hYL!``sIY)wSeb* zFyAkIceeL;Cl2Lz+4K6)6-N>kd_vs-IiM>1$^(Px%mfsc#WJ%*D3#VWj)30P4$J zC1m|_LhoAOx8TDElO_};bPP<~`;VMS@Wh5_eGjbqxmBFLb{6xL4~dsX6+vzL_yCu_ zmbwsM>znd+g_*z!Em(l(gZTSB{Q0yPPb#GS?b}g@77y&YpxXH9nM3HwXxhWPyo~lX zPOAei8|||A(yk3q$38x=>#e~@oa?RpXn8NiIPT@Y-dfG{{?;p-zZpMZ;pSfZd;j`# z`rgPLdhM-VN41L6*Un<)om7o>S$nB;13uW)w*6At)%vyRzTT5J<dF5t3B79p<G2He z&j<MRL5wGD9}Zi$^G}60doCE?qj#-?u|4!XFfT9Tt>W~xvzVuRxO6FG1JtvR59g;t zUE)LV3^`=|azgJ~faimFU&8aDn(6wm_pj%tcl!1(Y5T_n%};n|>1+BPh}%=KR&i<x zt>h^md@l~)fKSJ^ZGF)8#gXl|0P`oF56|F(OzElg^z?G|V0fNyDn=x+@+!vO^XUN> z^ETi!w{7FYNWV~NeVD6+s$Cq(n-<{xRlG0Z`CvY8C!TBhP1Wq1iL+zc1Ripa7_HY| z+@6ZHic?EyC7xf}TwXTXW$eYb)<FaN_`qxEq}XWz=1)8y=&`G#aeYYFsmJg}ztVvO z5msJ>G&9|osaRg(>*F!n6r<jIFCJY74IMscZB&tE=1)8yD#rJLj$W+24u3brw*At| z!BNtFX`d2SWMBMk`!3#>@O-FhI&TLZYda<M*_l1(_T4nkx5}Zn_5BgIr(&(*)Dl{W z@mZTDl8x&_t&&IA!6WwZp;=I6i4Q%LP^7z)ckdQ3j(hp9x0;_nZ2#<o_QOwq)@$E; z?Qbl5)jdbAtyMp_iqqH5VxIEh(GtARq>+7mVEu5y2g3r)pZN8mns9yK`DXk+&||{# zYVW;`Q)@0uGU`3GWZrscY#$$@o=BJ0hXG1hmd;L^=N2%Id-?D8Hs3GN^NeTy^~B@5 zS6}$hHTTWm<^8QMmz-J;P3+^t`!Q#v`}xi(q30v-)KHcMcs_{dVSaru=Y!#Xz8Jk8 z;`UUmRh(KvE3x%Wn<kQtcKN#G`}O!+ueO~}i*$AJetQcrf8zO&i9i1I41OA?|5$<H 
zjeccSb5>r(+k3tB=aQ)P(9Ge3Ivy2UV*bhVVG8~<VjujuHvPfy|1Ny!cs+4FG`Eir zJ6gp^=MV9za;Ueq6T5#F5Z@QU^TGVS)748;GFQgdPF(Qj_!p|b_3>f7?&9`TtW}&^ zLMt(TYSTork;hM8|H~$5VILnvx;lBky#<&*@qFlsKhZk{f0{R0w?;6$(XXs(&dRHJ zd-*Wy`r1wKsKW<!JSw)t{FCQH3jQeV<D79A-g|to_x$10>lZfRZ|~Z6K7F#lSK2RK zQ9{n(PJ&k~!27HCb1$9`=JWQ}cNg}boVK&q&fGt5J74n4alPW=_EfC5aca$FNk+Sz zz20FH{@S%|d?-stC(S+!u=$?nLo4CuX-2=Y+5^^}ijNVtqvFbz`1;Dmu~ehpao2in zf=K)L5ME`Av_7;_LZ+t^de;KRaWDV(MI%i8^w*e8-=Ca3v+K&~Gv=JBGvlPb2j=JF zGTtgqUptF=%7^4@t2aYS`}nY6^fZYNTa=LX%L%<}0iF-yeF?ulSh#;_>&rC{PF<R^ zx#PMKr*lFE>U$t=PsLirsU@_Mr+ip(t#~s;*~f>%b#+4M`=Vbcp|)?1>^%$cd=T$T zcs_{nr0L|@YgfEq?bW2hoh>Hp&OFsyuf2JB8E+M*ubss_<wMc68=E28K0dJLYwSL~ zNcmkb)-xycrUiIDi1#HtAI#_NS4LO=@R7+w()N`uA2cj~SU0`?;`UUmRh(KvD|yO? z8`pw1LyUcVIC3~k+Ar<+L=Lrmb7b#XfaimF|HJb^j3-Sych9f$#JcCYFYCSa&#$Jx zXZXD=^YU_Ut>VhIji-DFxH@Dr#M;M);)cs5K76EvW%tra_0$49AH@3-o)2O?>38<o zA#=ume=vFFye3<#Mzk~B+F@Q^?xR&)*%tAX4@0hIY=&0$@uBQqIjMG8fcX>8hiv?G zdJNvpmj{^|<rtpln+7BhS$P#=ejQ82@)BPkkI|+W^&Wq9Pcg(fe9+pcBFoI5cs_{F zAB=uw)rPD+6>l#e{`2agVrcE~K^>2ZEiwP(`7jA4lwlf%_Z}bYy<g*_t2K+Ejl+jB zhPpx~G5_ZIkc4-8x5PV``snP!@ZRHtuKGI>*3O*-@a#N;)nnBA;VTV_A>KYdlnls} z&ZnynltZSc6MEMI#&HJ_U&rD3VE(<e#k=b5AKS5K&o}13@PxZthu!)fh}%=KR&i<x zt;F+2o6E~ayF^}jx)>7d;{&gulVYa@m_PA+s4Bc)!{}Gk2mJ%@t)3Tn8z;7=QSbCC zvo}IphYw<_Rh-<r^C1Ir@#%c}Z;JvjywR_$T8x!f@#gE0isdD~J|3e@G3veJ%BLHl zox=yMjViLt{E1&5GGU_hw90Iqc^Ka4S2~a&!pf@<d(Wp2T&cSe+S|v6w7myv(EUrZ zlu)&cBYD#TyuXU~={z6I_c5iBXHSmV(zyGEi1?<h_x#XVufO<yaTP1pOU0Ef@%$<q z$5M@Usd_wOBXqEj4@@s7d@wA){E6qo1Q><8r6~qA8Q$nu2H0Jrth@>^=beh>CB8l$ zqfIgD-T3&7jnL6PKCtHrgvUA06VQ&6w`JqF1Bm^O=Y#qDzF@?PFTR?7ve%ORZO^0~ zTokPDgSb5vYZa%K&`O^2q2Tx{+n|$ue9-pAk?pqt^QZFif#(}QC0%!{`nlEf2dg-p z5?sWn_x$5uY=h4B@!_p?hosLRzE(m`VJE>W7BG%Gn0%ha^TGV{uWE-sd81w6hNRso zCznpRu)3>War5#r-YQOCJBu+sv$$Dkw9BdEKWu|U`}i>K=d5r#pDt8FGyR?Xd$WLX z+{@30IN|3Hq}B4TPe0Xh?84O5LoUz0F{GK{d6icE+$yeYJ9x^6AC9-(23_pqLt*k6 zX?=KXjvSWVODEO)77+U#zdo3MPscwMhRhHDL+`(bu2?>=_!GnLv5VVN`)3uWme5L` 
z@*)0M_id15A0M=Rab)`~!2F5l!x;RftPK1FLVqwkzy9cPcZ;#|YQAUZ1$=#K&1FeO zy}KWKbvr(C&9>*wjNDVdI_;MhzS%$u%hK6N^V|Z)aWDUV$$Z|<^&302(?e~0&i*u} z<xl;d{8q2Ed3hOc6{oMA#XRN1s$=W7LyCQTfF|dq{Zb<(Wc_kN?^=N8Lu=vr0KYzn z@ucmy*-bChY|*}JVR*~yFAr$)-})YymzVKYar)X>%u_yWJ$7w7K8Vn^^?~)n2_Fm# zFn{9tkb}FWeEdxAe*gZoy?iJ==D!`f+Q*0Df`3Wt!$(T^V0cAE&_cW~;rSrOlf~9o zUmp1RumxRTI(l|>(pSw&^;R@5FXOG^^tH1X<1>q!g~oL=>}a3ukY*nr&M*AC#E0OQ z<<LxjC;#3oU>x`IpFfy?K3#R;$iUP8<xVWR_4bn|1`i6-YiiZct>W~xvzVuR7=AQ; zJAUcO*)K7JR`8JdQ+d}1o^RF+$=XxV_U@OK9NoDEy4lBvsCxesK(-j5gsNQ}$(t77 z{Z;IDJRih(()If4e@y(P+Y8;deLJGb%{6gj_4=Eam+|JG`|0b|$9R6}^Nlg1T?&sL z*aF?{<HL^XKT7+h&y>)puM_u<1&rekAofq559a%r$bY7^xcqKX+M-&!2L0cN@!H4I zU?;@wslBv{Q%h(iPx)~9Xz&*3VILo~eQ{*_Ex`PV=Y#nCf#;j?`=VC;+}k*@O^tf{ z92vF+e*noje-N9k!sOna52NupWJ!>1_=K9_jecd-V641~H(!TTEHCl(@fdB2QSX6A za<@P)hYwmCRb-j@6Td!;#^*0(;j6XIJPdF2D;-D>VdYhb)%(KL5?YC`Pn*ljM!hqR z?B5E#?c>AZtKUiI)4P?B*Vsw9KNb-0e|SEa`)T_%(_8~rJ=}XX#6%6;bR=A_x41nO zYZa%K&`O^2;mspQw&EkEY}+rr?|xf4pFXFA+P*om_bgzX2h0EYgZb~roqVXv!Q{(l zs;ob|%m2*h4d&^!x4I9qiqqH5VxIEh(2<9>LSOs%!202Y4~7MpKk@5>c;4puX01Q0 lJr!*)A09f<Vk`8sj}JS}&FpkzCO}%VSyHIl#gRl7_<taZ1w8-& delta 858 zcmZozz|ydQWr74F(?rQ+76FO>7d8jFe`nmB;QoRDG10+rl7N5)BLf7W(+wbDCI*HN z+zbrbAL<n*8ahlaP-kH&YVLo&xj~?XQRo9F0|QJ~)M<M`N0rTDLTs!|+$@t{$eiB% zQrv-Q^Kse3j7%RmiFFeZ&K^}lC}JrLq0NlOEWoJ$)R@Tdfnm|}VjvqvCopV$3F5<O Sh62G?AU;Eb{BVomdyD`~JYS^% diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index 1e36d89016c6..31c7d0a7a26d 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json 
@@ -1,4 +1,93 @@ [ + { + "@timestamp": "2020-05-07T08:14:44.489Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", + "extension": "exe", + "name": "test.test.exe", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" + }, + "hash": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2", + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "hash": { + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "name": "go.exe", + "pe": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2" + }, + "pid": 2184 + }, + "related": { + "hash": [ + "199e1cf5b2250bd515ecccf4ca686301", + "d90d8c7812aec8da0fa173afa1293ab2" + ], + "user": "vagrant" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": true + } + }, + "user": { + "domain": "VAGRANT-2012-R2", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 612, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, { "@timestamp": "2020-05-07T07:27:18.722Z", "event": { 
@@ -18,7 +107,10 @@ } }, "file": { - "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", + "extension": "dat", + "name": "lastalive0.dat", + "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" }, "hash": { "sha1": "115106f5b338c87ae6836d50dd890de3da296367" @@ -32,9 +124,16 @@ "process": { "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, "name": "svchost.exe", "pid": 776 }, + "related": { + "hash": "115106f5b338c87ae6836d50dd890de3da296367", + "user": "LOCAL SERVICE" + }, "rule": { "name": "-" }, 
@@ -70,5 +169,86 @@ }, "version": 5 } + }, + { + "@timestamp": "2020-05-12T06:48:27.084Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "directory": "C:\\Windows\\System32\\LogFiles\\Scm", + "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + }, + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "name": "svchost.exe", + "pid": 820 + }, + "related": { + "hash": "5a9bddf83be530b481f0fd24db28a6ff", + "user": "SYSTEM" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 1188, + "thread": { + "id": 1600 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2243, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index 3608a7889edb..cddd6776a82a 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -119,6 +119,9 @@ "command_line": "C:\\Windows\\Sysmon.exe", "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, "name": "Sysmon.exe", "parent": { "args": [ @@ -133,6 +136,10 @@ "pid": 4860, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -202,6 +209,9 @@ "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, "name": "unsecapp.exe", "parent": { "args": [ @@ -218,6 +228,10 @@ "pid": 5028, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "6df8163a6320b80b60733f9d62e2f39b4b16b678", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -387,6 +401,9 @@ "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, "name": "WmiPrvSE.exe", "parent": { "args": [ @@ -403,6 +420,10 @@ "pid": 4508, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -483,6 +504,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "a00:203:3000:3000:3000:3000:3000:3300" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", "port": 62141 
@@ -557,6 +585,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": "NETWORK SERVICE" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -632,6 +667,13 @@ "name": "chrome.exe", "pid": 1600 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "vagrant" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -707,6 +749,13 @@ "name": "chrome.exe", "pid": 1600 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "vagrant" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -782,6 +831,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.255" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -861,6 +917,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.255", + "10.0.2.15" + ], + "user": "SYSTEM" + }, "source": { "ip": "10.0.2.255", "port": 137 @@ -938,6 +1001,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "fe80:0:0:0:e488:b85c:5262:ff86", + "ff02:0:0:0:0:0:1:3" + ], + "user": "NETWORK SERVICE" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "fe80:0:0:0:e488:b85c:5262:ff86", @@ -1013,6 +1083,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "e000:fc:4300:6800:7200:6f00:6d00:6500" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", "port": 55542 @@ -1087,6 +1164,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "169.254.180.25", + "169.254.255.255" + ], + "user": "SYSTEM" + }, "source": { "ip": "169.254.180.25", "port": 137 
@@ -1164,6 +1248,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "169.254.255.255", + "169.254.180.25" + ], + "user": "SYSTEM" + }, "source": { "ip": "169.254.255.255", "port": 137 @@ -1241,6 +1332,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "fe80:0:0:0:616f:32fa:b04f:b419", + "ff02:0:0:0:0:0:1:3" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "fe80:0:0:0:616f:32fa:b04f:b419", "port": 55717 @@ -1315,6 +1413,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a9fe:b419:0:0:f880:2301:e0:ffff", + "e000:fc:0:0:0:0:0:0" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a9fe:b419:0:0:f880:2301:e0:ffff", "port": 55717 @@ -1389,6 +1494,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1467,6 +1579,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1545,6 +1664,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.255.255" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1623,6 +1749,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.180.25" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1777,6 +1910,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" }, "host": { 
@@ -1837,6 +1973,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" }, "host": { @@ -1897,6 +2036,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" }, "host": { @@ -1957,6 +2099,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" }, "host": { @@ -2067,6 +2212,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", + "extension": "tmp", + "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" }, "host": { @@ -2127,6 +2275,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", + "extension": "tmp", + "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" }, "host": {