diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index ae08bd0d16f..2ad730015f5 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.26.2" + changes: + - description: Do not populate `related.hosts` with IP values. + type: bugfix + link: https://github.com/elastic/integrations/pull/8684 - version: "1.26.1" changes: - description: Fix exclude_files pattern. diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json index 02abbb7bb34..27d3f898163 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-cspmsearch-streaming.log-expected.json 
@@ -48,7 +48,7 @@ "kind": "alert", "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": [{\n\t\t\t\"Key\": \"cstag-business\",\n\t\t\t\"ValueString\": \"Sales\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-accounting\",\n\t\t\t\"ValueString\": \"dev\"\n\t\t}, {\n\t\t\t\"Key\": \"cstag-department\",\n\t\t\t\"ValueString\": \"Sales - 310000\"\n\t\t}, {\n\t\t\t\"Key\": \"Slackbot Env UUID\",\n\t\t\t\"ValueString\": \"C68EC25E-32BD-11ED-AE4B-0EBCA3237C75\"\n\t\t}, {\n\t\t\t\"Key\": \"Name\",\n\t\t\t\"ValueString\": \"CS-SE-Demo-KALI-ROBERT.WILSON\"\n\t\t}, {\n\t\t\t\"Key\": \"Slack_User\",\n\t\t\t\"ValueString\": \"bob.smith\"\n\t\t}, {\n\t\t\t\"Key\": 
\"cstag-owner\",\n\t\t\t\"ValueString\": \"jane.doe\"\n\t\t}],\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}", "outcome": "failure", - "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2", + "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2", "severity": 1, "type": [ "info", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json index f8648225622..024db95ab1d 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-detection-summary.log-expected.json @@ -166,7 +166,7 @@ "preserve_original_event" ], "threat": { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "name": [ "Malware" diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json index 1a1f97d4c94..365a72db6a7 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json @@ -105,7 +105,7 @@ "preserve_original_event" ], "threat": { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "name": [ "Malware" 
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json index 0e2155ae470..a43c256defb 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-firewall.log-expected.json @@ -55,7 +55,7 @@ "host": { "name": "TESTDEVICE01" }, - "message": "Firewall Rule: 'Inbound SMB Block \u0026 Log Private' triggered - Action: 'Blocked'", + "message": "Firewall Rule: 'Inbound SMB Block & Log Private' triggered - Action: 'Blocked'", "network": { "direction": "ingress", "type": "ipv4" @@ -84,7 +84,7 @@ "rule": { "category": "fec73e96a1bf4481be582c3f89b234fa", "id": "4877172638743447345", - "name": "Inbound SMB Block \u0026 Log Private", + "name": "Inbound SMB Block & Log Private", "ruleset": "SMB Rules" }, "source": { diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json index 7602c7c5155..93403c9f671 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json @@ -70,7 +70,7 @@ "preserve_original_event" ], "threat": { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": [ "CSTA0009" diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-recon-notification.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-recon-notification.log-expected.json index 5d9c78e938e..5f44c2d3705 100644 
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-recon-notification.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-recon-notification.log-expected.json @@ -5,7 +5,7 @@ "crowdstrike": { "event": { "Highlights": [ - "Some highlighed text \u0026lt;cs-highlight\u0026gt;test\u0026lt;/cs-highlight\u0026gt; \u0026lt;cs-highlight\u0026gt;gdsfgasd\u0026lt;/cs-highlight\u0026gt;.\n\nAs an Some more text" + "Some highlighed text <cs-highlight>test</cs-highlight> <cs-highlight>gdsfgasd</cs-highlight>.\n\nAs an Some more text" ], "ItemPostedTimestamp": 1686873909000, "ItemType": "post", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json index 99c4a3cf7d6..6e4ff2df0e6 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json @@ -54,7 +54,7 @@ "host": { "name": "TESTDEVICE01" }, - "message": "Firewall Rule: 'Inbound SMB Block \u0026 Log Private' triggered - Action: 'Blocked'", + "message": "Firewall Rule: 'Inbound SMB Block & Log Private' triggered - Action: 'Blocked'", "network": { "direction": "ingress", "type": "ipv4" @@ -78,7 +78,7 @@ "rule": { "category": "fec73e96a1bf4481be582c3f89b234fa", "id": "4877172638743447345", - "name": "Inbound SMB Block \u0026 Log Private", + "name": "Inbound SMB Block & Log Private", "ruleset": "SMB Rules" }, "source": { @@ -540,7 +540,7 @@ "preserve_original_event" ], "threat": { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "name": [ "Machine Learning" 
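Review bot: The new expected `Highlights` value in the recon-notification hunk is a genuine content change, not the `\u0026`-to-`&` re-serialization seen in the sibling fixtures: the old JSON `\u0026lt;cs-highlight\u0026gt;` decodes to the entity text `&lt;cs-highlight&gt;`, while the new line holds raw `<cs-highlight>` tags. No change to the falcon ingest pipeline or to the test input sample is visible in this diff, so either an unrelated processor/tooling change or a regenerated input is behind it; please confirm which, since a silently regenerated fixture can mask a regression. If the pipeline now intentionally unescapes this field, a short comment next to the responsible processor along the lines of `# Highlights carries vendor-supplied markup (<cs-highlight>); treat as untrusted when rendering` would help downstream consumers.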
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags-list.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags-list.log-expected.json index 4578135cb31..2e2b4dceb29 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags-list.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags-list.log-expected.json 
@@ -48,7 +48,7 @@ "kind": "alert", "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": \"SensorGroupingTags/TEACHER, SensorGroupingTags/XYZ, 321, 1111\",\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}", "outcome": "failure", - "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2", + "reference": 
"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2", "severity": 1, "type": [ "info", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags.log-expected.json index aa849b00883..41d316136f6 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-tags.log-expected.json 
@@ -48,7 +48,7 @@ "kind": "alert", "original": "{\n\t\"metadata\": {\n\n\t\t\"customerIDString\": \"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\n\t\t\"offset\": 54712611,\n\t\t\"eventType\": \"CSPMSearchStreamingEvent\",\n\t\t\"eventCreationTime\": 1663009688832,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"AccountId\": \"XXXXXXXXXXXX\",\n\t\t\"Region\": \"us-west-2\",\n\t\t\"ResourceId\": \"i-0108fce80eXXXXXXX\",\n\t\t\"ResourceIdType\": \"Instance Id\",\n\t\t\"ResourceName\": \"\",\n\t\t\"ResourceCreateTime\": 0,\n\t\t\"PolicyStatement\": \"EC2 NACL configured for global ingress\",\n\t\t\"PolicyId\": 26,\n\t\t\"Severity\": 1,\n\t\t\"SeverityName\": \"High\",\n\t\t\"CloudPlatform\": \"AWS\",\n\t\t\"CloudService\": \"EC2\",\n\t\t\"Disposition\": \"Failed\",\n\t\t\"ResourceUrl\": \"https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#InstanceDetails:instanceId=i-0108fce80eXXXXXXX\",\n\t\t\"Finding\": \"Instance ID: i-0108fce80e5ab5129|VPC ID: vpc-0e886040c27d9f526|Network ACL ID: acl-005e6bb98e75ac17e|Rule Number: 100|CIDR Block: 0.0.0.0/0|Protocol: All\",\n\t\t\"ResourceAttributes\": \"{\\\"ACL ID\\\": \\\"acl - 005e6 bb98e75ac17e\\\",\\\"VPC ID\\\": \\\"vpc - 0e886040 c27d9f526\\\",\\\"Platform\\\": \\\"Linux\\\",\\\"Instance ID\\\": \\\"i - 0108 fce80eXXXXXXX\\\",\\\"Launch Time\\\": \\\"2022 - 09 - 12 17: 11: 06 + 00\\\",\\\"Instance State\\\": \\\"running\\\"}\",\n\t\t\"Tags\": \"SensorGroupingTags/TEACHER\",\n\t\t\"ReportUrl\": \"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\\u0026policy_id=26\\u0026scan_id=1a8adc1c36aa7d83e90e5c06\\u0026service=EC2\",\n\t\t\"Timestamp\": 1663009688832\n\t}\n}", "outcome": "failure", - "reference": "https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26\u0026policy_id=26\u0026scan_id=1a8adc1c36aa7d83e90e5c06\u0026service=EC2", + "reference": 
"https://falcon.crowdstrike.com/cloud-security/cspm/assessment-drilldown?event-type=cspm_policy_26&policy_id=26&scan_id=1a8adc1c36aa7d83e90e5c06&service=EC2", "severity": 1, "type": [ "info", diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-xdr-detection-summary.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-xdr-detection-summary.log-expected.json index 518a438d35b..c8bcaf5da6a 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-xdr-detection-summary.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-xdr-detection-summary.log-expected.json @@ -62,7 +62,7 @@ "preserve_original_event" ], "threat": { - "framework": "MITRE ATT\u0026CK", + "framework": "MITRE ATT&CK", "tactic": { "id": [ "TA0001", diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json index 30e4e867dc1..5d1825e5908 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-data.log-expected.json @@ -92,8 +92,7 @@ }, "related": { "hosts": [ - "ip-172-18-63-230.ec2.internal", - "172.17.0.1" + "ip-172-18-63-230.ec2.internal" ], "ip": [ "172.17.0.1" @@ -209,8 +208,7 @@ }, "related": { "hosts": [ - "ip-172-18-63-230.ec2.internal", - "172.17.0.1" + "ip-172-18-63-230.ec2.internal" ], "ip": [ "172.17.0.1" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index 1c1d647e731..e78bd4c2337 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json 
@@ -81,9 +81,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -179,9 +176,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -278,10 +272,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" @@ -391,9 +381,6 @@ "f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -471,9 +458,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -573,9 +557,6 @@ "d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -682,10 +663,6 @@ "hash": [ "1701000200" ], - "hosts": [ - "67.43.156.14", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "0.0.0.0" @@ -778,10 +755,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "0.0.0.0" @@ -886,11 +859,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14", - "0:0:0:0:0:0:0:0", - "127.0.0.1" - ], "ip": [ "67.43.156.14", "0:0:0:0:0:0:0:0", @@ -1001,9 +969,6 @@ "a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112", "1284133626" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -1096,10 +1061,6 @@ "hash": [ "1701000200" ], - "hosts": [ - "67.43.156.14", - "0:0:0:0:0:0:0:1" - ], "ip": [ "67.43.156.14", "0:0:0:0:0:0:0:1" @@ -1186,9 +1147,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -1288,10 +1246,6 @@ "hash": [ "3469235958" ], - "hosts": [ - "67.43.156.13", - "67.43.156.14" - ], "ip": [ "67.43.156.13", "67.43.156.14" @@ -1372,9 +1326,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] 
@@ -1448,10 +1399,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" @@ -1531,9 +1478,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -1605,9 +1549,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -1689,9 +1630,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -1790,10 +1728,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "0.0.0.0" @@ -1883,9 +1817,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -1969,9 +1900,6 @@ "2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2042,10 +1970,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" @@ -2142,9 +2066,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2250,10 +2171,6 @@ "hash": [ "1479784503" ], - "hosts": [ - "67.43.156.14", - "67.43.156.13" - ], "ip": [ "67.43.156.14", "67.43.156.13" @@ -2373,9 +2290,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2449,9 +2363,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2542,10 +2453,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.13", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" @@ -2646,10 +2553,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" 
@@ -2750,10 +2653,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "0.0.0.0" @@ -2839,9 +2738,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2915,9 +2811,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -2988,9 +2881,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -3065,9 +2955,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -3141,9 +3028,6 @@ "hash": [ "1803419442" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3247,10 +3131,6 @@ "hash": [ "1701000200" ], - "hosts": [ - "67.43.156.13", - "0:0:0:0:0:0:0:1" - ], "ip": [ "67.43.156.13", "0:0:0:0:0:0:0:1" @@ -3329,9 +3209,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3407,9 +3284,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3482,9 +3356,6 @@ "hash": [ "1156120155" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3581,9 +3452,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3658,9 +3526,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3721,9 +3586,6 @@ "hash": [ "3155796140" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3812,9 +3674,6 @@ "64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20", "2037712541" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -3892,9 +3751,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ], @@ -3973,9 +3829,6 @@ "c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] 
@@ -4077,9 +3930,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -4160,9 +4010,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -4225,9 +4072,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ], @@ -4327,9 +4171,6 @@ "c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198", "3967242894" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -4415,10 +4256,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.13", - "0:0:0:0:0:0:0:0" - ], "ip": [ "67.43.156.13", "0:0:0:0:0:0:0:0" @@ -4614,9 +4451,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -4702,9 +4536,6 @@ "70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -4904,9 +4735,6 @@ "d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a", "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -4967,9 +4795,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5074,9 +4899,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5158,9 +4980,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5262,7 +5081,6 @@ "3967242894" ], "hosts": [ - "67.43.156.14", "comp2" ], "ip": [ @@ -5346,9 +5164,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5429,9 +5244,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5516,9 +5328,6 @@ "hash": [ "1284133626" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5590,9 +5399,6 @@ "hash": [ "1333055909" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] 
@@ -5687,9 +5493,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5770,9 +5573,6 @@ "hash": [ "3967242894" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5846,9 +5646,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -5944,9 +5741,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6022,9 +5816,6 @@ "hash": [ "1284133626" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6093,9 +5884,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6167,9 +5955,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6255,10 +6040,6 @@ "hash": [ "2300098580" ], - "hosts": [ - "67.43.156.14", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "0.0.0.0" @@ -6344,9 +6125,6 @@ "35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027", "1620585913" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6431,9 +6209,6 @@ "hash": [ "3712162471" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6516,9 +6291,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -6599,9 +6371,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6686,9 +6455,6 @@ "359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6", "1325353086" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ], @@ -6771,9 +6537,6 @@ "hash": [ "1620585913" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -6847,9 +6610,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -6936,10 +6696,6 @@ "hash": [ "3090255842" ], - "hosts": [ - "67.43.156.13", - "67.43.156.14" - ], "ip": [ "67.43.156.13", "67.43.156.14" 
@@ -7056,9 +6812,6 @@ "de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa", "4288861242" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -7157,9 +6910,6 @@ "6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0", "1789338890" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -7298,9 +7048,6 @@ "faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f", "3343111420" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -7396,9 +7143,6 @@ "3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3", "3344040805" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -7507,9 +7251,6 @@ "7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720", "3765958535" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -7595,9 +7336,6 @@ "hash": [ "2784638081" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -7677,9 +7415,6 @@ "hash": [ "4288861242" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -7790,9 +7525,6 @@ "3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3", "3344040805" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -7891,9 +7623,6 @@ "hash": [ "3899738370" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -7991,11 +7720,6 @@ "hash": [ "1306766522" ], - "hosts": [ - "67.43.156.13", - "0.0.0.0", - "67.43.156.14" - ], "ip": [ "67.43.156.13", "0.0.0.0", @@ -8102,10 +7826,6 @@ "hash": [ "2602391615" ], - "hosts": [ - "67.43.156.13", - "67.43.156.14" - ], "ip": [ "67.43.156.13", "67.43.156.14" @@ -8205,9 +7925,6 @@ "hash": [ "3011122681" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ], 
@@ -8268,7 +7985,7 @@ ] }, "file": { - "device": "PCI\\VEN_1000\u0026DEV_0054\u0026SUBSYS_197615AD\u0026REV_01\\4\u00261f16fef7\u00260\u002600A8", + "device": "PCI\\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\\4&1f16fef7&0&00A8", "directory": "\\Device\\HarddiskVolume2\\Users\\user10\\AppData\\Local\\Temp", "extension": "dll", "hash": { @@ -8317,9 +8034,6 @@ "d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182", "3011122681" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -8400,7 +8114,6 @@ "3950066843" ], "hosts": [ - "67.43.156.13", "srv2" ], "ip": [ @@ -8506,9 +8219,6 @@ "hash": [ "537307300" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -8597,11 +8307,6 @@ "hash": [ "3765958535" ], - "hosts": [ - "67.43.156.14", - "127.0.0.1", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "127.0.0.1", @@ -8706,8 +8411,6 @@ "3011122681" ], "hosts": [ - "67.43.156.13", - "67.43.156.14", "com1" ], "ip": [ @@ -8803,9 +8506,6 @@ "hash": [ "3343111420" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -8898,9 +8598,6 @@ "295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a", "230795414" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -8977,9 +8674,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -9053,9 +8747,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -9158,9 +8849,6 @@ "hash": [ "1763245019" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -9252,9 +8940,6 @@ "hash": [ "402097454" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -9346,9 +9031,6 @@ "hash": [ "3343111420" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ], @@ -9440,11 +9122,6 @@ "hash": [ "203564169" ], - "hosts": [ - "67.43.156.14", - "0:0:0:0:0:0:0:0", - "0:0:0:0:0:0:0:1" - ], "ip": [ "67.43.156.14", "0:0:0:0:0:0:0:0", 
@@ -9540,7 +9217,6 @@ "3338885535" ], "hosts": [ - "67.43.156.13", "srv1" ], "ip": [ @@ -9675,9 +9351,6 @@ "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6", "4193986770" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -9773,9 +9446,6 @@ "hash": [ "1763245019" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -9913,9 +9583,6 @@ "87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f", "2030177841" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -10011,9 +9678,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -10102,11 +9766,6 @@ "hash": [ "3765958535" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "0:0:0:0:0:0:0:0" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", @@ -10208,9 +9867,6 @@ "e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d", "1457965279" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -10285,9 +9941,6 @@ "hash": [ "3011122681" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ], @@ -10391,10 +10044,6 @@ "hash": [ "1858880895" ], - "hosts": [ - "67.43.156.14", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], "ip": [ "67.43.156.14", "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" @@ -10495,9 +10144,6 @@ "fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583", "1789338890" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -10582,10 +10228,6 @@ "hash": [ "203564169" ], - "hosts": [ - "67.43.156.14", - "0:0:0:0:0:0:0:0" - ], "ip": [ "67.43.156.14", "0:0:0:0:0:0:0:0" @@ -10669,9 +10311,6 @@ "hash": [ "3765958535" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -10721,7 +10360,7 @@ ] }, "file": { - "device": "PCI\\VEN_8086\u0026DEV_31E3\u0026SUBSYS_080C1028\u0026REV_03\\3\u002611583659\u00260\u002690" + "device": "PCI\\VEN_8086&DEV_31E3&SUBSYS_080C1028&REV_03\\3&11583659&0&90" }, "host": { "os": { 
@@ -10756,9 +10395,6 @@ } }, "related": { - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -10843,11 +10479,6 @@ "hash": [ "1789338890" ], - "hosts": [ - "67.43.156.14", - "127.0.0.1", - "0.0.0.0" - ], "ip": [ "67.43.156.14", "127.0.0.1", @@ -10937,9 +10568,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ], @@ -11018,9 +10646,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.13" - ], "ip": [ "67.43.156.13" ] @@ -11069,7 +10694,7 @@ ] }, "file": { - "device": "PCI\\VEN_1179\u0026DEV_0113\u0026SUBSYS_00011179\u0026REV_01\\4\u00263ad42678\u00260\u002600E0", + "device": "PCI\\VEN_1179&DEV_0113&SUBSYS_00011179&REV_01\\4&3ad42678&0&00E0", "directory": "\\Device\\HarddiskVolume3\\Users\\user12\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads", "extension": "partial", "inode": "f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100", @@ -11114,9 +10739,6 @@ "hash": [ "3338885535" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -11225,9 +10847,6 @@ "b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37", "3998263252" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] @@ -11303,9 +10922,6 @@ "hash": [ "1457965279" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ], @@ -11388,9 +11004,6 @@ "hash": [ "1874387338" ], - "hosts": [ - "67.43.156.14" - ], "ip": [ "67.43.156.14" ] 
@@ -11431,7 +11044,7 @@
 "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}"
 },
 "file": {
- "device": "USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255",
+ "device": "USB\\VID_1058&PID_2621\\57583431453939315A4C5255",
 "directory": "\\Device\\HarddiskVolume5",
 "extension": "tmp$$",
 "inode": "262fbc677256cf4c8d6c6a227285a072c06830873b000000",
@@ -11476,9 +11089,6 @@
 "hash": [
 "2642284486"
 ],
- "hosts": [
- "67.43.156.13"
- ],
 "ip": [
 "67.43.156.13"
 ],
@@ -11559,9 +11169,6 @@
 "hash": [
 "666346415"
 ],
- "hosts": [
- "67.43.156.13"
- ],
 "ip": [
 "67.43.156.13"
 ]
@@ -11632,9 +11239,6 @@
 "hash": [
 "3429017943"
 ],
- "hosts": [
- "67.43.156.14"
- ],
 "ip": [
 "67.43.156.14"
 ]
@@ -11709,7 +11313,6 @@
 },
 "related": {
 "hosts": [
- "67.43.156.14",
 "mac1"
 ],
 "ip": [
@@ -11792,7 +11395,6 @@
 "3950066843"
 ],
 "hosts": [
- "67.43.156.13",
 "srv2"
 ],
 "ip": [
@@ -11920,9 +11522,6 @@
 "f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2",
 "518095218"
 ],
- "hosts": [
- "89.160.20.120"
- ],
 "ip": [
 "89.160.20.120"
 ]
@@ -12002,9 +11601,6 @@
 "hash": [
 "666346415"
 ],
- "hosts": [
- "67.43.156.13"
- ],
 "ip": [
 "67.43.156.13"
 ]
@@ -12072,9 +11668,6 @@
 },
 "related": {
 "hosts": [
- "67.43.156.13",
- "67.43.156.14",
- "81.2.69.192",
 "HQ-sadhkbasHS"
 ],
 "ip": [
@@ -12172,9 +11765,6 @@
 "hash": [
 "666346415"
 ],
- "hosts": [
- "67.43.156.13"
- ],
 "ip": [
 "67.43.156.13"
 ]
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdrv2-notmanaged.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdrv2-notmanaged.log-expected.json
index cb435996033..298b74290bb 100644
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdrv2-notmanaged.log-expected.json
+++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdrv2-notmanaged.log-expected.json
@@ -46,11 +46,7 @@
 },
 "related": {
 "hosts": [
- "192.168.255.7",
- "192.168.240.243",
- "xxxxxxxxxxxxxxxx",
- "192.168.1.129",
- "192.168.1.35"
+ "xxxxxxxxxxxxxxxx"
 ],
 "ip": [
 "192.168.255.7",
diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
index 5c4d861f2c7..6e2f0792e69 100644
--- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml
@@ -1480,7 +1480,7 @@ processors:
 field: observer.ip
 processor:
 append:
- field: related.hosts
+ field: related.ip
 value: '{{{_ingest._value}}}'
 allow_duplicates: false
@@ -2018,7 +2018,7 @@ processors:
 field: crowdstrike.LocalAddressIP4
 processor:
 append:
- field: related.hosts
+ field: related.ip
 value: '{{{_ingest._value}}}'
 allow_duplicates: false
 - foreach:
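Review bot: The appends redirected to `related.ip` here (the `observer.ip` loop at 1480, the `crowdstrike.LocalAddressIP4` loop at 2018, and the `LocalAddressIP6` loop in the next hunk) carry no null/empty guard, unlike the `source.ip` and `destination.ip` appends in that next hunk. `related.hosts` is a keyword field and tolerated any string, but `related.ip` is an `ip`-typed ECS field, so an empty or non-IP element in these arrays — whether the source data can contain one is not visible here — would now reject the whole document at index time instead of landing as a harmless keyword. Consider mirroring the existing condition on the inner append, e.g. `if: ctx._ingest._value != null && ctx._ingest._value != ""`, or validating the elements before the loop. The `foreach` processors that own these appends begin outside the hunks.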
@@ -2026,16 +2026,16 @@ processors:
 field: crowdstrike.LocalAddressIP6
 processor:
 append:
- field: related.hosts
+ field: related.ip
 value: '{{{_ingest._value}}}'
 allow_duplicates: false
 - append:
- field: related.hosts
+ field: related.ip
 value: '{{{source.ip}}}'
 allow_duplicates: false
 if: ctx.source?.ip != null && ctx.source.ip != ""
 - append:
- field: related.hosts
+ field: related.ip
 value: "{{{destination.ip}}}"
 allow_duplicates: false
 if: ctx.destination?.ip != null && ctx.destination.ip != ""
diff --git a/packages/crowdstrike/data_stream/fdr/sample_event.json b/packages/crowdstrike/data_stream/fdr/sample_event.json
index b92d024d1ba..8abd5243f50 100644
--- a/packages/crowdstrike/data_stream/fdr/sample_event.json
+++ b/packages/crowdstrike/data_stream/fdr/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2020-11-08T09:58:32.519Z",
 "agent": {
- "ephemeral_id": "880f9fe6-5a16-493d-acd6-5315c9ad19d0",
- "id": "e249dc3d-a28d-40a5-b6e9-de9d81952432",
+ "ephemeral_id": "1d4acd01-8377-46d2-861f-b4a12ad9ff96",
+ "id": "7792163c-69c6-4be5-98c2-8956ea4ad25e",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.11.0"
+ "version": "8.11.1"
 },
 "crowdstrike": {
 "ConfigStateHash": "1763245019",
@@ -67,9 +67,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e249dc3d-a28d-40a5-b6e9-de9d81952432",
+ "id": "7792163c-69c6-4be5-98c2-8956ea4ad25e",
 "snapshot": false,
- "version": "8.11.0"
+ "version": "8.11.1"
 },
 "event": {
 "action": "RansomwareOpenFile",
@@ -80,7 +80,7 @@
 "created": "2020-11-08T17:07:22.091Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2023-11-28T03:18:09Z",
+ "ingested": "2023-12-10T23:07:10Z",
 "kind": "alert",
 "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
 "outcome": "success",
@@ -107,7 +107,7 @@
 },
 "log": {
 "file": {
- "path": "https://elastic-package-crowdstrike-fdr-62458.s3.us-east-1.amazonaws.com/data"
+ "path": "https://elastic-package-crowdstrike-fdr-86289.s3.us-east-1.amazonaws.com/data"
 },
 "offset": 95203
 },
@@ -142,9 +142,6 @@
 "hash": [
 "1763245019"
 ],
- "hosts": [
- "67.43.156.14"
- ],
 "ip": [
 "67.43.156.14"
 ]
diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md
index 196817b64ff..41d86e163e7 100644
--- a/packages/crowdstrike/docs/README.md
+++ b/packages/crowdstrike/docs/README.md
@@ -1108,11 +1108,11 @@ An example event for `fdr` looks as following:
 {
 "@timestamp": "2020-11-08T09:58:32.519Z",
 "agent": {
- "ephemeral_id": "880f9fe6-5a16-493d-acd6-5315c9ad19d0",
- "id": "e249dc3d-a28d-40a5-b6e9-de9d81952432",
+ "ephemeral_id": "1d4acd01-8377-46d2-861f-b4a12ad9ff96",
+ "id": "7792163c-69c6-4be5-98c2-8956ea4ad25e",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.11.0"
+ "version": "8.11.1"
 },
 "crowdstrike": {
 "ConfigStateHash": "1763245019",
@@ -1174,9 +1174,9 @@ An example event for `fdr` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e249dc3d-a28d-40a5-b6e9-de9d81952432",
+ "id": "7792163c-69c6-4be5-98c2-8956ea4ad25e",
 "snapshot": false,
- "version": "8.11.0"
+ "version": "8.11.1"
 },
 "event": {
 "action": "RansomwareOpenFile",
@@ -1187,7 +1187,7 @@ An example event for `fdr` looks as following:
 "created": "2020-11-08T17:07:22.091Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-9756-06fe7f8f682f",
- "ingested": "2023-11-28T03:18:09Z",
+ "ingested": "2023-12-10T23:07:10Z",
 "kind": "alert",
 "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}",
 "outcome": "success",
@@ -1214,7 +1214,7 @@ An example event for `fdr` looks as following:
 },
 "log": {
 "file": {
- "path": "https://elastic-package-crowdstrike-fdr-62458.s3.us-east-1.amazonaws.com/data"
+ "path": "https://elastic-package-crowdstrike-fdr-86289.s3.us-east-1.amazonaws.com/data"
 },
 "offset": 95203
 },
@@ -1249,9 +1249,6 @@ An example event for `fdr` looks as following:
 "hash": [
 "1763245019"
 ],
- "hosts": [
- "67.43.156.14"
- ],
 "ip": [
 "67.43.156.14"
 ]
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index bec42b41624..700d9484215 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike
-version: "1.26.1"
+version: "1.26.2"
 description: Collect logs from Crowdstrike with Elastic Agent.
 type: integration
 format_version: "3.0.0"