From 87b46503f68a575197d5242d7cb6a073ab84d871 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Mon, 11 Nov 2024 14:29:06 +0200
Subject: [PATCH 1/4] Parse new coordinates fields
---
 OCSF/ocsf/ingest/parser.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 765a6a76d..67859cf11 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -454,8 +454,8 @@ stages:
 host.geo.city_name: "{{ parse_event.message.device.location.city }}"
 host.geo.continent_name: "{{ parse_event.message.device.location.continent }}"
 host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}"
- host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}"
- host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}"
+ host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] or parse_event.message.device.location.long }}"
+ host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] or parse_event.message.device.location.lat }}"
 host.geo.name: "{{ parse_event.message.device.location.desc }}"
 host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}"
 host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}"
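Review bot: The `or` fallback on the two added host.geo.location lines discards a coordinate whose value is 0: Jinja's `or` tests truthiness, so `coordinates[0] or ...long` replaces a longitude of 0 (Greenwich) or a latitude of 0 (equator) with the scalar `long`/`lat` field, which may itself be absent, and a valid position is lost. Select on presence of the list rather than on the element's value, e.g. `host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] if parse_event.message.device.location.get('coordinates') else parse_event.message.device.location.long }}"` and the mirror for lat (the file already uses `.get()` in its filters). The same pattern is on the source.geo.location and destination.geo.location lines of the hunks at -534 and -557. Whether an absent `coordinates` key is tolerated at all depends on the engine's undefined handling, which the pre-existing `coordinates[0]` indexing already relies on; the enclosing set stage starts above the hunk.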
@@ -534,7 +534,8 @@ stages:
 - set:
 source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}"
 source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}"
- source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}"
+ source.geo.location.lon: "{{ parse_event.message.src_endpoint.location.coordinates[0] or parse_event.message.src_endpoint.location.long }}"
+ source.geo.location.lat: "{{ parse_event.message.src_endpoint.location.coordinates[1] or parse_event.message.src_endpoint.location.lat }}"
 source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}"
 source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}"
 source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}"
@@ -557,8 +558,8 @@ stages:
 - set:
 destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}"
 destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}"
- destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}"
- destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}"
+ destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] or parse_event.message.dst_endpoint.location.long }}"
+ destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] or parse_event.message.dst_endpoint.location.lat }}"
 destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}"
 destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}"
 destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}"
From ee80c51721c0d1599f979a7939ad9f931d31934a Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Mon, 11 Nov 2024 15:25:34 +0200
Subject: [PATCH 2/4] Support new event types
---
 OCSF/ocsf/ingest/parser.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 67859cf11..b76dd0a34 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -79,16 +79,16 @@ pipeline:
 - name: set_common_fields
 - name: pipeline_object_actor
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
 - name: pipeline_object_attack
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
 - name: pipeline_object_network_connection_info
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,7004,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
 - name: pipeline_object_device
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6004,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
 - name: pipeline_object_http_request
 filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}"
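Review bot: The pipeline_object_attack filter's new list silently drops class_uid 1008 (the removed line reads `1007,1008,1009`, the added one `1007,1009`), a removal that the commit subject "Support new event types" does not announce, while every other edit in this hunk only appends ids. If 1008 events indeed never carry `attacks`, state that in the commit message or a comment above the filter; otherwise restore the id. The `pipeline:` sequence these entries belong to continues on both sides of the hunk.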
@@ -100,7 +100,7 @@ pipeline:
 filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}"
 - name: pipeline_object_process
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,7003,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
 - name: pipeline_object_proxy
 filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}"
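Review bot: The filter on the hunk's first context line mixes `and` and `or` without parentheses: `... and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None` binds as `(... and dst_endpoint) or src_endpoint`, so any event carrying a `src_endpoint` enters that pipeline whatever its class_uid, unlike every other filter here including the pipeline_object_process one this commit edits. The defect predates the commit but sits beside the edited line; `and (parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None)` restores the intended whitelist. That entry's `- name:` line is above the hunk.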
@@ -115,7 +115,7 @@ pipeline:
 filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}"
 - name: pipeline_object_file
- filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
+ filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,7002,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
 - name: pipeline_object_system_activity_helper
 filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}"
From 8bea0aff54a582569ef9a0031f3332f82b71ece9 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 12 Nov 2024 10:22:34 +0200
Subject: [PATCH 3/4] Tests and smart descriptions
---
 OCSF/ocsf/_meta/smart-descriptions.json | 44 +++++++++
 ...generated_file_remediation_activity_1.json | 39 ++++++++
 ...generated_file_remediation_activity_2.json | 39 ++++++++
 ...generated_file_remediation_activity_3.json | 43 ++++++++
 ...erated_network_remediation_activity_1.json | 29 ++++++
 ...erated_network_remediation_activity_2.json | 30 ++++++
 ...erated_process_remediation_activity_1.json | 78 +++++++++++++++
 ...erated_process_remediation_activity_2.json | 69 +++++++++++++
 .../tests/generated_windows_service_1.json | 97 +++++++++++++++++++
 9 files changed, 468 insertions(+)
 create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_1.json
 create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_2.json
 create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_3.json
 create mode 100644 OCSF/ocsf/tests/generated_network_remediation_activity_1.json
 create mode 100644 OCSF/ocsf/tests/generated_network_remediation_activity_2.json
 create mode 100644 OCSF/ocsf/tests/generated_process_remediation_activity_1.json
 create mode 100644 OCSF/ocsf/tests/generated_process_remediation_activity_2.json
 create mode 100644 OCSF/ocsf/tests/generated_windows_service_1.json
diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json
index d03bc41fb..6947b5762 100644
--- a/OCSF/ocsf/_meta/smart-descriptions.json
+++ b/OCSF/ocsf/_meta/smart-descriptions.json
@@ -928,5 +928,49 @@
 "field": "ocsf.activity_name"
 }
 ]
+ },
+ {
+ "value": "File Remediation Activity: {ocsf.activity_name} file {file.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7002
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ }
+ ]
+ },
+ {
+ "value": "Process Remediation Activity: {ocsf.activity_name} file {file.name} by process {process.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7003
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ },
+ {
+ "field": "process.name"
+ }
+ ]
+ },
+ {
+ "value": "{ocsf.class_name}: {ocsf.activity_name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_name"
+ },
+ {
+ "field": "ocsf.activity_name"
+ }
+ ]
 }
 ]
diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_1.json b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json
new file mode 100644
index 000000000..29fe10f1c
--- /dev/null
+++ b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json
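Review bot: The new 7003 entry requires `file.name` in its conditions, so a Process Remediation Activity event for which the parser sets no file.name (the activity targets a process, and a file is not guaranteed to be present) will not match it and will be described only by the generic `{ocsf.class_name}: {ocsf.activity_name}` entry added below, losing the process name. A variant without the file condition, `"value": "Process Remediation Activity: {ocsf.activity_name} process {process.name}"` with conditions on ocsf.class_uid 7003, ocsf.activity_name and process.name, would cover that case. Whether the engine takes the first matching entry or the most specific one is not visible here, so order the two 7003 entries accordingly.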
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": \"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": 
\"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": 
\"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}" + }, + "expected": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": 
\"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": \"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 
1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}", + "event": { + "action": "evict", + "category": [], + "code": "ethnic", + "duration": 559843632000000, + "provider": 
"consolidated month mil", + "severity": 99, + "type": [] + }, + "@timestamp": "2024-11-11T12:36:34.225000Z", + "file": { + "directory": "canyon upgrading wool/marco.fla", + "hash": { + "ssdeep": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + }, + "mime_type": "pr/anything", + "name": "html.pkg", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "type": "Local Socket" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_2.json b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json new file mode 100644 index 000000000..9af77e1ab --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": 
\"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}" + }, + "expected": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}", + "event": { + "action": "harden", + "category": [], + "provider": "suggests assure sacred", + "reason": "oils tissue non", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:01.430000Z", + "file": { + 
"accessed": "2024-11-11T12:37:01.427000Z", + "directory": "sage petite tracy/supplement.deskthemepack", + "inode": "a6338964-a029-11ef-9cb6-0242ac110007", + "name": "panama.jsp", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "type": "Unknown", + "x509": { + "issuer": { + "distinguished_name": "shaw further heaven" + }, + "not_after": "2024-11-11T12:37:01.426000Z", + "serial_number": "museum every fa", + "version_number": "1.3.0" + } + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "File Remediation Activity", + "class_uid": 7002 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_3.json b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json new file mode 100644 index 000000000..35f27d49f --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json 
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": \"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides 
trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": 
\"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}", + "event": { + "action": "evict", + "category": [], + 
"provider": "sections sides trembl",
+ "reason": "baker testimonials approx",
+ "severity": 0,
+ "type": []
+ },
+ "@timestamp": "2024-11-11T12:37:07.583000Z",
+ "file": {
+ "directory": "violin economic czech/regular.accdb",
+ "hash": {
+ "sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574"
+ },
+ "mime_type": "agree/diego",
+ "name": "brazilian.tar.gz",
+ "owner": "Enrolled",
+ "path": "violin economic czech/regular.accdb/brazilian.tar.gz",
+ "type": "Regular File",
+ "uid": "a9de1552-a029-11ef-9be5-0242ac110007"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Evict",
+ "class_name": "File Remediation Activity",
+ "class_uid": 7002
+ },
+ "related": {
+ "hash": [
+ "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574"
+ ],
+ "user": [
+ "Enrolled"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_1.json b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json
new file mode 100644
index 000000000..4209eb1be
--- /dev/null
+++ b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json
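Review bot: The expected `file.hash.sha1` value in this fixture is 80 hex characters — the two SHA-1 entries of the input `hashes` array (`23BF…BB2D` and `4F80…6574`) run together — and `related.hash` carries the same joined string, so the test pins an output that is not a valid SHA-1 digest and will never match an indicator or correlate with another event on that field. Presumably the parser concatenates every hash of the same algorithm into one value (parser.yml is outside this diff; verify there). The expected output should hold one 40-character digest in `file.hash.sha1`, e.g. `"sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D"`, and one element per digest in `related.hash`, e.g. `"hash": ["23BF00BD8ADB4469651EB5D5C47027D49C53BB2D", "4F80D2DFFF57658A1076FF2F74282A97BB0B6574"]`, with the parser corrected rather than the fixture locking in the join.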
@@ -0,0 +1,29 @@ +{ + "input": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": 
\"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}",
+ "event": {
+ "action": "restore",
+ "category": [],
+ "provider": "expertise browse courier",
+ "reason": "kills routine cookie",
+ "severity": 4,
+ "type": []
+ },
+ "@timestamp": "2024-11-11T13:19:44.401000Z",
+ "network": {
+ "direction": [
+ "unknown"
+ ],
+ "iana_number": "62"
+ },
+ "ocsf": {
+ "activity_id": 3,
+ "activity_name": "Restore",
+ "class_name": "Network Remediation Activity",
+ "class_uid": 7004
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_2.json b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json
new file mode 100644
index 000000000..afc4afcbe
--- /dev/null
+++ b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json
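Review bot: The expected `network.direction` here is `["unknown"]` although the input `connection_info` carries `direction: "Outbound"` with `direction_id: 2`, while the sibling fixture generated_network_remediation_activity_2.json (next hunk) maps `Inbound`/`direction_id: 1` to `inbound`; this fixture therefore pins a lost direction rather than a correct translation. Presumably the parser's direction lookup has no outbound case (parser.yml is outside this diff; verify there). Once the mapping is extended the expected value should read `"direction": [ "outbound" ]`; a fixture that expects `unknown` for a known direction hides the gap from the test suite and from anyone filtering egress events on that field.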
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": \"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": 
\"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical 
successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}",
+ "event": {
+ "action": "restore",
+ "category": [],
+ "outcome": "unknown",
+ "provider": "defence ignore carroll",
+ "reason": "virtue carb keeps",
+ "severity": 3,
+ "type": []
+ },
+ "@timestamp": "2024-11-11T13:19:54.181000Z",
+ "network": {
+ "direction": [
+ "inbound"
+ ],
+ "iana_number": "88"
+ },
+ "ocsf": {
+ "activity_id": 3,
+ "activity_name": "Restore",
+ "class_name": "Network Remediation Activity",
+ "class_uid": 7004
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_1.json b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json
new file mode 100644
index 000000000..ac2f48c8a
--- /dev/null
+++ b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": 
\"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": \"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, 
\"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": 
\"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": \"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic 
of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", \"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", 
\"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", 
\"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly 
Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia 
wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": \"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": 
\"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers 
stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": 
\"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", 
\"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", \"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": 
\"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": 
[{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}", + "event": { + "action": "harden", + "category": [], + "outcome": "unknown", + "provider": "seller deserve sharing", + "reason": "heaven country sugar", + "sequence": 26, + "severity": 5, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:16.994000Z", + "file": { + "directory": "guilty different comply/expects.accdb", + "hash": { + "sha256": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "tlsh": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0" + }, + "name": "earliest.pdb", + "owner": "Tee", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "type": "Regular File", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "Process Remediation Activity", + "class_uid": 7003, + "process": { + "parent": { + "user": { + "email": "Li@scientific.travel", + "full_name": "Anita Rosanna" + } + } + } + }, + "process": { + "command_line": 
"guided stretch phrases", + "name": "Success", + "parent": { + "command_line": "suits chris sega", + "entity_id": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "name": "Em", + "pid": 60, + "start": "2024-11-11T13:16:16.999000Z", + "user": { + "id": [ + "223b30c0-a02f-11ef-87cb-0242ac110007" + ], + "name": "Membership" + } + }, + "pid": 94, + "start": "2024-11-11T13:16:16.996000Z", + "user": { + "id": [ + "223aed7c-a02f-11ef-943c-0242ac110007" + ], + "name": "Livestock" + } + }, + "related": { + "hash": [ + "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698" + ], + "user": [ + "Tee" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_2.json b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json new file mode 100644 index 000000000..899ec4fb5 --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, 
\"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": \"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": 
{\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", 
\"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, \"status_detail\": \"bow euros scsi\"}" + }, + "expected": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, \"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": 
\"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": {\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 
1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", \"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, 
\"status_detail\": \"bow euros scsi\"}", + "event": { + "action": "unknown", + "category": [], + "code": "digit", + "provider": "arg handed dock", + "reason": "sellers besides hl", + "severity": 1, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:28.061000Z", + "file": { + "hash": { + "md5": "89759E1284E2479B991D2669DE104942", + "ssdeep": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + }, + "inode": "28d43742-a02f-11ef-9ec1-0242ac110007", + "name": "propose.pptx", + "type": "Folder" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Process Remediation Activity", + "class_uid": 7003 + }, + "process": { + "command_line": "characters vocal tracy", + "entity_id": "28d4de90-a02f-11ef-98b9-0242ac110007", + "name": "Prince", + "parent": { + "command_line": "commission relying steady", + "entity_id": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "pid": 40, + "start": "2024-11-11T13:16:28.074000Z", + "thread": { + "id": 51 + }, + "user": { + "id": [ + "28d53156-a02f-11ef-aa73-0242ac110007" + ] + } + }, + "pid": 7, + "start": "2024-11-11T13:16:28.072000Z", + "thread": { + "id": 47 + }, + "user": { + "id": [ + "28d4888c-a02f-11ef-82fc-0242ac110007" + ], + "name": "Pork" + } + }, + "related": { + "hash": [ + "89759E1284E2479B991D2669DE104942", + "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_windows_service_1.json b/OCSF/ocsf/tests/generated_windows_service_1.json new file mode 100644 index 000000000..c474de045 --- /dev/null +++ b/OCSF/ocsf/tests/generated_windows_service_1.json 
@@ -0,0 +1,97 @@
+{
+ "input": {
+ "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, {\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 
201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": \"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": 
\"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": \"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", 
\"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": \"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": 
{\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": 
\"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", 
\"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 
1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": \"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 
1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, 
\"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": 
\"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": \"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": 
\"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, \"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": 
\"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", \"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner 
working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": \"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers 
families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations 
cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}"
+ },
+ "expected": {
+ "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, 
{\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": 
\"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": \"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": 
\"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": 
\"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": {\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": 
\"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": \"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": 
\"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", \"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": 
\"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": 
\"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": 
\"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds 
match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": \"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": 
\"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, 
\"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": \"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", 
\"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": 
\"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, 
\"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}",
+ "event": {
+ "action": "stop",
+ "category": [],
+ "outcome": "failure",
+ "provider": "foo canada biodiversity",
+ "reason": "gear technologies garlic",
+ "severity": 3,
+ "start": "2024-11-12T08:21:47.936000Z",
+ "type": []
+ },
+ "@timestamp": "2024-11-12T08:21:47.936000Z",
+ "file": {
+ "directory": "vg tunisia river/favorite.wsf",
+ "hash": {
+ "sha1": "9280AE13A255F18D841739D0D18222BB950C8FC7"
+ },
+ "name": "developmental.otf",
+ "path": "vg tunisia river/favorite.wsf/developmental.otf",
+ "type": "Regular File"
+ },
+ "host": {
+ "id": "29092d44-a0cf-11ef-8baa-0242ac110007",
+ "risk": {
+ "static_level": "Critical"
+ },
+ "type": "IDS"
+ },
+ "ocsf": {
+ "activity_id": 4,
+ "activity_name": "Stop",
+ "class_name": "Windows Service Activity",
+ "class_uid": 201004,
+ "process": {
+ "parent": {
+ "user": {
+ "full_name": "Roland Nichol"
+ }
+ },
+ "user": {
+ "domain": "tuition gst cheese",
+ "full_name": "Lynsey Sherise",
+ "groups": [
+ {
+ "name": "overview friendly ul"
+ }
+ ]
+ }
+ }
+ },
+ "process": {
+ "command_line": "hdtv il murder",
+ "entity_id": "2909c8d0-a0cf-11ef-82af-0242ac110007",
+ "name": "Don",
+ "parent": {
+ "command_line": "bull retailers sensitivity",
+ "end": "2024-11-12T08:21:47.935000Z",
+ "entity_id": "290a756e-a0cf-11ef-86a9-0242ac110007",
+ "name": "Indoor",
+ "pid": 29,
+ "start": "2024-11-12T08:21:47.900000Z",
+ "user": {
+ "id": [
+ "290a520a-a0cf-11ef-a44f-0242ac110007"
+ ],
+ "name": "Asian"
+ }
+ },
+ "pid": 38,
+ "start": "2024-11-12T08:21:47.895000Z",
+ "user": {
+ "id": [
+ "2909b99e-a0cf-11ef-946c-0242ac110007"
+ ],
+ "name": "Journal"
+ }
+ },
+ "related": {
+ "hash": [
+ "9280AE13A255F18D841739D0D18222BB950C8FC7"
+ ],
+ "user": [
+ "Hearing"
+ ]
+ },
+ "user": {
+ "domain": "thinking answered refurbished",
+ "id": "290fefee-a0cf-11ef-ba87-0242ac110007",
+ "name": "Hearing"
+ }
+ }
+}
\ No newline at end of file
From 43aec5548cbf98b36997762a457d179b9c421406 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 13 Dec 2024 16:37:19 +0100
Subject: [PATCH 4/4] chore(OCSF): update the supported version of the specification
---
 OCSF/ocsf/_meta/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
index b8f0e2b86..5e5fa828c 100644
--- a/OCSF/ocsf/_meta/manifest.yml
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -7,7 +7,7 @@ slug: ocsf
 description: >-
 The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
- Supported version: **1.1**
+ Supported version: **1.3**
 data_sources:
 File monitoring: OCSF allows collecting system activities