SentinelOne Cloud Funnel 2.0
Overview
SentinelOne Cloud Funnel 2.0 is SentinelOne's current method for streaming Deep Visibility telemetry out of the platform, extending the SentinelOne EDR with full visibility into endpoint activity. Its patented kernel-based monitoring supports near real-time search across endpoints for indicators of compromise (IOC), so security teams can complement real-time threat detection with threat hunting over the raw telemetry.
- Vendor: SentinelOne
- Supported environment: SaaS
- Detection based on: Telemetry
- Supported application or feature: Endpoint detection and response
SentinelOne Deep Visibility logs provide in-depth endpoint telemetry that is useful for both detection and investigation.
Note
No additional installation or configuration on the agents is needed.
Warning
Alert and Event logs from the SentinelOne console are not available through Cloud Funnel. To collect console events (for example, who accessed the console), you must also configure SentinelOne log collection from the API as documented here.
Below is a short list of the activities that SentinelOne Deep Visibility logs expose for security supervision:
- Process Creation
- Command Script
- Duplicate Process Handle
- Duplicate Thread Handle
- Open Remote Process Handle
- Remote Thread Creation
- DNS Resolved
- DNS Unresolved
- File Creation
- File Deletion
- File Scan
- File Modification
- File Rename
- Pre Execution Detection
- Behavioral Indicators
- Login
- Logout
- Module Load
- Driver Load
- IP Connect
- IP Listen
- Registry Key Create
- Registry Key Delete
- Registry Key Export
- Registry Key Import
- Registry Key Security Changed
- Registry Key Rename
- Registry Value Create
- Registry Value Delete
- Registry Value Modified
- Scheduled Task Start
- Scheduled Task Delete
- Scheduled Task Update
- Scheduled Task Register
- Scheduled Task Trigger
- URL
Configure
This setup guide will show you how to pull events produced by SentinelOne Deep Visibility on Sekoia.io.
Create an AWS S3 bucket
The AWS S3 bucket used to store SentinelOne Deep Visibility telemetry can be created in any preferred AWS region. However, it is important to ensure that the chosen bucket name adheres to the AWS naming rules and remains globally unique.
To let SentinelOne's AWS account list and write objects in your bucket, you must grant that account the corresponding permissions, and only those: the account needs no read or delete rights on the objects it produces. The SentinelOne documentation provides the canonical ID of the account, which is required for the authorization.
Once the bucket exists and the grant is in place, it is ready to receive SentinelOne Deep Visibility telemetry.
Setup SentinelOne Cloud Funnel 2.0
Once the AWS S3 bucket is created, you can configure your SentinelOne instance to stream the telemetry to it. This is done in the "Settings > Integrations > Cloud Funnel" page of your SentinelOne instance.
A SentinelOne admin account with an "Account" user scope is required to perform this configuration.
Warning
If you have multiple SentinelOne Management Consoles, you must configure Cloud Funnel 2.0 for each console.
Create a SentinelOne Cloud Funnel 2.0 intake
In the Sekoia.io Operations Center:
- Click on the Intake page
- Search for SentinelOne Cloud Funnel 2.0 by navigating the page or using the search bar
- Click Create on the relevant object
- Specify the Name of your intake that will be displayed and select the Entity needed
Pull events
To start pulling events, follow these steps:
- Go to the playbook page
- Create a new playbook with the AWS Fetch new logs on S3 connector
- Set up the module configuration with the AWS Access Key, the secret key and the region name
- Set up the trigger configuration with the name of the SQS queue and the intake key (from the intake previously created)
- Start the playbook and enjoy your events
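The playbook above does, in substance, three things: receive the S3 "object created" notification from the SQS queue, download the object, and decode the events it contains. The following Python is an added illustration of that loop, not Sekoia.io's connector and not SentinelOne code. It assumes (labelled in the comments) that Cloud Funnel writes newline-delimited JSON objects, optionally gzip-compressed; the bucket name, object key, queue URL and sample events are constructed for the example.

```python
"""Added example: consume S3 ObjectCreated notifications from SQS and decode
Cloud Funnel objects into events. Illustrative code, not Sekoia.io's
connector. Assumption: objects are newline-delimited JSON, possibly gzipped."""
import gzip
import json
from typing import Iterator, List, Tuple
from urllib.parse import unquote_plus


def parse_s3_notification(body: str) -> List[Tuple[str, str]]:
    """Return (bucket, key) for every ObjectCreated record in an SQS message
    carrying an S3 event notification. Object keys in these notifications are
    URL-encoded (a space arrives as '+', '=' as '%3D'), so they are decoded.
    The 's3:TestEvent' message AWS sends when the notification is configured
    has no 'Records' and yields nothing instead of crashing the consumer."""
    msg = json.loads(body)
    refs = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        refs.append((s3["bucket"]["name"], unquote_plus(s3["object"]["key"])))
    return refs


def decode_object(blob: bytes) -> List[dict]:
    """Decode an object body into events. Detects gzip by its magic bytes
    (1f 8b), tolerates blank lines, and raises on malformed JSON so a bad
    object is noticed rather than silently dropped."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    events = []
    for lineno, line in enumerate(blob.decode("utf-8").splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return events


def fetch_new_events(sqs, s3, queue_url: str) -> Iterator[dict]:
    """One polling round with boto3 clients passed in by the caller. The
    message is deleted only after its object was decoded, which gives
    at-least-once delivery: the intake must tolerate duplicate events."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20)
    for m in resp.get("Messages", []):
        for bucket, key in parse_s3_notification(m["Body"]):
            blob = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
            yield from decode_object(blob)
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])


# Constructed sample inputs (not captured from a real tenant).
SAMPLE_NOTIFICATION = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-cloudfunnel-bucket"},
           "object": {"key": "events/type%3Ddns/batch-0001.json.gz",
                      "size": 512}}}]})
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"})
SAMPLE_OBJECT = gzip.compress(b"\n".join([
    json.dumps({"event.type": "Command Script",
                "endpoint.name": "desktop-jdoe"}).encode(),
    b"",
    json.dumps({"event.type": "DNS Resolved",
                "event.dns.request": "arc.msn.com"}).encode(),
]))

if __name__ == "__main__":
    print(parse_s3_notification(SAMPLE_NOTIFICATION))
    print(decode_object(SAMPLE_OBJECT))
```

The AWS access key configured in the module only needs `sqs:ReceiveMessage` and `sqs:DeleteMessage` on the queue and `s3:GetObject` on the bucket, which is exactly the set of calls the loop makes; a key with broader rights on the bucket would also let a compromised collector delete or alter the telemetry.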
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
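As an added illustration of the parsing stage the paragraph above refers to (this is example code, not Sekoia.io's parser), the Python below normalizes the raw Deep Visibility events shown on this page and runs two simple rules over them. The normalized field names, the function names and the rule names are this example's own; the sample events are trimmed copies of the page's own samples. One caveat it handles: `tgt.file.creationTime` and `tgt.file.modificationTime` equal to -11644473600000 are not real timestamps but the Windows FILETIME epoch (1601-01-01T00:00:00Z) expressed in Unix milliseconds, i.e. an unset value, and must not be converted to a date.

```python
"""Added example: normalize raw Deep Visibility events and run simple
detections. Illustrative only; not Sekoia.io's parser or SentinelOne code."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Windows FILETIME zero (1601-01-01T00:00:00Z) in Unix epoch milliseconds;
# the agent emits it when a file timestamp is unset, so it means "unknown".
FILETIME_EPOCH_MS = -11644473600000
DNS_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}
# Matches -ExecutionPolicy Bypass and its accepted abbreviations (-ex, -ep).
BYPASS_RE = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.IGNORECASE)


def to_datetime(ms) -> Optional[datetime]:
    """Epoch milliseconds -> aware datetime; None for missing/unset values."""
    if ms is None or ms == FILETIME_EPOCH_MS:
        return None
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def parse_dns_answer(text: str) -> List[Tuple[str, str]]:
    """Split the ';'-separated DNS string into (rrtype, value) pairs.
    Entries look like 'type: 5 name' (CNAME), a bare IP, or a bare name."""
    records = []
    for part in (p.strip() for p in text.split(";")):
        if not part:
            continue
        m = re.match(r"type:\s*(\d+)\s+(\S+)$", part)
        if m:
            records.append((DNS_TYPES.get(int(m.group(1)), "TYPE" + m.group(1)), m.group(2)))
            continue
        try:
            ipaddress.ip_address(part)
            records.append(("ADDR", part))
        except ValueError:
            records.append(("NAME", part))
    return records


def normalize(ev: dict) -> dict:
    """Flatten the fields an analyst reaches for first (names are this
    example's own); category-specific fields are added per event.category."""
    n = {"ts": ev.get("timestamp"), "type": ev.get("event.type"),
         "category": ev.get("event.category"), "host": ev.get("endpoint.name"),
         "os": ev.get("endpoint.os"), "user": ev.get("src.process.user"),
         "process": ev.get("src.process.image.path"), "cmdline": ev.get("src.process.cmdline"),
         "parent": ev.get("src.process.parent.image.path"),
         "storyline": ev.get("src.process.storyline.id"),
         "integrity": ev.get("src.process.integrityLevel")}
    if n["category"] == "command_script":
        n["script_path"] = ev.get("tgt.file.path")
        n["script_sha256"] = ev.get("cmdScript.sha256")
        n["script_signed"] = ev.get("src.process.activeContent.signedStatus")
        n["file_created"] = to_datetime(ev.get("tgt.file.creationTime"))
    elif n["category"] == "dns":
        n["query"] = parse_dns_answer(ev.get("event.dns.request", ""))
        n["answer"] = parse_dns_answer(ev.get("event.dns.response", ""))
    elif n["category"] == "driver":
        n["driver_path"] = ev.get("tgt.file.path")
        n["driver_verdict"] = ev.get("driver.loadVerdict")
        n["loaded_before_monitor"] = ev.get("driver.isLoadedBeforeMonitor")
    return n


def detect(n: dict) -> List[str]:
    """Two illustrative rules; names are this example's own."""
    hits = []
    if n["category"] == "command_script":
        if n["cmdline"] and BYPASS_RE.search(n["cmdline"]):
            hits.append("powershell_execution_policy_bypass")
        if n.get("script_signed") == "unsigned" and n["integrity"] == "SYSTEM":
            hits.append("unsigned_script_as_system")
    elif n["category"] == "driver":
        # A driver the agent did not rate benign, or one that (as the field
        # name suggests) loaded before the agent could observe it.
        if n.get("driver_verdict") != "BENIGN" or n.get("loaded_before_monitor"):
            hits.append("suspicious_driver_load")
    return hits


# Trimmed copies of the samples on this page (constructed for the example).
SAMPLES = [
    {"timestamp": "2024-08-02T08:43:41.803Z", "event.type": "Command Script",
     "event.category": "command_script", "endpoint.name": "ntrsql15", "endpoint.os": "windows",
     "src.process.user": "AUTORITE NT\\Syst\u00e8me", "src.process.integrityLevel": "SYSTEM",
     "src.process.image.path": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.EXE",
     "src.process.cmdline": "powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ",
     "src.process.parent.image.path": "C:\\Windows\\System32\\cmd.exe",
     "src.process.storyline.id": "7FABCCD60C10799B",
     "src.process.activeContent.signedStatus": "unsigned",
     "tgt.file.path": "C:\\zabbix\\scripts\\sb.mssql.ps1", "tgt.file.creationTime": -11644473600000,
     "cmdScript.sha256": "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775"},
    {"timestamp": "2023-03-21T12:38:58.819Z", "event.type": "DNS Resolved", "event.category": "dns",
     "endpoint.name": "desktop-jdoe", "endpoint.os": "windows", "src.process.user": "desktop-jdoe\\john.doe",
     "src.process.image.path": "C:\\Windows\\System32\\backgroundTaskHost.exe",
     "src.process.integrityLevel": "LOW", "event.dns.request": "arc.msn.com",
     "event.dns.response": "type: 5 arc.trafficmanager.net;type: 5 iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com;20.82.209.183;"},
    {"timestamp": "2023-04-04T10:26:37.497Z", "event.type": "Driver Load", "event.category": "driver",
     "endpoint.name": "desktop-jdoe", "endpoint.os": "windows", "src.process.user": "SYSTEM",
     "src.process.image.path": "C:\\Windows\\System32\\ntoskrnl.exe", "src.process.integrityLevel": "SYSTEM",
     "tgt.file.path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
     "driver.loadVerdict": "BENIGN", "driver.isLoadedBeforeMonitor": False},
]


def run(events=SAMPLES) -> List[dict]:
    """Normalize each event and attach the rules that fired."""
    results = []
    for ev in events:
        n = normalize(ev)
        n["hits"] = detect(n)
        results.append(n)
    return results


if __name__ == "__main__":
    for r in run():
        print(r["ts"], r["host"], r["type"], r["hits"])
```

Note that `src.process.storyline.id` is shared by every event of one process tree (the second sample's parent and child carry the same value), so it is the natural key for pivoting from a hit to the surrounding activity; `src.process.uid` and `process.unique.key` identify the individual process.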
{
"src.process.parent.isStorylineRoot": true,
"event.category": "command_script",
"tgt.file.modificationTime": -11644473600000,
"osSrc.process.parent.sessionId": 0,
"src.process.parent.image.sha1": "9b77e09375790ea1ea0a9ca9fc1d69e8e32fe597",
"site.id": "1640744535583677559",
"tgt.file.location": "Local",
"src.process.parent.displayName": "Host Process for Windows Tasks",
"src.process.image.binaryIsExecutable": true,
"osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"osSrc.process.parent.name": "svchost.exe",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"osSrc.process.parent.startTime": 1680169387386,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 272,
"src.process.parent.name": "taskhostw.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1680184001306,
"src.process.image.md5": "e610d62f73d68a280d364d1ccd6fea30",
"src.process.indicatorReconnaissanceCount": 5,
"src.process.storyline.id": "3ED9E6E7AB538ED5",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"cmdScript.isComplete": true,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "SCRIPTS",
"src.process.parent.integrityLevel": "HIGH",
"osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
"osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "3ED9E6E7AB538ED5",
"tgt.file.creationTime": -11644473600000,
"src.process.integrityLevel": "HIGH",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680183967040,
"osSrc.process.parent.isStorylineRoot": true,
"timestamp": "2023-03-30T13:46:07.040Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 2593,
"src.process.image.sha1": "9b1d2f446cdb7d412775dffe05ebf35db5f12ccd",
"src.process.isStorylineRoot": false,
"cmdScript.applicationName": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1",
"src.process.parent.image.path": "C:\\Windows\\System32\\taskhostw.exe",
"tgt.file.sha1": "6f8e508526af2f5a9ab618ebb26b140e8b2811b4",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 7488,
"osSrc.process.parent.integrityLevel": "SYSTEM",
"tgt.file.isSigned": "signed",
"src.process.cmdline": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding",
"src.process.publisher": "MICROSOFT WINDOWS",
"sca:ingestTime": 1680184006,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"osSrc.process.parent.signedStatus": "signed",
"tgt.file.isExecutable": false,
"event.id": "01GWSCAFNK8CGJZYXP5JNDA8VW_166",
"src.process.parent.cmdline": "taskhostw.exe",
"osSrc.process.parent.displayName": "Host Process for Windows Services",
"cmdScript.content": "{(Format-DiskSpaceMB $_.Space) + \"MB\"}",
"src.process.image.path": "C:\\Windows\\System32\\sdiagnhost.exe",
"src.process.tgtFileModificationCount": 2,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"tgt.file.path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1",
"cmdScript.sha256": "6f7db8ffe9379313fda22bcf6b6888ca8405dbab4a6ee58504b2bb34cda3def6",
"tgt.file.extension": "ps1",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1680183962201,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"tgt.file.type": "UNKNOWN",
"osSrc.process.parent.isNative64Bit": false,
"src.process.displayName": "Scripted Diagnostics Native Host",
"tgt.file.sha256": "00915c9baba87359a458d23e18f412647852a3260280a0d64af5e91307c01bce",
"src.process.parent.sessionId": 2,
"src.process.isNative64Bit": false,
"src.process.uid": "64D9E6E7AB538ED5",
"src.process.parent.image.md5": "a00bf82660835224cd6606a248321c5d",
"osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
"osSrc.process.parent.isRedirectCmdProcessor": false,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "64D9E6E7AB538ED5",
"cmdScript.originalSize": 76,
"osSrc.process.parent.storyline.id": "0F91E6E7AB538ED5",
"osSrc.process.parent.pid": 832,
"src.process.parent.uid": "3DD9E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "e63709209d09bc0247e785f075ddb28a98c348206109e2b8ba321ad958402728",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "3ED9E6E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1680183961002,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GWSCAFNK8CGJZYXP5JNDA8VW",
"src.process.name": "sdiagnhost.exe",
"tgt.file.md5": "6f42efe37f2f73bc4d5531a5906844c5",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.image.sha256": "e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4",
"osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
"src.process.indicatorGeneralCount": 4,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "7F72001C135D479586722BA2913C81E1",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"tgt.file.id": "59D9E6E7AB538ED5",
"osSrc.process.parent.uid": "0E91E6E7AB538ED5",
"event.type": "Command Script",
"task.path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 6276
}
{
"src.process.parent.isStorylineRoot": false,
"event.category": "command_script",
"tgt.file.modificationTime": -11644473600000,
"src.process.parent.image.sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
"site.id": "1470095163515336467",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Windows Command Processor",
"src.process.user": "AUTORITE NT\\Syst\u00e8me",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 7,
"src.process.activeContent.signedStatus": "unsigned",
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 1800,
"i.version": "preprocess-lib-1.0",
"src.process.parent.name": "cmd.exe",
"src.process.activeContentType": "FILE",
"src.process.parent.activeContent.id": "3EFA3EFA3EFA3EFA",
"src.process.image.md5": "097ce5761c89434367598b34fe32893b",
"src.process.storyline.id": "7FABCCD60C10799B",
"src.process.indicatorReconnaissanceCount": 69,
"src.process.childProcCount": 6,
"mgmt.url": "euce1-sns-mssp.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"cmdScript.isComplete": true,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "SCRIPTS",
"src.process.parent.integrityLevel": "SYSTEM",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "7FABCCD60C10799B",
"tgt.file.creationTime": -11644473600000,
"src.process.integrityLevel": "SYSTEM",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1722588221803,
"timestamp": "2024-08-02T08:43:41.803Z",
"account.id": "1470095162995242762",
"dataSource.name": "SentinelOne",
"endpoint.name": "ntrsql15",
"src.process.image.sha1": "044a0cf1f6bc478a7172bf207eef1e201a18ba02",
"tgt.file.size": 50105,
"cmdScript.applicationName": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.14393.0",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\Windows\\System32\\cmd.exe",
"tgt.file.sha1": "4b09001438b32e54b91cbe27685c75a316f8cdf5",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 3744,
"src.process.parent.activeContent.hash": "1b11fdf894b9a205b690add505ff5f2193c1fe48",
"tgt.file.isSigned": "signed",
"src.process.cmdline": "powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ",
"src.process.publisher": "MICROSOFT WINDOWS",
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.activeContentType": "CLI",
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.parent.activeContent.path": "\\\\Unknown device\\Unknown file",
"src.process.crossProcessCount": 7,
"src.process.signedStatus": "signed",
"tgt.file.isExecutable": false,
"event.id": "01J4945B0JAAYZXWF8ZG4A0VMZ_638",
"src.process.parent.cmdline": "cmd /C \"powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 \"",
"cmdScript.content": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }",
"src.process.image.path": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.EXE",
"src.process.tgtFileModificationCount": 21,
"src.process.indicatorEvasionCount": 101,
"src.process.netConnOutCount": 0,
"cmdScript.sha256": "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775",
"tgt.file.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
"tgt.file.extension": "ps1",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1722588220577,
"mgmt.id": "16205",
"os.name": "Windows Server 2016 Standard",
"tgt.file.type": "UNKNOWN",
"src.process.activeContent.id": "B76839D30C10799B",
"src.process.displayName": "Windows PowerShell",
"src.process.activeContent.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "07AED4D60C10799B",
"src.process.parent.image.md5": "f4f684066175b77e0c3a000549d2922c",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "07AED4D60C10799B",
"cmdScript.originalSize": 140,
"agent.version": "23.4.4.223",
"src.process.parent.uid": "05AED4D60C10799B",
"src.process.parent.image.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "14393",
"group.id": "7FABCCD60C10799B",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1722588220333,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"trace.id": "01J4945B0JAAYZXWF8ZG4A0VMZ",
"src.process.name": "powershell.EXE",
"agent.uuid": "f373bf5f3c5541a49aad49c5d39deac8",
"src.process.activeContent.hash": "4b09001438b32e54b91cbe27685c75a316f8cdf5",
"src.process.image.sha256": "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436",
"src.process.indicatorGeneralCount": 161,
"src.process.crossProcessOutOfStorylineCount": 1,
"packet.id": "C6BB63A4EEC044B7BFEDC8B39D2594AD",
"src.process.registryChangeCount": 0,
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "AUTORITE NT\\Syst\u00e8me",
"tgt.file.id": "B76839D30C10799B",
"account.name": "S - SOCRAM BANQUE",
"event.type": "Command Script",
"task.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
"src.process.indicatorPostExploitationCount": 8,
"src.process.parent.activeContent.signedStatus": "unsigned",
"src.process.parent.pid": 3776
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "dns",
"osSrc.process.parent.sessionId": 0,
"src.process.parent.image.sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.parent.displayName": "Shell Infrastructure Host",
"src.process.image.binaryIsExecutable": true,
"osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"osSrc.process.crossProcessOpenProcessCount": 0,
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"osSrc.process.parent.name": "svchost.exe",
"osSrc.process.crossProcessDupThreadHandleCount": 0,
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"osSrc.process.parent.startTime": 1679394829780,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.crossProcessOutOfStorylineCount": 0,
"osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.tgtFileCreationCount": 0,
"osSrc.process.childProcCount": 0,
"src.process.indicatorInjectionCount": 0,
"osSrc.process.indicatorReconnaissanceCount": 13,
"src.process.moduleCount": 183,
"src.process.parent.name": "sihost.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1679402348269,
"src.process.image.md5": "da7063b17dbb8bbb3015351016868006",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "6EB4E5E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 215,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "DNS",
"src.process.parent.integrityLevel": "HIGH",
"osSrc.process.user": "NT AUTHORITY\\NETWORK SERVICE",
"osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
"osSrc.process.image.binaryIsExecutable": true,
"osSrc.process.tgtFileModificationCount": 0,
"osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorExploitationCount": 0,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "BE98E5E7AB538ED5",
"osSrc.process.netConnInCount": 0,
"i.scheme": "edr",
"src.process.integrityLevel": "LOW",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 1560,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679402338819,
"event.dns.response": "type: 5 arc.trafficmanager.net;type: 5 iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com;20.82.209.183;",
"osSrc.process.parent.isStorylineRoot": true,
"timestamp": "2023-03-21T12:38:58.819Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 0,
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\sihost.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 3844,
"osSrc.process.parent.integrityLevel": "SYSTEM",
"osSrc.process.uid": "AB96E5E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679402353,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "SYSTEM",
"osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"osSrc.process.subsystem": "SYS_WIN32",
"osSrc.process.parent.signedStatus": "signed",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
"event.id": "01GW22WAJV99Z1NW9K3F6QFVZW_89",
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "sihost.exe",
"osSrc.process.parent.displayName": "Host Process for Windows Services",
"src.process.image.path": "C:\\Windows\\System32\\backgroundTaskHost.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "svchost.exe",
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 2,
"osSrc.process.startTime": 1679394831656,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 5,
"osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679402333356,
"osSrc.process.indicatorRansomwareCount": 0,
"mgmt.id": "16964",
"osSrc.process.netConnCount": 5,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 7,
"osSrc.process.parent.isNative64Bit": false,
"src.process.displayName": "Background Task Host",
"osSrc.process.dnsCount": 5,
"event.dns.request": "arc.msn.com",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 2,
"osSrc.process.sessionId": 0,
"src.process.uid": "6DB4E5E7AB538ED5",
"src.process.parent.image.md5": "a21e7719d73d0322e2e7d61802cb8f80",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p",
"osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
"osSrc.process.parent.isRedirectCmdProcessor": false,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "6DB4E5E7AB538ED5",
"osSrc.process.parent.storyline.id": "5696E5E7AB538ED5",
"osSrc.process.parent.pid": 852,
"src.process.parent.uid": "BD98E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00",
"src.process.sessionId": 2,
"src.process.netConnCount": 2,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"group.id": "6EB4E5E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1679394873882,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 2,
"osSrc.process.tgtFileDeletionCount": 0,
"osSrc.process.indicatorEvasionCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GW22WAJV99Z1NW9K3F6QFVZW",
"src.process.name": "backgroundTaskHost.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"osSrc.process.displayName": "Host Process for Windows Services",
"src.process.image.sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50",
"osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
"src.process.indicatorGeneralCount": 5,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "75E7BCB69CB14C3DA5B6290CF70ECE02",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"osSrc.process.parent.uid": "5596E5E7AB538ED5",
"osSrc.process.storyline.id": "AC96E5E7AB538ED5",
"event.type": "DNS Resolved",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 4164
}
{
"src.process.image.path": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.parent.isStorylineRoot": true,
"event.category": "dns",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.parent.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"src.process.parent.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D",
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.publisher": "<Type=DevID/ID=com.google.Chrome/Subject=OU:DESKTOP001>",
"src.process.parent.startTime": 1713167784335,
"endpoint.type": "laptop",
"endpoint.os": "osx",
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.parent.displayName": "Google Chrome",
"src.process.name": "Google Chrome Helper",
"src.process.startTime": 1713167795818,
"agent.uuid": "75084C59-0F8A-479D-A9C4-2232C37D9D51",
"event.dns.response": "type: 5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;",
"src.process.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"src.process.user": "jdoe",
"timestamp": "2024-06-26T08:44:30.000Z",
"src.process.displayName": "Google Chrome Helper",
"endpoint.name": "MXY2XC6J7VJ",
"src.process.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
"event.dns.request": "type: 28 gew4-spclient.spotify.com",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "CF37475F-BCA9-4F89-8A31-7B6C88CC6F1E",
"src.process.parent.image.md5": "68b329da9893e34099c7d8ad5cb9c940",
"src.process.parent.user": "psinha",
"src.process.pid": 1063,
"src.process.parent.name": "Google Chrome",
"src.process.cmdline": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25",
"src.process.publisher": "<Type=DevID/ID=com.google.Chrome.helper/Subject=OU:DESKTOP001>",
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.image.md5": "68b329da9893e34099c7d8ad5cb9c940",
"src.process.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D",
"event.type": "DNS Resolved",
"agent.version": "24.1.2.7444",
"src.process.signedStatus": "signed",
"src.process.parent.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"src.process.parent.cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
"src.process.sessionId": 0,
"src.process.parent.pid": 790
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "driver",
"tgt.file.modificationTime": -11644473600000,
"src.process.parent.image.sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91",
"site.id": "1640744535583677559",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "NT Kernel & System",
"src.process.user": "SYSTEM",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"src.process.parent.name": "ntoskrnl.exe",
"i.version": "preprocess-lib-1.0",
"driver.startType": 7,
"sca:atlantisIngestTime": 1680604015448,
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "4735E7E7AB538ED5",
"src.process.childProcCount": 2,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "DRIVERLOAD",
"src.process.parent.integrityLevel": "SYSTEM",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "4735E7E7AB538ED5",
"driver.peSha1": "2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75",
"tgt.file.creationTime": -11644473600000,
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680603997497,
"timestamp": "2023-04-04T10:26:37.497Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 47104,
"src.process.image.sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\ntoskrnl.exe",
"tgt.file.sha1": "3f558347c2750e2a7e512e32870f04d917b936b7",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 4,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1680604021,
"dataSource.category": "security",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.file.description": "Indirect displays kernel-mode filter driver",
"driver.certificate.thumbprintAlgorithm": 1704979472,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"tgt.file.isExecutable": false,
"event.id": "01GX5WW9NEJCT67Y7FV3YKQGAC_104",
"src.process.image.path": "C:\\Windows\\System32\\ntoskrnl.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"tgt.file.path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
"tgt.file.extension": "sys",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1680601639956,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"tgt.file.type": "UNKNOWN",
"src.process.displayName": "NT Kernel & System",
"tgt.file.sha256": "2f4fe50c3abb7a37e0adb4429f18b8067ede0608bc4539bac626c2c6d75844b7",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "4635E7E7AB538ED5",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "4635E7E7AB538ED5",
"driver.peSha256": "415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "4635E7E7AB538ED5",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"driver.isLoadedBeforeMonitor": false,
"group.id": "4735E7E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1680601639956,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GX5WW9NEJCT67Y7FV3YKQGAC",
"src.process.name": "ntoskrnl.exe",
"tgt.file.md5": "9b943585ef2a4917e1bc2186045e4b64",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.indicatorGeneralCount": 0,
"tgt.file.internalName": "IndirectKmd.sys",
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "1E58F722484E4850B02469C4B6DDEBF3",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "SYSTEM",
"tgt.file.id": "5382E3E7AB538ED5",
"driver.loadVerdict": "BENIGN",
"event.type": "Driver Load",
"task.path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 4
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "file",
"tgt.file.modificationTime": 1679329231269,
"src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
"site.id": "1640744535583677559",
"tgt.file.location": "Local",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Windows Explorer",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 2,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 34,
"src.process.parent.name": "explorer.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679329289765,
"src.process.image.md5": "8a2122e8162dbef04694b9c3e0b6cdee",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "DA84E5E7AB538ED5",
"src.process.childProcCount": 2,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "FILECREATION",
"src.process.parent.integrityLevel": "HIGH",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "0447E5E7AB538ED5",
"tgt.file.creationTime": 1679329231269,
"i.scheme": "edr",
"src.process.integrityLevel": "HIGH",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679329231269,
"timestamp": "2023-03-20T16:20:31.269Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 0,
"src.process.image.sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\explorer.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 7620,
"sca:ingestTime": 1679329295,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"tgt.file.isExecutable": false,
"event.id": "01GVZX6RZEB3094AVABXWGMYP4_0",
"src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
"src.process.image.path": "C:\\Windows\\System32\\cmd.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 2,
"src.process.netConnOutCount": 0,
"tgt.file.path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679328877107,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"tgt.file.type": "UNKNOWN",
"src.process.displayName": "Windows Command Processor",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 2,
"src.process.uid": "D984E5E7AB538ED5",
"src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "D984E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "0347E5E7AB538ED5",
"src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "DA84E5E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679328586417,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GVZX6RZEB3094AVABXWGMYP4",
"src.process.name": "cmd.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
"src.process.indicatorGeneralCount": 12,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "E0C3EB49976C4B329FC386C214376CA6",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"tgt.file.id": "2E85E5E7AB538ED5",
"event.type": "File Creation",
"task.path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 2280
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "file",
"tgt.file.modificationTime": 1680183665718,
"src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
"site.id": "1640744535583677559",
"tgt.file.location": "Local",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.parent.displayName": "Windows Explorer",
"src.process.image.binaryIsExecutable": true,
"osSrc.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
"osSrc.process.crossProcessOpenProcessCount": 0,
"osSrc.process.publisher": "MICROSOFT CORPORATION",
"osSrc.process.crossProcessDupThreadHandleCount": 0,
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 587,
"osSrc.process.crossProcessOutOfStorylineCount": 0,
"osSrc.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
"src.process.activeContent.signedStatus": "unsigned",
"src.process.tgtFileCreationCount": 235,
"osSrc.process.childProcCount": 0,
"src.process.indicatorInjectionCount": 0,
"osSrc.process.indicatorReconnaissanceCount": 0,
"src.process.moduleCount": 755,
"src.process.parent.name": "explorer.exe",
"i.version": "preprocess-lib-1.0",
"src.process.activeContentType": "FILE",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1680203775822,
"src.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
"src.process.indicatorReconnaissanceCount": 1,
"src.process.storyline.id": "14C2E6E7AB538ED5",
"src.process.childProcCount": 25,
"osSrc.process.activeContentType": "FILE",
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 89,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "FILEDELETION",
"src.process.parent.integrityLevel": "HIGH",
"osSrc.process.user": "desktop-jdoe\\john.doe",
"osSrc.process.image.binaryIsExecutable": true,
"osSrc.process.tgtFileModificationCount": 2,
"src.process.indicatorExploitationCount": 1,
"osSrc.process.registryChangeCount": 1,
"src.process.parent.storyline.id": "96BFE6E7AB538ED5",
"tgt.file.creationTime": 1680183598071,
"osSrc.process.netConnInCount": 0,
"src.process.integrityLevel": "HIGH",
"i.scheme": "edr",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 6348,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680203773098,
"timestamp": "2023-03-30T19:16:13.098Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 0,
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 1385914,
"src.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\explorer.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 6384,
"osSrc.process.uid": "9AC2E6E7AB538ED5",
"src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
"src.process.publisher": "MICROSOFT CORPORATION",
"sca:ingestTime": 1680203781,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": false,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "LOW",
"src.process.crossProcessCount": 606,
"src.process.signedStatus": "signed",
"osSrc.process.subsystem": "SYS_WIN32",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
"tgt.file.isExecutable": false,
"event.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3_29",
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
"src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"src.process.tgtFileModificationCount": 246,
"osSrc.process.name": "msedge.exe",
"src.process.indicatorEvasionCount": 19,
"src.process.netConnOutCount": 0,
"tgt.file.path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp",
"osSrc.process.startTime": 1680183591983,
"tgt.file.extension": "tmp",
"src.process.crossProcessDupThreadHandleCount": 19,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 0,
"osSrc.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
"src.process.tgtFileDeletionCount": 60,
"src.process.startTime": 1680183585577,
"osSrc.process.indicatorRansomwareCount": 0,
"mgmt.id": "16964",
"osSrc.process.netConnCount": 0,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 6,
"tgt.file.type": "UNKNOWN",
"src.process.displayName": "Microsoft Edge",
"osSrc.process.dnsCount": 0,
"src.process.parent.sessionId": 2,
"src.process.isNative64Bit": false,
"osSrc.process.sessionId": 2,
"src.process.uid": "13C2E6E7AB538ED5",
"src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --instant-process --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --time-ticks-at-unix-epoch=-1680169371680820 --launch-time-ticks=14220180564 --mojo-platform-channel-handle=4512 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:1",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "13C2E6E7AB538ED5",
"src.process.parent.uid": "95BFE6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"group.id": "14C2E6E7AB538ED5",
"osSrc.process.activeContent.signedStatus": "unsigned",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1680183557249,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 0,
"osSrc.process.indicatorEvasionCount": 1,
"osSrc.process.tgtFileDeletionCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3",
"src.process.name": "msedge.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.displayName": "Microsoft Edge",
"src.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
"src.process.indicatorGeneralCount": 168,
"src.process.crossProcessOutOfStorylineCount": 11,
"src.process.registryChangeCount": 35,
"packet.id": "6E623DBE96C14642980FE486FCC335F2",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"tgt.file.id": "00C3E6E7AB538ED5",
"osSrc.process.storyline.id": "14C2E6E7AB538ED5",
"event.type": "File Deletion",
"task.path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 4492
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "file",
"tgt.file.modificationTime": -11644473600000,
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"tgt.file.location": "Local",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Services and Controller app",
"src.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 5,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 288,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679577677249,
"src.process.image.md5": "88cbcd6927355b5dccd9827aeb1e6dbd",
"src.process.indicatorReconnaissanceCount": 7,
"src.process.storyline.id": "85D1E5E7AB538ED5",
"src.process.childProcCount": 5,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "FILERENAME",
"src.process.parent.integrityLevel": "SYSTEM",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "D7D0E5E7AB538ED5",
"tgt.file.creationTime": -11644473600000,
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679577675272,
"timestamp": "2023-03-23T13:21:15.272Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 2048,
"src.process.image.sha1": "c6ef4c5e8090a4913fbfd8372c9df08450fe8005",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 2484,
"sca:ingestTime": 1679577682,
"dataSource.category": "security",
"src.process.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 5,
"tgt.file.isExecutable": false,
"event.id": "01GW7A2YG38DG8CTD6M5WV2DZH_68",
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 19,
"tgt.file.path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json",
"tgt.file.extension": "json",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679577547094,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"tgt.file.type": "UNKNOWN",
"src.process.displayName": "WindowsAzureGuestAgent",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "84D1E5E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "84D1E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "D6D0E5E7AB538ED5",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"src.process.sessionId": 0,
"src.process.netConnCount": 19,
"mgmt.osRevision": "19044",
"group.id": "85D1E5E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679577539634,
"src.process.dnsCount": 0,
"tgt.file.oldPath": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json",
"endpoint.type": "desktop",
"trace.id": "01GW7A2YG38DG8CTD6M5WV2DZH",
"src.process.name": "WindowsAzureGuestAgent.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "4779d3eecbc47b0a389187ef411c727920a5898c9c0785e33aabf7338c994364",
"src.process.indicatorGeneralCount": 6,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "AABF3FC035554DC3A72C57304DE3131B",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"tgt.file.id": "F7D2E5E7AB538ED5",
"event.type": "File Rename",
"task.path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 676
}
{
"src.process.parent.isStorylineRoot": false,
"event.category": "file",
"src.process.parent.image.sha1": "0000000",
"site.id": "00000000",
"tgt.file.location": "Local",
"src.process.parent.displayName": "pparent",
"src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 1,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"i.version": "preprocess-lib-1.0",
"src.process.parent.name": "pname",
"src.process.storyline.id": "00000-0000-0000-0000000",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.childProcCount": 0,
"aaaa.url": "redacted.sentinelone.net",
"src.process.parent.eUserName": "aaaaaaaa",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.eUserName": "aaaaaaaa",
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"meta.event.name": "FILERENAME",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "0000000-0000-0000-00000000",
"tgt.file.creationTime": 1722852662250,
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"i.scheme": "edr",
"site.name": "sitename",
"src.process.netConnInCount": 0,
"event.time": 1722853381979,
"timestamp": "2024-08-05T10:23:01.979Z",
"account.id": "00000000000",
"dataSource.name": "SentinelOne",
"endpoint.name": "aaaaaaaaa",
"src.process.image.sha1": "aaaaaaaaaaaaaa",
"tgt.file.size": 750,
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/bin/pparent",
"src.process.lUserName": "aaaaaaaa",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 31304,
"tgt.file.isSigned": "unsigned",
"src.process.cmdline": " /usr/cmd -",
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.parent.rUserUid": 1111,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "unsigned",
"event.id": "01J4H129Q4744MK0FX0CNXASK1_414",
"src.process.image.path": "/usr/path",
"src.process.tgtFileModificationCount": 2,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"tgt.file.path": "/new/new/file/path/path",
"src.process.eUserUid": 1111,
"src.process.lUserUid": 1111,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "linux",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1722853381100,
"mgmt.id": "00000",
"os.name": "Linux",
"tgt.file.type": "UNKNOWN",
"src.process.displayName": "aaaaaaaaa",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.rUserUid": 1111,
"src.process.uid": "000000000-0000-0000-00000000000",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "000000000-0000-0000-000000000",
"src.process.parent.eUserUid": 112,
"agent.version": "1",
"src.process.parent.uid": "000000000-0000-0000-0000000000000000",
"src.process.parent.rUserName": "aaaaaaaaa",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "Debian",
"group.id": "000000000-0000-0000-00000000",
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.startTime": 1722853381090,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"tgt.file.oldPath": "/old/path/name/tmp.aaaa",
"trace.id": "00000000000",
"src.process.rUserName": "aaaaaaaaa",
"src.process.name": "aaaaa",
"agent.uuid": "00000-0000-0000-000000",
"src.process.parent.lUserName": "aaaaaaaa",
"src.process.indicatorGeneralCount": 0,
"src.process.parent.lUserUid": 1111,
"src.process.crossProcessOutOfStorylineCount": 0,
"packet.id": "000000-0000-0000-000000000000",
"src.process.registryChangeCount": 0,
"src.process.indicatorPersistenceCount": 3,
"src.process.parent.signedStatus": "unsigned",
"tgt.file.id": "00000-0000-0000-0000000000",
"account.name": "account_name",
"event.type": "File Rename",
"task.path": "/var/aaa/aaa/aaaa/aaaa",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 111111
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "group",
"src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "Windows Explorer",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.activeContent.signedStatus": "unsigned",
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 66,
"src.process.parent.name": "explorer.exe",
"i.version": "preprocess-lib-1.0",
"src.process.activeContentType": "FILE",
"sca:atlantisIngestTime": 1680190602792,
"src.process.image.md5": "999a30979f6195bf562068639ffc4426",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "8EE6E6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "GROUPCREATION",
"src.process.parent.integrityLevel": "HIGH",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "96BFE6E7AB538ED5",
"src.process.integrityLevel": "HIGH",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680190543346,
"timestamp": "2023-03-30T15:35:43.346Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "d4f2663aabc03478975382b3c69f24b3c6bd2aa9",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\explorer.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 7400,
"tgt.file.isSigned": "signed",
"src.process.cmdline": "\"regedit.exe\" \"C:\\Users\\john.doe\\Desktop\\test.reg\"",
"src.process.publisher": "MICROSOFT WINDOWS",
"sca:ingestTime": 1680190608,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"event.id": "01GWSJKYK06EX50CNYW0M34QBF_18",
"src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
"src.process.image.path": "C:\\Windows\\regedit.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1680190543341,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.activeContent.id": "72E6E6E7AB538ED5",
"src.process.displayName": "Registry Editor",
"src.process.activeContent.path": "C:\\Users\\john.doe\\Desktop\\test.reg",
"src.process.parent.sessionId": 2,
"src.process.isNative64Bit": false,
"src.process.uid": "8DE6E6E7AB538ED5",
"src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "8DE6E6E7AB538ED5",
"src.process.parent.uid": "95BFE6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "8EE6E6E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1680183557249,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GWSJKYK06EX50CNYW0M34QBF",
"src.process.name": "regedit.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.activeContent.hash": "8b3d7f4397dd79d66b753745a676da89439ed38e",
"src.process.image.sha256": "92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170",
"src.process.indicatorGeneralCount": 2,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 3,
"packet.id": "635ACC7D4F504B698769ED4A8E380CEF",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"event.type": "Group Creation",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 4492
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "indicators",
"src.process.parent.image.sha1": "a87dd7a7ad343205aac883c18fb55fc7bba54093",
"site.id": "1640744535583677559",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Microsoft Edge",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.parent.subsystem": "SYS_WIN32",
"indicator.category": "Evasion",
"src.process.indicatorRansomwareCount": 0,
"indicator.metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.activeContent.signedStatus": "unsigned",
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"indicator.description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {<a href=\"https://attack.mitre.org/techniques/T1055/012/\" target=\"_blank\">T1055.012</a>}, Privilege Escalation {<a href=\"https://attack.mitre.org/techniques/T1055/012/\" target=\"_blank\">T1055.012</a>}",
"src.process.moduleCount": 84,
"src.process.parent.name": "msedge.exe",
"i.version": "preprocess-lib-1.0",
"src.process.activeContentType": "FILE",
"sca:atlantisIngestTime": 1679651845743,
"src.process.image.md5": "44d867f6684855e16738b65a446937c5",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "2D1EE6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "BEHAVIORALINDICATORS",
"src.process.parent.integrityLevel": "HIGH",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "2D1EE6E7AB538ED5",
"i.scheme": "edr",
"src.process.integrityLevel": "LOW",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679651799952,
"timestamp": "2023-03-24T09:56:39.952Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "a87dd7a7ad343205aac883c18fb55fc7bba54093",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"src.process.tid": 0,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 8064,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679651851,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4272 --field-trial-handle=1904,i,13954562701905874655,10086179210364072054,131072 /prefetch:8",
"src.process.publisher": "MICROSOFT CORPORATION",
"src.process.parent.activeContentType": "FILE",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"event.id": "01GW9GTD03G3KP42RNTBE4KYSR_5",
"src.process.parent.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
"src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"src.process.tgtFileModificationCount": 3,
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679651799947,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.displayName": "Microsoft Edge",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 2,
"src.process.uid": "F328E6E7AB538ED5",
"src.process.parent.image.md5": "44d867f6684855e16738b65a446937c5",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "F328E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "2C1EE6E7AB538ED5",
"src.process.parent.image.sha256": "d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "2D1EE6E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT CORPORATION",
"src.process.parent.startTime": 1679651174169,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GW9GTD03G3KP42RNTBE4KYSR",
"src.process.name": "msedge.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693",
"src.process.indicatorGeneralCount": 7,
"indicator.name": "PreloadInjection",
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 1,
"packet.id": "A53019B8AC7E4786BC77B654E737149B",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"event.type": "Behavioral Indicators",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.activeContent.signedStatus": "unsigned",
"src.process.parent.pid": 6728
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "ip",
"src.process.parent.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "Microsoft Azure\u00c2\u00ae",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 168,
"src.process.parent.name": "WaAppAgent.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679405948601,
"src.process.image.md5": "c15e04000a62f18f0f726991d1d032dc",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "EE96E5E7AB538ED5",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "TCPV4",
"src.process.parent.integrityLevel": "SYSTEM",
"src.port.number": 50755,
"event.network.protocolName": "http",
"src.process.indicatorExploitationCount": 1,
"src.process.parent.storyline.id": "EE96E5E7AB538ED5",
"src.process.integrityLevel": "SYSTEM",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679405946954,
"timestamp": "2023-03-21T13:39:06.954Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "410ddcff4d90f02fe4878a6b37f0766d33892b04",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"dst.port.number": 80,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 7020,
"tgt.file.isSigned": "signed",
"src.process.cmdline": "\"CollectGuestLogs.exe\" -Mode:ga -FileName:D:\\CollectGuestLogsTemp\\VMAgentLogs.zip",
"src.process.publisher": "MICROSOFT WINDOWS",
"sca:ingestTime": 1679405954,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"event.id": "01GW26A6QWPJXQ3NZRZTVMTMWZ_13",
"src.process.parent.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\CollectGuestLogs.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 1,
"event.network.direction": "OUTGOING",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.ip.address": "10.0.0.11",
"src.process.startTime": 1679405934712,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.displayName": "CollectGuestLogs",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"src.process.uid": "60B6E5E7AB538ED5",
"src.process.parent.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
"event.network.connectionStatus": "SUCCESS",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "60B6E5E7AB538ED5",
"src.process.parent.uid": "ED96E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
"src.process.sessionId": 0,
"src.process.netConnCount": 1,
"mgmt.osRevision": "19044",
"dst.ip.address": "168.63.129.16",
"group.id": "EE96E5E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1679394836723,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GW26A6QWPJXQ3NZRZTVMTMWZ",
"src.process.name": "CollectGuestLogs.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "b3c6abea2eed98449416fd9942afeddff9960c9dd55e2268657c7d2003bfcf72",
"src.process.indicatorGeneralCount": 2,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "1701C18FFEE943BAB1EA019E610E9D8B",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"event.type": "IP Connect",
"event.repetitionCount": 1,
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 2304
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "ip",
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "Services and Controller app",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "NT AUTHORITY\\NETWORK SERVICE",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 290,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1680187241789,
"src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorReconnaissanceCount": 2,
"src.process.storyline.id": "1B91E6E7AB538ED5",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "TCPV4",
"src.process.parent.integrityLevel": "SYSTEM",
"src.port.number": 13470,
"event.network.protocolName": "ms-wbt-server",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "0591E6E7AB538ED5",
"src.process.integrityLevel": "SYSTEM",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 15,
"event.time": 1680187214991,
"timestamp": "2023-03-30T14:40:14.991Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"dst.port.number": 3389,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 784,
"tgt.file.isSigned": "signed",
"src.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
"src.process.publisher": "MICROSOFT WINDOWS",
"sca:ingestTime": 1680187247,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"event.id": "01GWSFDCGBJQTT4N3NDHS3WR5B_6",
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"event.network.direction": "INCOMING",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.ip.address": "184.105.247.194",
"src.process.startTime": 1680169388118,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.displayName": "Host Process for Windows Services",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"src.process.uid": "1A91E6E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"event.network.connectionStatus": "SUCCESS",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "1A91E6E7AB538ED5",
"src.process.parent.uid": "0491E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"src.process.sessionId": 0,
"src.process.netConnCount": 15,
"mgmt.osRevision": "19044",
"dst.ip.address": "10.0.0.11",
"group.id": "1B91E6E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT WINDOWS PUBLISHER",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1680169387098,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GWSFDCGBJQTT4N3NDHS3WR5B",
"src.process.name": "svchost.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.indicatorGeneralCount": 12,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "ACF2D802403946EAB4FC44D3BDA2268A",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"event.type": "IP Connect",
"event.repetitionCount": 2,
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 676
}
{
"src.process.parent.isStorylineRoot": false,
"event.category": "ip",
"src.process.parent.image.sha1": "020c0ff3208f4c94856742122a8535565c979686",
"site.id": "1640744535583677559",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "AttestationExtension",
"src.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 93,
"src.process.parent.name": "AttestationExtension.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1680198343920,
"src.process.image.md5": "830ab0741415bfe65817accb022b64d9",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "B491E6E7AB538ED5",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "TCPV4",
"src.process.parent.integrityLevel": "SYSTEM",
"src.port.number": 52343,
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "B491E6E7AB538ED5",
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"site.name": "Default site",
"src.process.netConnInCount": 4,
"event.time": 1680198321581,
"timestamp": "2023-03-30T17:45:21.581Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "101d2bd70fb62dd0838483f2dc62bbd93f0dd009",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe",
"dst.port.number": 52342,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 724,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1680198349,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe\" -a \"\" -r \"\" -l C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21 -h C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\HeartBeat.Json -s C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\0.status -e C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\Events -v 1.0.1.21",
"src.process.publisher": "MICROSOFT AZURE CODE SIGN",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"event.id": "01GWST06SETGGAFBFHCC8YP6XD_19",
"src.process.parent.cmdline": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe\" enable",
"src.process.image.path": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 4,
"src.process.reasonSignatureInvalid": "SignedNotVerified",
"src.process.netConnOutCount": 19,
"event.network.direction": "OUTGOING",
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.ip.address": "127.0.0.1",
"src.process.startTime": 1680169453286,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.displayName": "AttestationClient.exe",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "F492E6E7AB538ED5",
"src.process.parent.image.md5": "f4ad5b3598df100f80e240039f4fbed1",
"event.network.connectionStatus": "SUCCESS",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "F492E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "EF92E6E7AB538ED5",
"src.process.parent.image.sha256": "9cf3b22aaa92f8b6b1f817452cf12791a41cd3969674b46bd1e3718c328a6a44",
"src.process.sessionId": 0,
"src.process.netConnCount": 23,
"mgmt.osRevision": "19044",
"dst.ip.address": "127.0.0.1",
"group.id": "B491E6E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "unverified",
"src.process.parent.startTime": 1680169451297,
"src.process.dnsCount": 3,
"endpoint.type": "desktop",
"trace.id": "01GWST06SETGGAFBFHCC8YP6XD",
"src.process.name": "AttestationClient.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "139e2d3b4629933268034a68e6d5202f8c305d9ae29f728790711cc9841ae654",
"src.process.indicatorGeneralCount": 6,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "1014097947594B0B8EF4843F10BCFFB9",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "unsigned",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"event.type": "IP Connect",
"event.repetitionCount": 1,
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 3444
}
{
"event.category": "logins",
"src.process.parent.isStorylineRoot": false,
"src.process.parent.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "sshd",
"src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"src.process.parent.name": "sshd",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1681370638780,
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "55a4d014-9141-dea7-0774-371da18a6469",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.parent.eUserName": "root",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.eUserName": "root",
"meta.event.name": "WINLOGONATTEMPT",
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"event.login.type": "REMOTE_INTERACTIVE",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca",
"event.login.loginIsSuccessful": true,
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1681370589631,
"src.endpoint.ip.address": "83.167.43.106",
"timestamp": "2023-04-13T07:23:09.631Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "linux-desktop-S1",
"src.process.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/usr/sbin/sshd",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 1669,
"tgt.file.isSigned": "unsigned",
"src.process.cmdline": " sshd: jdoe [priv]",
"sca:ingestTime": 1681370644,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.rUserUid": 0,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "unsigned",
"event.id": "01GXWQZSEQ5HPDZ88XCF016WAM_25",
"event.login.accountName": "jdoe",
"src.process.parent.cmdline": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups",
"src.process.image.path": "/usr/sbin/sshd",
"src.process.tgtFileModificationCount": 5,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"src.process.eUserUid": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "linux",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1681370581710,
"mgmt.id": "16964",
"os.name": "Linux",
"src.process.displayName": "sshd",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"src.process.rUserUid": 0,
"src.process.uid": "55a4d014-764d-907e-3edd-f7aa19bbf4af",
"event.login.sessionId": 0,
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "55a4d014-764d-907e-3edd-f7aa19bbf4af",
"src.process.parent.eUserUid": 0,
"event.login.isAdministratorEquivalent": false,
"agent.version": "22.4.2.4",
"src.process.parent.uid": "55a4cfe3-efa4-0d32-96df-11e5be1ac48d",
"src.process.parent.rUserName": "root",
"event.login.userName": "jdoe",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
"group.id": "55a4d014-9141-dea7-0774-371da18a6469",
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.startTime": 1681370573560,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"trace.id": "01GXWQZSEQ5HPDZ88XCF016WAM",
"src.process.name": "sshd",
"src.process.rUserName": "root",
"agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
"src.process.indicatorGeneralCount": 0,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "55afd0af-4609-018d-f36a-cbd2a92b6a59",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "unsigned",
"event.type": "Login",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 647
}
{
"src.process.parent.isStorylineRoot": false,
"event.category": "logins",
"src.process.parent.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "sshd",
"src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"i.version": "preprocess-lib-1.0",
"src.process.parent.name": "sshd",
"sca:atlantisIngestTime": 1681315742455,
"src.process.storyline.id": "55d21a33-24e0-2280-8049-e395c2fe0885",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.parent.eUserName": "root",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.eUserName": "root",
"meta.event.name": "WINLOGOFF",
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd",
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1681315720511,
"timestamp": "2023-04-12T16:08:40.511Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "linux-desktop-S1",
"src.process.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/usr/sbin/sshd",
"src.process.lUserName": "jdoe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 1153,
"tgt.file.isSigned": "unsigned",
"src.process.cmdline": " sshd: jdoe [priv]",
"dataSource.category": "security",
"sca:ingestTime": 1681315747,
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.rUserUid": 0,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "unsigned",
"event.id": "01GXV3MFMWN2TKVYBBQT6WR04X_21",
"src.process.parent.cmdline": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups",
"src.process.image.path": "/usr/sbin/sshd",
"src.process.tgtFileModificationCount": 2,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"src.process.eUserUid": 0,
"src.process.lUserUid": 1000,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "linux",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1681308825830,
"mgmt.id": "16964",
"os.name": "Linux",
"src.process.displayName": "sshd",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.rUserUid": 0,
"src.process.uid": "55d21a33-1090-cfe3-3e71-3be4cb5098b8",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "55d21a33-1090-cfe3-3e71-3be4cb5098b8",
"src.process.parent.eUserUid": 0,
"agent.version": "22.4.2.4",
"src.process.parent.uid": "55d21a32-6fa0-ec6b-21df-509b3ca7f0ed",
"src.process.parent.rUserName": "root",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
"group.id": "55d21a33-24e0-2280-8049-e395c2fe0885",
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.startTime": 1681308331040,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"trace.id": "01GXV3MFMWN2TKVYBBQT6WR04X",
"src.process.name": "sshd",
"src.process.rUserName": "root",
"agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
"src.process.indicatorGeneralCount": 0,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "55c23dd3-0577-86b3-7357-f1fc8662a4a0",
"src.process.parent.signedStatus": "unsigned",
"src.process.indicatorPersistenceCount": 0,
"event.type": "Logout",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 720
}
{
"tgt.process.displayName": "ip",
"src.process.parent.isStorylineRoot": false,
"event.category": "process",
"src.process.parent.image.sha1": "50e2a658cfe2243cfe3e6f722f049b0ba377b7e4",
"tgt.process.eUserName": "root",
"site.id": "1640744535583677559",
"src.process.parent.displayName": "python3.9",
"tgt.process.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"tgt.process.isNative64Bit": false,
"src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 0,
"src.process.parent.name": "python3.9",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1681309502217,
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"src.process.childProcCount": 1,
"src.process.parent.eUserName": "root",
"mgmt.url": "euce1-105.sentinelone.net",
"tgt.process.subsystem": "SUBSYSTEM_UNKNOWN",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.eUserName": "root",
"src.process.subsystem": "SUBSYSTEM_UNKNOWN",
"meta.event.name": "PROCESSCREATION",
"src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"tgt.process.image.path": "/usr/bin/ip",
"src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"i.scheme": "edr",
"tgt.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1681309474835,
"timestamp": "2023-04-12T14:24:34.835Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "linux-desktop-S1",
"src.process.image.sha1": "827265afe07691a445674eb09e0eb4fd025dbd43",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "/usr/bin/python3.9",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 1517,
"tgt.file.isSigned": "unsigned",
"src.process.cmdline": " /bin/sh -c ip -6 -a -o address",
"sca:ingestTime": 1681309508,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.rUserUid": 0,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.process.image.sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f",
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "unsigned",
"event.id": "01GXTXP1WXXHGR0R7A8NF27FQ3_24",
"src.process.parent.cmdline": " python3 -u /usr/sbin/waagent -run-exthandlers",
"src.process.image.path": "/usr/bin/dash",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"tgt.process.rUserUid": 0,
"src.process.eUserUid": 0,
"tgt.process.pid": 1518,
"src.process.crossProcessDupThreadHandleCount": 0,
"tgt.process.name": "ip",
"endpoint.os": "linux",
"src.process.tgtFileDeletionCount": 0,
"tgt.process.signedStatus": "unsigned",
"src.process.startTime": 1681309474590,
"mgmt.id": "16964",
"os.name": "Linux",
"tgt.process.rUserName": "root",
"tgt.process.cmdline": " ip -6 -a -o address",
"src.process.displayName": "dash",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"tgt.process.eUserUid": 0,
"src.process.rUserUid": 0,
"src.process.uid": "550f55e1-53a8-e998-adea-61da4ec754de",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4",
"src.process.parent.eUserUid": 0,
"tgt.process.uid": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4",
"tgt.process.isStorylineRoot": false,
"src.process.parent.uid": "55d21a32-dd64-9b07-6e84-bd923f6d1e08",
"agent.version": "22.4.2.4",
"src.process.parent.rUserName": "root",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
"group.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
"tgt.process.startTime": 1681309474590,
"src.process.isRedirectCmdProcessor": false,
"src.process.parent.startTime": 1681308332200,
"src.process.dnsCount": 0,
"endpoint.type": "server",
"trace.id": "01GXTXP1WXXHGR0R7A8NF27FQ3",
"src.process.rUserName": "root",
"src.process.name": "dash",
"agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
"src.process.indicatorGeneralCount": 0,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "551560d7-495f-7d44-7a29-52064745dff7",
"tgt.process.sessionId": 0,
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "unsigned",
"tgt.process.isRedirectCmdProcessor": false,
"event.type": "Process Creation",
"event.repetitionCount": 1,
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 911
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "logins",
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.parent.displayName": "Services and Controller app",
"src.process.image.binaryIsExecutable": true,
"osSrc.process.image.md5": "289d6a47b7692510e2fd3b51979a9fed",
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "NT AUTHORITY\\NETWORK SERVICE",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.image.sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16",
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 658,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1679405768536,
"src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorReconnaissanceCount": 4,
"src.process.storyline.id": "6196E5E7AB538ED5",
"src.process.childProcCount": 3,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "WINLOGONATTEMPT",
"src.process.parent.integrityLevel": "SYSTEM",
"event.login.type": "NETWORK",
"osSrc.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.image.binaryIsExecutable": true,
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "4896E5E7AB538ED5",
"event.login.loginIsSuccessful": false,
"src.process.integrityLevel": "SYSTEM",
"i.scheme": "edr",
"osSrc.process.pid": 684,
"site.name": "Default site",
"src.process.netConnInCount": 65,
"event.time": 1679405708938,
"src.endpoint.ip.address": "180.163.86.35",
"timestamp": "2023-03-21T13:35:08.938Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 740,
"osSrc.process.uid": "4996E5E7AB538ED5",
"tgt.file.isSigned": "signed",
"src.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
"src.process.publisher": "MICROSOFT WINDOWS",
"sca:ingestTime": 1679405774,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "SYSTEM",
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"osSrc.process.subsystem": "SYS_WIN32",
"event.id": "01GW264PY7BGAP7QD40Y666TD8_1",
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"event.login.accountName": "-",
"src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "lsass.exe",
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"osSrc.process.startTime": 1679394829462,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"osSrc.process.image.sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679394830438,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"src.process.displayName": "Host Process for Windows Services",
"src.process.parent.sessionId": 0,
"src.process.isNative64Bit": false,
"osSrc.process.sessionId": 0,
"event.login.failureReason": "Unknown user name or bad password.",
"src.process.uid": "6096E5E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\lsass.exe",
"event.login.sessionId": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "6096E5E7AB538ED5",
"src.process.parent.uid": "4796E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"event.login.userName": "USER",
"src.process.sessionId": 0,
"src.process.netConnCount": 65,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\lsass.exe",
"group.id": "6196E5E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1679394829443,
"src.process.dnsCount": 0,
"event.login.accountDomain": "-",
"endpoint.type": "desktop",
"trace.id": "01GW264PY7BGAP7QD40Y666TD8",
"src.process.name": "svchost.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.displayName": "Local Security Authority Process",
"src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.indicatorGeneralCount": 14,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "CB26CB516DA94909A17845A03C2ED5E0",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.storyline.id": "4A96E5E7AB538ED5",
"event.type": "Login",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 676,
"event.login.accountSid": "S-1-0-0"
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "logins",
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Services and Controller app",
"osSrc.process.image.md5": "289d6a47b7692510e2fd3b51979a9fed",
"osSrc.process.crossProcessOpenProcessCount": 164,
"osSrc.process.publisher": "MICROSOFT WINDOWS PUBLISHER",
"osSrc.process.crossProcessDupThreadHandleCount": 0,
"src.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 19,
"osSrc.process.crossProcessOutOfStorylineCount": 164,
"osSrc.process.image.sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16",
"src.process.tgtFileCreationCount": 0,
"osSrc.process.childProcCount": 0,
"src.process.indicatorInjectionCount": 24,
"osSrc.process.indicatorReconnaissanceCount": 1,
"src.process.moduleCount": 7591,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1680604015448,
"src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorReconnaissanceCount": 1459,
"src.process.storyline.id": "C136E7E7AB538ED5",
"src.process.childProcCount": 90,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 227,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 124,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "WINLOGONATTEMPT",
"event.login.type": "UNLOCK",
"src.process.parent.integrityLevel": "SYSTEM",
"osSrc.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.image.binaryIsExecutable": true,
"osSrc.process.tgtFileModificationCount": 0,
"src.process.indicatorExploitationCount": 0,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "AB36E7E7AB538ED5",
"event.login.loginIsSuccessful": true,
"osSrc.process.netConnInCount": 0,
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 688,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680603998952,
"src.endpoint.ip.address": "109.190.253.14",
"timestamp": "2023-04-04T10:26:38.952Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 164,
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 536,
"osSrc.process.uid": "AC36E7E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1680604021,
"dataSource.category": "security",
"src.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "SYSTEM",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 252,
"osSrc.process.subsystem": "SYS_WIN32",
"event.id": "01GX5WW9NEJCT67Y7FV3YKQGAC_115",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"event.login.accountName": "desktop-jdoe$",
"src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "lsass.exe",
"src.process.indicatorEvasionCount": 3,
"src.process.netConnOutCount": 102,
"osSrc.process.startTime": 1680601657543,
"src.process.crossProcessDupThreadHandleCount": 6,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 0,
"osSrc.process.image.sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1680601658531,
"mgmt.id": "16964",
"osSrc.process.indicatorRansomwareCount": 0,
"osSrc.process.netConnCount": 0,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 66,
"src.process.displayName": "Host Process for Windows Services",
"osSrc.process.dnsCount": 0,
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"osSrc.process.sessionId": 0,
"src.process.uid": "C036E7E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\lsass.exe",
"event.login.sessionId": 0,
"src.process.indicatorInfostealerCount": 127,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "C036E7E7AB538ED5",
"event.login.isAdministratorEquivalent": true,
"agent.version": "22.3.2.373",
"src.process.parent.uid": "AA36E7E7AB538ED5",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"event.login.userName": "john.doe",
"src.process.sessionId": 0,
"src.process.netConnCount": 102,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\lsass.exe",
"group.id": "C136E7E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS PUBLISHER",
"src.process.parent.startTime": 1680601657524,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 40,
"event.login.accountDomain": "WORKGROUP",
"osSrc.process.tgtFileDeletionCount": 0,
"osSrc.process.indicatorEvasionCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GX5WW9NEJCT67Y7FV3YKQGAC",
"src.process.name": "svchost.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.displayName": "Local Security Authority Process",
"src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.indicatorGeneralCount": 261,
"src.process.crossProcessOutOfStorylineCount": 252,
"src.process.registryChangeCount": 0,
"packet.id": "1E58F722484E4850B02469C4B6DDEBF3",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.storyline.id": "AD36E7E7AB538ED5",
"event.type": "Login",
"src.process.indicatorPostExploitationCount": 0,
"event.login.accountSid": "S-1-5-18",
"src.process.parent.pid": 680
}
{
"tgt.process.displayName": "Runtime Broker",
"src.process.parent.isStorylineRoot": true,
"event.category": "process",
"osSrc.process.parent.sessionId": 0,
"src.process.parent.image.sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.parent.displayName": "Shell Infrastructure Host",
"src.process.image.binaryIsExecutable": true,
"tgt.process.storyline.id": "86B6E5E7AB538ED5",
"osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"tgt.process.isNative64Bit": false,
"osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"osSrc.process.crossProcessOpenProcessCount": 1,
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"osSrc.process.parent.name": "svchost.exe",
"osSrc.process.crossProcessDupThreadHandleCount": 0,
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"osSrc.process.parent.startTime": 1679394829780,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.crossProcessOutOfStorylineCount": 86,
"osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.tgtFileCreationCount": 0,
"osSrc.process.childProcCount": 121,
"src.process.indicatorInjectionCount": 0,
"osSrc.process.indicatorReconnaissanceCount": 2,
"src.process.moduleCount": 93,
"src.process.parent.name": "sihost.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1679406008310,
"src.process.image.md5": "da7063b17dbb8bbb3015351016868006",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "86B6E5E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"tgt.process.subsystem": "SYS_WIN32",
"src.process.crossProcessOpenProcessCount": 0,
"tgt.process.image.binaryIsExecutable": true,
"osSrc.process.crossProcessThreadCreateCount": 0,
"tgt.process.image.sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628",
"osSrc.process.moduleCount": 199,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "PROCESSCREATION",
"src.process.parent.integrityLevel": "HIGH",
"osSrc.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
"osSrc.process.image.binaryIsExecutable": true,
"osSrc.process.tgtFileModificationCount": 0,
"osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"tgt.process.publisher": "MICROSOFT WINDOWS",
"src.process.indicatorExploitationCount": 0,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "BE98E5E7AB538ED5",
"tgt.process.verifiedStatus": "verified",
"osSrc.process.netConnInCount": 0,
"tgt.process.image.path": "C:\\Windows\\System32\\RuntimeBroker.exe",
"i.scheme": "edr",
"src.process.integrityLevel": "LOW",
"tgt.process.integrityLevel": "HIGH",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 852,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"tgt.process.image.md5": "ba4cfe6461afa1004c52f19c8f2169dc",
"event.time": 1679405965868,
"osSrc.process.parent.isStorylineRoot": true,
"timestamp": "2023-03-21T13:39:25.868Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 86,
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\sihost.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 2096,
"osSrc.process.parent.integrityLevel": "SYSTEM",
"osSrc.process.uid": "5596E5E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679406014,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.process.image.sha1": "ab8539ef6b2a93ff9589dec4b34a0257b6296c92",
"osSrc.process.integrityLevel": "SYSTEM",
"osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"osSrc.process.subsystem": "SYS_WIN32",
"osSrc.process.parent.signedStatus": "signed",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 85,
"event.id": "01GW26C1B7ME6MS4EC7X0K5R6X_12",
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "sihost.exe",
"osSrc.process.parent.displayName": "Host Process for Windows Services",
"src.process.image.path": "C:\\Windows\\System32\\backgroundTaskHost.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "svchost.exe",
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"osSrc.process.startTime": 1679394829780,
"tgt.process.pid": 3212,
"src.process.crossProcessDupThreadHandleCount": 0,
"tgt.process.name": "RuntimeBroker.exe",
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 0,
"osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"tgt.process.signedStatus": "signed",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679405965779,
"osSrc.process.indicatorRansomwareCount": 0,
"mgmt.id": "16964",
"osSrc.process.netConnCount": 0,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 12,
"osSrc.process.parent.isNative64Bit": false,
"tgt.process.cmdline": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding",
"src.process.displayName": "Background Task Host",
"osSrc.process.dnsCount": 0,
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 2,
"osSrc.process.sessionId": 0,
"src.process.uid": "85B6E5E7AB538ED5",
"src.process.parent.image.md5": "a21e7719d73d0322e2e7d61802cb8f80",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
"osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
"osSrc.process.parent.isRedirectCmdProcessor": false,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "87B6E5E7AB538ED5",
"tgt.process.uid": "87B6E5E7AB538ED5",
"tgt.process.isStorylineRoot": false,
"osSrc.process.parent.storyline.id": "5696E5E7AB538ED5",
"osSrc.process.parent.pid": 852,
"src.process.parent.uid": "BD98E5E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"group.id": "86B6E5E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"tgt.process.startTime": 1679405965867,
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1679394873882,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 0,
"osSrc.process.tgtFileDeletionCount": 0,
"osSrc.process.indicatorEvasionCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GW26C1B7ME6MS4EC7X0K5R6X",
"src.process.name": "backgroundTaskHost.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"osSrc.process.displayName": "Host Process for Windows Services",
"src.process.image.sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50",
"osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
"tgt.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorGeneralCount": 3,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "8179FCF2337A43CA9FB82DC8E38EEBD2",
"tgt.process.sessionId": 2,
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"tgt.process.isRedirectCmdProcessor": false,
"osSrc.process.parent.uid": "5596E5E7AB538ED5",
"osSrc.process.storyline.id": "5696E5E7AB538ED5",
"event.type": "Process Creation",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 4164
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "registry",
"src.process.parent.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
"site.id": "1640744535583677559",
"registry.valueFullSize": 24,
"src.process.parent.displayName": "Microsoft Edge",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.indicatorRansomwareCount": 0,
"registry.oldValueType": "BINARY",
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.activeContent.signedStatus": "unsigned",
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 156,
"src.process.parent.name": "msedge.exe",
"i.version": "preprocess-lib-1.0",
"src.process.activeContentType": "FILE",
"sca:atlantisIngestTime": 1680203775822,
"src.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "14C2E6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"registry.oldValueFullSize": 24,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "REGVALUEMODIFIED",
"src.process.parent.integrityLevel": "HIGH",
"src.process.indicatorExploitationCount": 2,
"src.process.parent.storyline.id": "14C2E6E7AB538ED5",
"src.process.integrityLevel": "LOW",
"i.scheme": "edr",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680203773063,
"timestamp": "2023-03-30T19:16:13.063Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 6912,
"tgt.file.isSigned": "signed",
"src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:2",
"src.process.publisher": "MICROSOFT CORPORATION",
"sca:ingestTime": 1680203781,
"dataSource.category": "security",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.activeContentType": "FILE",
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.crossProcessCount": 0,
"src.process.signedStatus": "signed",
"event.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3_20",
"src.process.parent.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
"registry.value": "3929AC173C63D90100000000000000000000000002000000",
"src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1680183590099,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"src.process.displayName": "Microsoft Edge",
"src.process.parent.sessionId": 2,
"src.process.isNative64Bit": false,
"src.process.uid": "6DC2E6E7AB538ED5",
"src.process.parent.image.md5": "fbbcd4101d9daa064e2686834b1296be",
"src.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.indicatorInfostealerCount": 0,
"process.unique.key": "6DC2E6E7AB538ED5",
"registry.valueType": "BINARY",
"src.process.parent.uid": "13C2E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "14C2E6E7AB538ED5",
"src.process.parent.publisher": "MICROSOFT CORPORATION",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.startTime": 1680183585577,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3",
"src.process.name": "msedge.exe",
"registry.oldValueIsComplete": true,
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
"src.process.indicatorGeneralCount": 4,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 1,
"packet.id": "6E623DBE96C14642980FE486FCC335F2",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"registry.oldValue": "C9C6A9173C63D90100000000000000000000000002000000",
"event.type": "Registry Value Modified",
"src.process.indicatorPostExploitationCount": 0,
"registry.valueIsComplete": true,
"src.process.parent.activeContent.signedStatus": "unsigned",
"src.process.parent.pid": 6384
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "registry",
"src.process.parent.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
"site.id": "1640744535583677559",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Microsoft Azure\u00c2\u00ae",
"src.process.user": "NT AUTHORITY\\SYSTEM",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 33,
"src.process.parent.name": "WaAppAgent.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679651173876,
"src.process.image.md5": "e30e7a42a010bf95524514bdf2035695",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "B91AE6E7AB538ED5",
"src.process.childProcCount": 1,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "REGKEYCREATE",
"src.process.parent.integrityLevel": "SYSTEM",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "B91AE6E7AB538ED5",
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679651168286,
"timestamp": "2023-03-24T09:46:08.286Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "3f38989e61670025c2585a9e3cc8f1e1c9f229e9",
"src.process.isStorylineRoot": false,
"src.process.parent.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 2532,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679651179,
"dataSource.category": "security",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.cmdline": "\"wevtutil.exe\" im C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\AzureEvents.man",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"event.id": "01GW9G5WH7M8ZDX974Z857TJT3_959",
"src.process.parent.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"src.process.image.path": "C:\\Windows\\System32\\wevtutil.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679651062627,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application\\{9e3b8bee-15eb-444b-a692-bab4546644f2}",
"src.process.displayName": "Eventing Command Line Utility",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "081BE6E7AB538ED5",
"src.process.parent.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "081BE6E7AB538ED5",
"src.process.parent.uid": "B81AE6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "B91AE6E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679651056550,
"src.process.dnsCount": 0,
"endpoint.type": "desktop",
"trace.id": "01GW9G5WH7M8ZDX974Z857TJT3",
"src.process.name": "wevtutil.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "20db4abf4539d2e054fbadde48078452a5a4adbca9eaeff66aba89f2c9164055",
"src.process.indicatorGeneralCount": 2,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "338EC859EB214768AD336A240538CC9B",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"event.type": "Registry Key Create",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 2308
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "registry",
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Services and Controller app",
"osSrc.process.image.md5": "60ff40cfd7fb8fe41ee4fe9ae5fe1c51",
"osSrc.process.crossProcessOpenProcessCount": 0,
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"osSrc.process.crossProcessDupThreadHandleCount": 0,
"src.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 14,
"osSrc.process.crossProcessOutOfStorylineCount": 0,
"osSrc.process.image.sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
"src.process.tgtFileCreationCount": 0,
"osSrc.process.childProcCount": 0,
"src.process.indicatorInjectionCount": 0,
"osSrc.process.indicatorReconnaissanceCount": 0,
"src.process.moduleCount": 447,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1679651246067,
"src.process.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
"src.process.indicatorReconnaissanceCount": 119,
"src.process.storyline.id": "B91AE6E7AB538ED5",
"src.process.childProcCount": 15,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 172,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 0,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "REGKEYSECURITYCHANGED",
"src.process.parent.integrityLevel": "SYSTEM",
"osSrc.process.user": "NT AUTHORITY\\NETWORK SERVICE",
"osSrc.process.image.binaryIsExecutable": true,
"osSrc.process.tgtFileModificationCount": 0,
"src.process.indicatorExploitationCount": 1,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "381AE6E7AB538ED5",
"osSrc.process.netConnInCount": 0,
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 2996,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679651207497,
"timestamp": "2023-03-24T09:46:47.497Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 0,
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 2308,
"osSrc.process.uid": "F21AE6E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679651252,
"dataSource.category": "security",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "SYSTEM",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 14,
"osSrc.process.subsystem": "SYS_WIN32",
"event.id": "01GW9G83044XT7MEFV9Z37STGM_351",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "WmiPrvSE.exe",
"src.process.indicatorEvasionCount": 2,
"src.process.netConnOutCount": 12,
"osSrc.process.startTime": 1679651059528,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 0,
"osSrc.process.image.sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679651056550,
"mgmt.id": "16964",
"osSrc.process.indicatorRansomwareCount": 0,
"osSrc.process.netConnCount": 0,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 3,
"registry.keyPath": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001",
"src.process.displayName": "Microsoft Azure\u00c2\u00ae",
"osSrc.process.dnsCount": 0,
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"osSrc.process.sessionId": 0,
"src.process.uid": "B81AE6E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "B81AE6E7AB538ED5",
"src.process.parent.uid": "371AE6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"src.process.sessionId": 0,
"src.process.netConnCount": 12,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"group.id": "B91AE6E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679651047714,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 1,
"osSrc.process.tgtFileDeletionCount": 0,
"endpoint.type": "desktop",
"osSrc.process.indicatorEvasionCount": 0,
"trace.id": "01GW9G83044XT7MEFV9Z37STGM",
"src.process.name": "WaAppAgent.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.displayName": "WMI Provider Host",
"src.process.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
"src.process.indicatorGeneralCount": 7,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "DE00CD9C6B074221B3EEF81AB421B43F",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.storyline.id": "F31AE6E7AB538ED5",
"event.type": "Registry Key Security Changed",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 676
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "registry",
"src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
"site.id": "1640744535583677559",
"registry.valueFullSize": 8,
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Services and Controller app",
"src.process.user": "NT AUTHORITY\\LOCAL SERVICE",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"registry.oldValueType": "QWORD",
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"src.process.tgtFileCreationCount": 0,
"src.process.indicatorInjectionCount": 0,
"src.process.moduleCount": 60,
"src.process.parent.name": "services.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679651725979,
"src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"src.process.indicatorReconnaissanceCount": 4,
"src.process.storyline.id": "C21AE6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"registry.oldValueFullSize": 8,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "REGVALUEMODIFIED",
"src.process.parent.integrityLevel": "SYSTEM",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "381AE6E7AB538ED5",
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679651714861,
"timestamp": "2023-03-24T09:55:14.861Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 2400,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679651731,
"dataSource.category": "security",
"src.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"event.id": "01GW9GPQS7DA4A1MEAAWC62TV0_17",
"src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
"registry.value": "0x01D95E36BB59E231",
"src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"src.process.tgtFileModificationCount": 0,
"src.process.indicatorEvasionCount": 0,
"src.process.netConnOutCount": 0,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679651056705,
"mgmt.id": "16964",
"os.name": "Windows 10 Pro",
"registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\W32Time\\Config\\LastKnownGoodTime",
"src.process.displayName": "Host Process for Windows Services",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"src.process.uid": "C11AE6E7AB538ED5",
"src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "C11AE6E7AB538ED5",
"registry.valueType": "QWORD",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "371AE6E7AB538ED5",
"src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"group.id": "C21AE6E7AB538ED5",
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679651047714,
"src.process.dnsCount": 1,
"endpoint.type": "desktop",
"trace.id": "01GW9GPQS7DA4A1MEAAWC62TV0",
"src.process.name": "svchost.exe",
"registry.oldValueIsComplete": true,
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.indicatorGeneralCount": 3,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "138ED27662FD4857B56CA60142FA1C2F",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"registry.oldValue": "0x01D95E36B1CF068C",
"event.type": "Registry Value Modified",
"src.process.indicatorPostExploitationCount": 0,
"registry.valueIsComplete": true,
"src.process.parent.pid": 676
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "scheduled_task",
"src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
"site.id": "1640744535583677559",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Windows Explorer",
"osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"osSrc.process.crossProcessOpenProcessCount": 219,
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"osSrc.process.crossProcessDupThreadHandleCount": 4,
"src.process.user": "desktop-jdoe\\john.doe",
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.crossProcessOutOfStorylineCount": 232,
"osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.tgtFileCreationCount": 0,
"osSrc.process.childProcCount": 73,
"src.process.indicatorInjectionCount": 2,
"osSrc.process.indicatorReconnaissanceCount": 15044,
"src.process.moduleCount": 397,
"src.process.parent.name": "explorer.exe",
"i.version": "preprocess-lib-1.0",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1679668709665,
"src.process.image.md5": "cdbae87d50068565cf2ed20e99246a2e",
"src.process.indicatorReconnaissanceCount": 3,
"src.process.storyline.id": "5084E6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 44431,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 53,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "SCHEDTASKREGISTER",
"src.process.parent.integrityLevel": "HIGH",
"osSrc.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.image.binaryIsExecutable": true,
"task.name": "\\Task John",
"osSrc.process.tgtFileModificationCount": 16,
"src.process.indicatorExploitationCount": 0,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "FA1CE6E7AB538ED5",
"osSrc.process.netConnInCount": 0,
"i.scheme": "edr",
"src.process.integrityLevel": "HIGH",
"osSrc.process.indicatorInjectionCount": 1,
"osSrc.process.pid": 796,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679668702878,
"timestamp": "2023-03-24T14:38:22.878Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 232,
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "4a8b68a1ad588175d018944aacca6151e2cb4e3c",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\explorer.exe",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 5228,
"osSrc.process.uid": "4D1AE6E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679668715,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\taskschd.msc\" /s",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"osSrc.process.integrityLevel": "SYSTEM",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"osSrc.process.subsystem": "SYS_WIN32",
"event.id": "01GWA0X1G6W27RX89K1YWD3SB8_10",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 9,
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
"src.process.image.path": "C:\\Windows\\System32\\mmc.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "svchost.exe",
"src.process.indicatorEvasionCount": 2,
"src.process.netConnOutCount": 0,
"osSrc.process.startTime": 1679651050062,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 86,
"osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679668633169,
"mgmt.id": "16964",
"osSrc.process.indicatorRansomwareCount": 0,
"osSrc.process.netConnCount": 86,
"os.name": "Windows 10 Pro",
"osSrc.process.indicatorGeneral.count": 1041,
"src.process.displayName": "Microsoft Management Console",
"osSrc.process.dnsCount": 28,
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 2,
"osSrc.process.sessionId": 0,
"src.process.uid": "4F84E6E7AB538ED5",
"src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "4F84E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "F91CE6E7AB538ED5",
"src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
"src.process.sessionId": 2,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"group.id": "5084E6E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679651150108,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 0,
"osSrc.process.tgtFileDeletionCount": 0,
"osSrc.process.indicatorEvasionCount": 3,
"endpoint.type": "desktop",
"trace.id": "01GWA0X1G6W27RX89K1YWD3SB8",
"src.process.name": "mmc.exe",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"osSrc.process.displayName": "Host Process for Windows Services",
"src.process.image.sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e",
"src.process.indicatorGeneralCount": 36,
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 0,
"packet.id": "47785FD0B1924C13905B7665CF4053FA",
"src.process.indicatorPersistenceCount": 1,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "desktop-jdoe\\john.doe",
"osSrc.process.storyline.id": "4E1AE6E7AB538ED5",
"event.type": "Task Register",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 5044
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "scheduled_task",
"tgt.file.modificationTime": -11644473600000,
"src.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"site.id": "1640744535583677559",
"tgt.file.location": "Local",
"osSrc.process.isRedirectCmdProcessor": false,
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Host Process for Windows Services",
"osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"osSrc.process.crossProcessOpenProcessCount": 157,
"osSrc.process.publisher": "MICROSOFT WINDOWS",
"osSrc.process.crossProcessDupThreadHandleCount": 5,
"src.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.indicatorPersistenceCount": 0,
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 0,
"osSrc.process.crossProcessOutOfStorylineCount": 172,
"osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
"src.process.activeContent.signedStatus": "signed",
"src.process.tgtFileCreationCount": 1,
"osSrc.process.childProcCount": 80,
"src.process.indicatorInjectionCount": 0,
"osSrc.process.indicatorReconnaissanceCount": 5902,
"src.process.moduleCount": 53,
"src.process.parent.name": "svchost.exe",
"i.version": "preprocess-lib-1.0",
"src.process.activeContentType": "FILE",
"osSrc.process.signedStatus": "signed",
"sca:atlantisIngestTime": 1680188502213,
"src.process.image.md5": "ef3179d498793bf4234f708d3be28633",
"src.process.indicatorReconnaissanceCount": 0,
"src.process.storyline.id": "7322E6E7AB538ED5",
"src.process.childProcCount": 0,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 0,
"osSrc.process.crossProcessThreadCreateCount": 0,
"osSrc.process.moduleCount": 38352,
"osSrc.process.indicatorPostExploitationCount": 0,
"osSrc.process.indicatorInfostealerCount": 115,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "SCHEDTASKSTART",
"src.process.parent.integrityLevel": "SYSTEM",
"osSrc.process.user": "NT AUTHORITY\\SYSTEM",
"osSrc.process.image.binaryIsExecutable": true,
"task.name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask",
"osSrc.process.tgtFileModificationCount": 59,
"src.process.indicatorExploitationCount": 0,
"osSrc.process.registryChangeCount": 0,
"src.process.parent.storyline.id": "4E1AE6E7AB538ED5",
"tgt.file.creationTime": -11644473600000,
"osSrc.process.netConnInCount": 0,
"i.scheme": "edr",
"src.process.integrityLevel": "SYSTEM",
"osSrc.process.indicatorInjectionCount": 0,
"osSrc.process.pid": 544,
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1680188461660,
"timestamp": "2023-03-30T15:01:01.660Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"osSrc.process.crossProcessCount": 172,
"endpoint.name": "desktop-jdoe",
"tgt.file.size": 71680,
"src.process.image.sha1": "dd399ae46303343f9f0da189aee11c67bd868222",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
"tgt.file.sha1": "dd399ae46303343f9f0da189aee11c67bd868222",
"osSrc.process.isNative64Bit": false,
"dataSource.vendor": "SentinelOne",
"src.process.pid": 5304,
"osSrc.process.uid": "1E91E6E7AB538ED5",
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1680188507,
"dataSource.category": "security",
"src.process.cmdline": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"osSrc.process.isStorylineRoot": true,
"src.process.parent.isRedirectCmdProcessor": false,
"tgt.file.description": "Windows host process (Rundll32)",
"osSrc.process.integrityLevel": "SYSTEM",
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 0,
"osSrc.process.subsystem": "SYS_WIN32",
"tgt.file.isExecutable": true,
"event.id": "01GWSGKVAAKE9CKCSVVN8QVWA2_7",
"osSrc.process.crossProcessDupRemoteProcessHandleCount": 10,
"osSrc.process.tgtFileCreationCount": 0,
"src.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"src.process.image.path": "C:\\Windows\\System32\\rundll32.exe",
"src.process.tgtFileModificationCount": 0,
"osSrc.process.name": "svchost.exe",
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 0,
"tgt.file.path": "C:\\Windows\\System32\\rundll32.exe",
"tgt.file.extension": "exe",
"osSrc.process.startTime": 1680169388191,
"src.process.crossProcessDupThreadHandleCount": 0,
"endpoint.os": "windows",
"osSrc.process.netConnOutCount": 99,
"osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.tgtFileDeletionCount": 0,
"src.process.startTime": 1679651234837,
"mgmt.id": "16964",
"osSrc.process.indicatorRansomwareCount": 0,
"osSrc.process.netConnCount": 99,
"os.name": "Windows 10 Pro",
"tgt.file.type": "PE",
"osSrc.process.indicatorGeneral.count": 591,
"src.process.activeContent.id": "B928E3E7AB538ED5",
"src.process.displayName": "Windows host process (Rundll32)",
"osSrc.process.dnsCount": 51,
"tgt.file.sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
"src.process.activeContent.path": "C:\\Windows\\System32\\pcasvc.dll",
"src.process.isNative64Bit": false,
"src.process.parent.sessionId": 0,
"osSrc.process.sessionId": 0,
"src.process.uid": "7222E6E7AB538ED5",
"src.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
"osSrc.process.verifiedStatus": "verified",
"osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"src.process.indicatorInfostealerCount": 0,
"src.process.indicatorBootConfigurationUpdateCount": 0,
"process.unique.key": "7222E6E7AB538ED5",
"agent.version": "22.3.2.373",
"src.process.parent.uid": "4D1AE6E7AB538ED5",
"src.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"src.process.sessionId": 0,
"src.process.netConnCount": 0,
"mgmt.osRevision": "19044",
"osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
"group.id": "7322E6E7AB538ED5",
"osSrc.process.indicatorBootConfigurationUpdateCount": 0,
"src.process.isRedirectCmdProcessor": false,
"src.process.verifiedStatus": "verified",
"src.process.parent.publisher": "MICROSOFT WINDOWS",
"src.process.parent.startTime": 1679651050062,
"osSrc.process.indicatorExploitationCount": 0,
"src.process.dnsCount": 0,
"osSrc.process.tgtFileDeletionCount": 0,
"osSrc.process.indicatorEvasionCount": 3,
"endpoint.type": "desktop",
"trace.id": "01GWSGKVAAKE9CKCSVVN8QVWA2",
"src.process.name": "rundll32.exe",
"tgt.file.md5": "ef3179d498793bf4234f708d3be28633",
"agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
"src.process.activeContent.hash": "4baee77d42bd0b2fa2660852eeac7962aa27a2f1",
"osSrc.process.displayName": "Host Process for Windows Services",
"src.process.image.sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
"src.process.indicatorGeneralCount": 3,
"tgt.file.internalName": "rundll",
"src.process.crossProcessOutOfStorylineCount": 0,
"src.process.registryChangeCount": 2,
"packet.id": "2343644B9C0D4EBFA0956CF728E11DDC",
"src.process.indicatorPersistenceCount": 0,
"src.process.parent.signedStatus": "signed",
"src.process.parent.user": "NT AUTHORITY\\SYSTEM",
"tgt.file.id": "F58AE3E7AB538ED5",
"osSrc.process.storyline.id": "1F91E6E7AB538ED5",
"event.type": "Task Start",
"task.path": "C:\\Windows\\System32\\rundll32.exe",
"src.process.indicatorPostExploitationCount": 0,
"src.process.parent.pid": 796
}
{
"src.process.parent.isStorylineRoot": true,
"event.category": "url",
"src.process.parent.image.sha1": "f2460307d8f0c264df4f101b5adaf6927d4116cf",
"site.id": "1640744535583677559",
"src.process.image.binaryIsExecutable": true,
"src.process.parent.displayName": "Userinit Logon Application",
"src.process.user": "desktop-jdoe\\john.doe",
"src.process.parent.subsystem": "SYS_WIN32",
"src.process.indicatorRansomwareCount": 0,
"src.process.crossProcessDupRemoteProcessHandleCount": 13,
"src.process.tgtFileCreationCount": 11,
"src.process.indicatorInjectionCount": 1,
"src.process.moduleCount": 1652,
"src.process.parent.name": "userinit.exe",
"i.version": "preprocess-lib-1.0",
"sca:atlantisIngestTime": 1679651786046,
"src.process.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
"src.process.indicatorReconnaissanceCount": 6,
"src.process.storyline.id": "FA1CE6E7AB538ED5",
"src.process.childProcCount": 14,
"mgmt.url": "euce1-105.sentinelone.net",
"src.process.crossProcessOpenProcessCount": 1,
"src.process.subsystem": "SYS_WIN32",
"meta.event.name": "HTTP",
"src.process.parent.integrityLevel": "HIGH",
"src.process.indicatorExploitationCount": 0,
"src.process.parent.storyline.id": "F81CE6E7AB538ED5",
"i.scheme": "edr",
"src.process.integrityLevel": "HIGH",
"url.address": "https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg",
"site.name": "Default site",
"src.process.netConnInCount": 0,
"event.time": 1679651744782,
"timestamp": "2023-03-24T09:55:44.782Z",
"account.id": "1640744534476381289",
"dataSource.name": "SentinelOne",
"endpoint.name": "desktop-jdoe",
"src.process.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
"src.process.isStorylineRoot": true,
"src.process.parent.image.path": "C:\\Windows\\System32\\userinit.exe",
"dataSource.vendor": "SentinelOne",
"src.process.pid": 5044,
"tgt.file.isSigned": "signed",
"sca:ingestTime": 1679651791,
"dataSource.category": "security",
"src.process.cmdline": "C:\\Windows\\Explorer.EXE",
"src.process.publisher": "MICROSOFT WINDOWS",
"src.process.crossProcessThreadCreateCount": 0,
"src.process.parent.isNative64Bit": false,
"src.process.parent.isRedirectCmdProcessor": false,
"src.process.signedStatus": "signed",
"src.process.crossProcessCount": 18,
"event.id": "01GW9GRJCPRADP5V80KH7RQMGX_4",
"src.process.parent.cmdline": "C:\\Windows\\system32\\userinit.exe",
"src.process.image.path": "C:\\Windows\\explorer.exe",
"src.process.tgtFileModificationCount": 114,
"src.process.indicatorEvasionCount": 1,
"src.process.netConnOutCount": 3,
"src.process.crossProcessDupThreadHandleCount": 4,
"endpoint.os": "windows",
"src.process.tgtFileDeletionCount": 5,
"src.process.startTime": 1679651150108,