
SentinelOne Cloud Funnel 2.0

Overview

SentinelOne Cloud Funnel 2.0 is the current method for collecting SentinelOne Deep Visibility data, extending the SentinelOne EDR with full visibility into endpoint telemetry. Its patented kernel-based monitoring allows near real-time searches across endpoints for indicators of compromise (IOCs), so security teams can complement real-time threat detection with threat hunting.

  • Vendor: SentinelOne
  • Supported environment: SaaS
  • Detection based on: Telemetry
  • Supported application or feature: Network intrusion detection system

SentinelOne Deep Visibility provides in-depth logs that are useful for detection and investigation.

Note

No additional installation or configuration on the agents is needed.

Warning

Alert and event logs from the SentinelOne console are not delivered through Cloud Funnel. To collect them (for example, to see who accessed the console), configure the SentinelOne log collection from the API as documented here.

Below is a short list of the activities that SentinelOne Deep Visibility logs make available for security monitoring:

  • Process Creation
  • Command Script
  • Duplicate Process Handle
  • Duplicate Thread Handle
  • Open Remote Process Handle
  • Remote Thread Creation
  • DNS Resolved
  • DNS Unresolved
  • File Creation
  • File Deletion
  • File Scan
  • File Modification
  • File Rename
  • Pre Execution Detection
  • Behavioral Indicators
  • Login
  • Logout
  • Module Load
  • Driver Load
  • IP Connect
  • IP Listen
  • Registry Key Create
  • Registry Key Delete
  • Registry Key Export
  • Registry Key Import
  • Registry Key Security Changed
  • Registry Key Rename
  • Registry Value Create
  • Registry Value Delete
  • Registry Value Modified
  • Scheduled Task Start
  • Scheduled Task Delete
  • Scheduled Task Update
  • Scheduled Task Register
  • Scheduled Task Trigger
  • URL

Configure

This setup guide shows how to pull events produced by SentinelOne Deep Visibility into Sekoia.io.

Create an AWS S3 bucket

The AWS S3 bucket used to store SentinelOne Deep Visibility telemetry can be created in any AWS region. The bucket name must follow the AWS naming rules and be globally unique.

To let SentinelOne's AWS account list and write objects in your bucket, you must grant that account the appropriate permissions. The grant requires the account's canonical ID, which is given in the SentinelOne documentation.

Once these steps are done, the bucket is ready to receive SentinelOne Deep Visibility telemetry.

Setup SentinelOne Cloud Funnel 2.0

Once the AWS S3 bucket is created, you can configure your SentinelOne instance to stream the telemetry to it. This is done in the "Settings > Integrations > Cloud Funnel" page of your SentinelOne instance.

A SentinelOne admin account with an "Account" user scope is required to perform this configuration.

Warning

If you have multiple SentinelOne Management Consoles, you must configure Cloud Funnel 2.0 for each console.

Create a SentinelOne Cloud Funnel 2.0 intake

In the Sekoia.io Operations Center:

  1. Click on the Intake page
  2. Search for SentinelOne Cloud Funnel 2.0 by navigating the page or using the search bar
  3. Click Create on the relevant object
  4. Specify the Name under which the intake will be displayed and select the required Entity

Pull events

To start pulling events, follow these steps:

  1. Go to the playbook page
  2. Create a new playbook with the AWS Fetch new logs on S3 connector
  3. Set up the module configuration with the AWS Access Key, the secret key and the region name
  4. Set up the trigger configuration with the name of the SQS queue and the intake key (from the intake previously created)
  5. Start the playbook and enjoy your events

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
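As an added example (not Sekoia.io's or SentinelOne's code), the Python parser below takes raw Cloud Funnel 2.0 events in the flat dotted-key layout of the samples that follow, nests the keys, decodes the `type:  N name;` convention of `event.dns.request` / `event.dns.response` into a query, CNAME chain and resolved IPs, and treats the `-11644473600000` file timestamps (the Windows FILETIME epoch, 1601-01-01, in Unix milliseconds) as unset. The embedded NDJSON input is constructed from trimmed copies of three of those samples; the field selection in `normalize` is an assumption about what an analyst wants, not a Sekoia.io parsing stage.

```python
"""Parse SentinelOne Deep Visibility events as delivered by Cloud Funnel 2.0.

Added example, not Sekoia.io's or SentinelOne's own code. It assumes the flat
dotted-key JSON layout of the raw samples on this page and the "type:  N name;"
convention seen in event.dns.request / event.dns.response.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01T00:00:00Z) in Unix milliseconds. The samples
# carry it in tgt.file.creationTime / modificationTime when the agent has no real
# value, so a parser must read it as "unset" rather than as a 17th-century date.
FILETIME_EPOCH_MS = -11644473600000

# DNS record types seen in the samples (5 = CNAME, 28 = AAAA), plus A.
RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}
_TYPED_RR = re.compile(r"^type:\s*(\d+)\s+(\S+)$")

# Constructed NDJSON input: trimmed copies of three of the sample events on this page.
SAMPLE_NDJSON = r"""
{"event.category": "command_script", "event.type": "Command Script", "timestamp": "2024-08-02T08:43:41.803Z", "endpoint.name": "ntrsql15", "src.process.name": "powershell.EXE", "src.process.cmdline": "powershell  -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ", "tgt.file.path": "C:\\zabbix\\scripts\\sb.mssql.ps1", "tgt.file.creationTime": -11644473600000, "cmdScript.content": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }"}
{"event.category": "dns", "event.type": "DNS Resolved", "timestamp": "2023-03-21T12:38:58.819Z", "endpoint.name": "desktop-jdoe", "src.process.name": "backgroundTaskHost.exe", "event.dns.request": "arc.msn.com", "event.dns.response": "type:  5 arc.trafficmanager.net;type:  5 iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com;20.82.209.183;"}
{"event.category": "dns", "event.type": "DNS Resolved", "timestamp": "2024-06-26T08:44:30.000Z", "endpoint.name": "MXY2XC6J7VJ", "src.process.name": "Google Chrome Helper", "event.dns.request": "type:  28 gew4-spclient.spotify.com", "event.dns.response": "type:  5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;"}
"""


def unflatten(event: dict) -> dict:
    """Turn dotted keys ("src.process.parent.pid") into nested dicts."""
    nested: dict = {}
    for key, value in event.items():
        node = nested
        parts = key.split(".")
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                # a scalar already sits at this prefix: keep it under "" so nothing is lost
                child = node[part] = {} if child is None else {"": child}
            node = child
        if isinstance(node.get(parts[-1]), dict):
            node[parts[-1]][""] = value  # leaf name is also a prefix of other keys
        else:
            node[parts[-1]] = value
    return nested


def parse_dns_field(text: str) -> list:
    """Split a Deep Visibility DNS field into {"rrtype", "data"} records.

    "type:  5 a.example;203.0.113.5;" -> CNAME a.example, then A 203.0.113.5.
    A bare name without a "type:" prefix (event.dns.request "arc.msn.com") is
    kept with rrtype None, since the agent did not report the query type.
    """
    records = []
    for chunk in (c.strip() for c in text.split(";")):
        if not chunk:
            continue
        match = _TYPED_RR.match(chunk)
        if match:
            num = int(match.group(1))
            records.append({"rrtype": RR_TYPES.get(num, f"TYPE{num}"), "data": match.group(2)})
            continue
        try:  # untyped chunks in a response are the resolved addresses
            addr = ipaddress.ip_address(chunk)
            records.append({"rrtype": "A" if addr.version == 4 else "AAAA", "data": str(addr)})
        except ValueError:
            records.append({"rrtype": None, "data": chunk})
    return records


def normalize_time(value):
    """Epoch milliseconds -> aware UTC datetime; the FILETIME sentinel becomes None."""
    if value is None or value == FILETIME_EPOCH_MS:
        return None
    return datetime.fromtimestamp(value // 1000, tz=timezone.utc) + timedelta(milliseconds=value % 1000)


def normalize(raw_line: str) -> dict:
    """Reduce one raw event to the fields an analyst pivots on (assumed selection)."""
    ev = unflatten(json.loads(raw_line))
    src = ev.get("src", {}).get("process", {})
    out = {
        "category": ev["event"]["category"],
        "type": ev["event"]["type"],
        "time": ev["timestamp"],
        "host": ev["endpoint"]["name"],
        "process": src.get("name"),
        "cmdline": src.get("cmdline"),
    }
    if out["category"] == "dns":
        dns = ev["event"].get("dns", {})
        query = parse_dns_field(dns.get("request", ""))
        answers = parse_dns_field(dns.get("response", ""))
        out["query"] = query[0]["data"] if query else None
        out["qtype"] = query[0]["rrtype"] if query else None
        out["cnames"] = [r["data"] for r in answers if r["rrtype"] == "CNAME"]
        out["ips"] = [r["data"] for r in answers if r["rrtype"] in ("A", "AAAA")]
    elif out["category"] == "command_script":
        tgt = ev.get("tgt", {}).get("file", {})
        out["script_path"] = tgt.get("path")
        out["script_created"] = normalize_time(tgt.get("creationTime"))
        out["script_content"] = ev.get("cmdScript", {}).get("content")
    return out


def normalize_ndjson(text: str) -> list:
    """Parse one raw event per line, skipping blank lines."""
    return [normalize(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for event in normalize_ndjson(SAMPLE_NDJSON):
        print(json.dumps(event, default=str, indent=2))
```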

{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "command_script",
    "tgt.file.modificationTime": -11644473600000,
    "osSrc.process.parent.sessionId": 0,
    "src.process.parent.image.sha1": "9b77e09375790ea1ea0a9ca9fc1d69e8e32fe597",
    "site.id": "1640744535583677559",
    "tgt.file.location": "Local",
    "src.process.parent.displayName": "Host Process for Windows Tasks",
    "src.process.image.binaryIsExecutable": true,
    "osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "osSrc.process.parent.name": "svchost.exe",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "osSrc.process.parent.startTime": 1680169387386,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 272,
    "src.process.parent.name": "taskhostw.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1680184001306,
    "src.process.image.md5": "e610d62f73d68a280d364d1ccd6fea30",
    "src.process.indicatorReconnaissanceCount": 5,
    "src.process.storyline.id": "3ED9E6E7AB538ED5",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "cmdScript.isComplete": true,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "SCRIPTS",
    "src.process.parent.integrityLevel": "HIGH",
    "osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "3ED9E6E7AB538ED5",
    "tgt.file.creationTime": -11644473600000,
    "src.process.integrityLevel": "HIGH",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680183967040,
    "osSrc.process.parent.isStorylineRoot": true,
    "timestamp": "2023-03-30T13:46:07.040Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 2593,
    "src.process.image.sha1": "9b1d2f446cdb7d412775dffe05ebf35db5f12ccd",
    "src.process.isStorylineRoot": false,
    "cmdScript.applicationName": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1",
    "src.process.parent.image.path": "C:\\Windows\\System32\\taskhostw.exe",
    "tgt.file.sha1": "6f8e508526af2f5a9ab618ebb26b140e8b2811b4",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 7488,
    "osSrc.process.parent.integrityLevel": "SYSTEM",
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "C:\\Windows\\System32\\sdiagnhost.exe -Embedding",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "sca:ingestTime": 1680184006,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "osSrc.process.parent.signedStatus": "signed",
    "tgt.file.isExecutable": false,
    "event.id": "01GWSCAFNK8CGJZYXP5JNDA8VW_166",
    "src.process.parent.cmdline": "taskhostw.exe",
    "osSrc.process.parent.displayName": "Host Process for Windows Services",
    "cmdScript.content": "{(Format-DiskSpaceMB $_.Space) + \"MB\"}",
    "src.process.image.path": "C:\\Windows\\System32\\sdiagnhost.exe",
    "src.process.tgtFileModificationCount": 2,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1",
    "cmdScript.sha256": "6f7db8ffe9379313fda22bcf6b6888ca8405dbab4a6ee58504b2bb34cda3def6",
    "tgt.file.extension": "ps1",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1680183962201,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "tgt.file.type": "UNKNOWN",
    "osSrc.process.parent.isNative64Bit": false,
    "src.process.displayName": "Scripted Diagnostics Native Host",
    "tgt.file.sha256": "00915c9baba87359a458d23e18f412647852a3260280a0d64af5e91307c01bce",
    "src.process.parent.sessionId": 2,
    "src.process.isNative64Bit": false,
    "src.process.uid": "64D9E6E7AB538ED5",
    "src.process.parent.image.md5": "a00bf82660835224cd6606a248321c5d",
    "osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.parent.isRedirectCmdProcessor": false,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "64D9E6E7AB538ED5",
    "cmdScript.originalSize": 76,
    "osSrc.process.parent.storyline.id": "0F91E6E7AB538ED5",
    "osSrc.process.parent.pid": 832,
    "src.process.parent.uid": "3DD9E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "e63709209d09bc0247e785f075ddb28a98c348206109e2b8ba321ad958402728",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "3ED9E6E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1680183961002,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GWSCAFNK8CGJZYXP5JNDA8VW",
    "src.process.name": "sdiagnhost.exe",
    "tgt.file.md5": "6f42efe37f2f73bc4d5531a5906844c5",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.image.sha256": "e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4",
    "osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "src.process.indicatorGeneralCount": 4,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "7F72001C135D479586722BA2913C81E1",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "tgt.file.id": "59D9E6E7AB538ED5",
    "osSrc.process.parent.uid": "0E91E6E7AB538ED5",
    "event.type": "Command Script",
    "task.path": "C:\\Windows\\Temp\\SDIAG_a0e33bf6-3533-4a09-9528-c8c20ec69f57\\TS_DiagnosticHistory.ps1",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 6276
}
{
    "src.process.parent.isStorylineRoot": false,
    "event.category": "command_script",
    "tgt.file.modificationTime": -11644473600000,
    "src.process.parent.image.sha1": "99ae9c73e9bee6f9c76d6f4093a9882df06832cf",
    "site.id": "1470095163515336467",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Windows Command Processor",
    "src.process.user": "AUTORITE NT\\Syst\u00e8me",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 7,
    "src.process.activeContent.signedStatus": "unsigned",
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 1800,
    "i.version": "preprocess-lib-1.0",
    "src.process.parent.name": "cmd.exe",
    "src.process.activeContentType": "FILE",
    "src.process.parent.activeContent.id": "3EFA3EFA3EFA3EFA",
    "src.process.image.md5": "097ce5761c89434367598b34fe32893b",
    "src.process.storyline.id": "7FABCCD60C10799B",
    "src.process.indicatorReconnaissanceCount": 69,
    "src.process.childProcCount": 6,
    "mgmt.url": "euce1-sns-mssp.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "cmdScript.isComplete": true,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "SCRIPTS",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "7FABCCD60C10799B",
    "tgt.file.creationTime": -11644473600000,
    "src.process.integrityLevel": "SYSTEM",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1722588221803,
    "timestamp": "2024-08-02T08:43:41.803Z",
    "account.id": "1470095162995242762",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "ntrsql15",
    "src.process.image.sha1": "044a0cf1f6bc478a7172bf207eef1e201a18ba02",
    "tgt.file.size": 50105,
    "cmdScript.applicationName": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.14393.0",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\Windows\\System32\\cmd.exe",
    "tgt.file.sha1": "4b09001438b32e54b91cbe27685c75a316f8cdf5",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 3744,
    "src.process.parent.activeContent.hash": "1b11fdf894b9a205b690add505ff5f2193c1fe48",
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "powershell  -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01 ",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.activeContentType": "CLI",
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.parent.activeContent.path": "\\\\Unknown device\\Unknown file",
    "src.process.crossProcessCount": 7,
    "src.process.signedStatus": "signed",
    "tgt.file.isExecutable": false,
    "event.id": "01J4945B0JAAYZXWF8ZG4A0VMZ_638",
    "src.process.parent.cmdline": "cmd /C \"powershell -executionpolicy bypass -file \"c:\\zabbix\\scripts\\sb.mssql.ps1\" poller RUIWS01  \"",
    "cmdScript.content": "{ updateInfo_Serveurs -instance_name $instance -datas_res $res_infos }",
    "src.process.image.path": "C:\\Windows\\System32\\WINDOWSPOWERSHELL\\V1.0\\powershell.EXE",
    "src.process.tgtFileModificationCount": 21,
    "src.process.indicatorEvasionCount": 101,
    "src.process.netConnOutCount": 0,
    "cmdScript.sha256": "b285d770802aac13330fd7d2a0ade3c9a7adf575d160a81dfc30614c7a89e775",
    "tgt.file.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
    "tgt.file.extension": "ps1",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1722588220577,
    "mgmt.id": "16205",
    "os.name": "Windows Server 2016 Standard",
    "tgt.file.type": "UNKNOWN",
    "src.process.activeContent.id": "B76839D30C10799B",
    "src.process.displayName": "Windows PowerShell",
    "src.process.activeContent.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "07AED4D60C10799B",
    "src.process.parent.image.md5": "f4f684066175b77e0c3a000549d2922c",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "07AED4D60C10799B",
    "cmdScript.originalSize": 140,
    "agent.version": "23.4.4.223",
    "src.process.parent.uid": "05AED4D60C10799B",
    "src.process.parent.image.sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "14393",
    "group.id": "7FABCCD60C10799B",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1722588220333,
    "src.process.dnsCount": 0,
    "endpoint.type": "server",
    "trace.id": "01J4945B0JAAYZXWF8ZG4A0VMZ",
    "src.process.name": "powershell.EXE",
    "agent.uuid": "f373bf5f3c5541a49aad49c5d39deac8",
    "src.process.activeContent.hash": "4b09001438b32e54b91cbe27685c75a316f8cdf5",
    "src.process.image.sha256": "ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436",
    "src.process.indicatorGeneralCount": 161,
    "src.process.crossProcessOutOfStorylineCount": 1,
    "packet.id": "C6BB63A4EEC044B7BFEDC8B39D2594AD",
    "src.process.registryChangeCount": 0,
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "AUTORITE NT\\Syst\u00e8me",
    "tgt.file.id": "B76839D30C10799B",
    "account.name": "S - SOCRAM BANQUE",
    "event.type": "Command Script",
    "task.path": "C:\\zabbix\\scripts\\sb.mssql.ps1",
    "src.process.indicatorPostExploitationCount": 8,
    "src.process.parent.activeContent.signedStatus": "unsigned",
    "src.process.parent.pid": 3776
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "dns",
    "osSrc.process.parent.sessionId": 0,
    "src.process.parent.image.sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.parent.displayName": "Shell Infrastructure Host",
    "src.process.image.binaryIsExecutable": true,
    "osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "osSrc.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.parent.name": "svchost.exe",
    "osSrc.process.crossProcessDupThreadHandleCount": 0,
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "osSrc.process.parent.startTime": 1679394829780,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.crossProcessOutOfStorylineCount": 0,
    "osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.tgtFileCreationCount": 0,
    "osSrc.process.childProcCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "osSrc.process.indicatorReconnaissanceCount": 13,
    "src.process.moduleCount": 183,
    "src.process.parent.name": "sihost.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1679402348269,
    "src.process.image.md5": "da7063b17dbb8bbb3015351016868006",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "6EB4E5E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 215,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "DNS",
    "src.process.parent.integrityLevel": "HIGH",
    "osSrc.process.user": "NT AUTHORITY\\NETWORK SERVICE",
    "osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "osSrc.process.image.binaryIsExecutable": true,
    "osSrc.process.tgtFileModificationCount": 0,
    "osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorExploitationCount": 0,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "BE98E5E7AB538ED5",
    "osSrc.process.netConnInCount": 0,
    "i.scheme": "edr",
    "src.process.integrityLevel": "LOW",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 1560,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679402338819,
    "event.dns.response": "type:  5 arc.trafficmanager.net;type:  5 iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com;20.82.209.183;",
    "osSrc.process.parent.isStorylineRoot": true,
    "timestamp": "2023-03-21T12:38:58.819Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 0,
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\sihost.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 3844,
    "osSrc.process.parent.integrityLevel": "SYSTEM",
    "osSrc.process.uid": "AB96E5E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679402353,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "SYSTEM",
    "osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "osSrc.process.subsystem": "SYS_WIN32",
    "osSrc.process.parent.signedStatus": "signed",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
    "event.id": "01GW22WAJV99Z1NW9K3F6QFVZW_89",
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "sihost.exe",
    "osSrc.process.parent.displayName": "Host Process for Windows Services",
    "src.process.image.path": "C:\\Windows\\System32\\backgroundTaskHost.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "svchost.exe",
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 2,
    "osSrc.process.startTime": 1679394831656,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 5,
    "osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679402333356,
    "osSrc.process.indicatorRansomwareCount": 0,
    "mgmt.id": "16964",
    "osSrc.process.netConnCount": 5,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 7,
    "osSrc.process.parent.isNative64Bit": false,
    "src.process.displayName": "Background Task Host",
    "osSrc.process.dnsCount": 5,
    "event.dns.request": "arc.msn.com",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 2,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "6DB4E5E7AB538ED5",
    "src.process.parent.image.md5": "a21e7719d73d0322e2e7d61802cb8f80",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p",
    "osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.parent.isRedirectCmdProcessor": false,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "6DB4E5E7AB538ED5",
    "osSrc.process.parent.storyline.id": "5696E5E7AB538ED5",
    "osSrc.process.parent.pid": 852,
    "src.process.parent.uid": "BD98E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 2,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "group.id": "6EB4E5E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1679394873882,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 2,
    "osSrc.process.tgtFileDeletionCount": 0,
    "osSrc.process.indicatorEvasionCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GW22WAJV99Z1NW9K3F6QFVZW",
    "src.process.name": "backgroundTaskHost.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "osSrc.process.displayName": "Host Process for Windows Services",
    "src.process.image.sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50",
    "osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "src.process.indicatorGeneralCount": 5,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "75E7BCB69CB14C3DA5B6290CF70ECE02",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "osSrc.process.parent.uid": "5596E5E7AB538ED5",
    "osSrc.process.storyline.id": "AC96E5E7AB538ED5",
    "event.type": "DNS Resolved",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 4164
}
{
    "src.process.image.path": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper",
    "src.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.parent.isStorylineRoot": true,
    "event.category": "dns",
    "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.parent.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
    "src.process.parent.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.publisher": "<Type=DevID/ID=com.google.Chrome/Subject=OU:DESKTOP001>",
    "src.process.parent.startTime": 1713167784335,
    "endpoint.type": "laptop",
    "endpoint.os": "osx",
    "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.parent.displayName": "Google Chrome",
    "src.process.name": "Google Chrome Helper",
    "src.process.startTime": 1713167795818,
    "agent.uuid": "75084C59-0F8A-479D-A9C4-2232C37D9D51",
    "event.dns.response": "type:  5 edge-web-gew4.dual-gslb.spotify.com;2600:1901:1:4be::;",
    "src.process.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
    "src.process.user": "jdoe",
    "timestamp": "2024-06-26T08:44:30.000Z",
    "src.process.displayName": "Google Chrome Helper",
    "endpoint.name": "MXY2XC6J7VJ",
    "src.process.image.sha1": "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc",
    "event.dns.request": "type:  28 gew4-spclient.spotify.com",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "CF37475F-BCA9-4F89-8A31-7B6C88CC6F1E",
    "src.process.parent.image.md5": "68b329da9893e34099c7d8ad5cb9c940",
    "src.process.parent.user": "psinha",
    "src.process.pid": 1063,
    "src.process.parent.name": "Google Chrome",
    "src.process.cmdline": "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.123/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=network --shared-files --field-trial-handle=1718379636,r,10310964397040083203,6939088771020272477,262144 --variations-seed-version=20240412-130119.249000 --seatbelt-client=25",
    "src.process.publisher": "<Type=DevID/ID=com.google.Chrome.helper/Subject=OU:DESKTOP001>",
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.image.md5": "68b329da9893e34099c7d8ad5cb9c940",
    "src.process.storyline.id": "0A62D926-DFE7-4968-AA28-F0024BAC804D",
    "event.type": "DNS Resolved",
    "agent.version": "24.1.2.7444",
    "src.process.signedStatus": "signed",
    "src.process.parent.image.sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
    "src.process.parent.cmdline": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    "src.process.sessionId": 0,
    "src.process.parent.pid": 790
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "driver",
    "tgt.file.modificationTime": -11644473600000,
    "src.process.parent.image.sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91",
    "site.id": "1640744535583677559",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "NT Kernel & System",
    "src.process.user": "SYSTEM",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 0,
    "src.process.parent.name": "ntoskrnl.exe",
    "i.version": "preprocess-lib-1.0",
    "driver.startType": 7,
    "sca:atlantisIngestTime": 1680604015448,
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "4735E7E7AB538ED5",
    "src.process.childProcCount": 2,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "DRIVERLOAD",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "4735E7E7AB538ED5",
    "driver.peSha1": "2b4e0fc4fb2d2cbf0cc2e86c52e3d6f568c8ad75",
    "tgt.file.creationTime": -11644473600000,
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680603997497,
    "timestamp": "2023-04-04T10:26:37.497Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 47104,
    "src.process.image.sha1": "f00f4ab908ec90b3a6a5939d340df144046b6e91",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\ntoskrnl.exe",
    "tgt.file.sha1": "3f558347c2750e2a7e512e32870f04d917b936b7",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 4,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1680604021,
    "dataSource.category": "security",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "tgt.file.description": "Indirect displays kernel-mode filter driver",
    "driver.certificate.thumbprintAlgorithm": 1704979472,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "tgt.file.isExecutable": false,
    "event.id": "01GX5WW9NEJCT67Y7FV3YKQGAC_104",
    "src.process.image.path": "C:\\Windows\\System32\\ntoskrnl.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
    "tgt.file.extension": "sys",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1680601639956,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "tgt.file.type": "UNKNOWN",
    "src.process.displayName": "NT Kernel & System",
    "tgt.file.sha256": "2f4fe50c3abb7a37e0adb4429f18b8067ede0608bc4539bac626c2c6d75844b7",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "4635E7E7AB538ED5",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "4635E7E7AB538ED5",
    "driver.peSha256": "415e3a47fe8655f49e152197e63b3509a816fa584d7b9c6539f1493d6bf779ce",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "4635E7E7AB538ED5",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "driver.isLoadedBeforeMonitor": false,
    "group.id": "4735E7E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1680601639956,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GX5WW9NEJCT67Y7FV3YKQGAC",
    "src.process.name": "ntoskrnl.exe",
    "tgt.file.md5": "9b943585ef2a4917e1bc2186045e4b64",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.indicatorGeneralCount": 0,
    "tgt.file.internalName": "IndirectKmd.sys",
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "1E58F722484E4850B02469C4B6DDEBF3",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "SYSTEM",
    "tgt.file.id": "5382E3E7AB538ED5",
    "driver.loadVerdict": "BENIGN",
    "event.type": "Driver Load",
    "task.path": "C:\\Windows\\System32\\drivers\\IndirectKmd.sys",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 4
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "file",
    "tgt.file.modificationTime": 1679329231269,
    "src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
    "site.id": "1640744535583677559",
    "tgt.file.location": "Local",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Windows Explorer",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 2,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 34,
    "src.process.parent.name": "explorer.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679329289765,
    "src.process.image.md5": "8a2122e8162dbef04694b9c3e0b6cdee",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "DA84E5E7AB538ED5",
    "src.process.childProcCount": 2,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "FILECREATION",
    "src.process.parent.integrityLevel": "HIGH",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "0447E5E7AB538ED5",
    "tgt.file.creationTime": 1679329231269,
    "i.scheme": "edr",
    "src.process.integrityLevel": "HIGH",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679329231269,
    "timestamp": "2023-03-20T16:20:31.269Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 0,
    "src.process.image.sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\explorer.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 7620,
    "sca:ingestTime": 1679329295,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Windows\\system32\\cmd.exe\"",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "tgt.file.isExecutable": false,
    "event.id": "01GVZX6RZEB3094AVABXWGMYP4_0",
    "src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
    "src.process.image.path": "C:\\Windows\\System32\\cmd.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 2,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679328877107,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "tgt.file.type": "UNKNOWN",
    "src.process.displayName": "Windows Command Processor",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 2,
    "src.process.uid": "D984E5E7AB538ED5",
    "src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "D984E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "0347E5E7AB538ED5",
    "src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "DA84E5E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679328586417,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GVZX6RZEB3094AVABXWGMYP4",
    "src.process.name": "cmd.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
    "src.process.indicatorGeneralCount": 12,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "E0C3EB49976C4B329FC386C214376CA6",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "tgt.file.id": "2E85E5E7AB538ED5",
    "event.type": "File Creation",
    "task.path": "C:\\Users\\john.doe\\Desktop\\TEST FILE ARY_2",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 2280
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "file",
    "tgt.file.modificationTime": 1680183665718,
    "src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
    "site.id": "1640744535583677559",
    "tgt.file.location": "Local",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.parent.displayName": "Windows Explorer",
    "src.process.image.binaryIsExecutable": true,
    "osSrc.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
    "osSrc.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.publisher": "MICROSOFT CORPORATION",
    "osSrc.process.crossProcessDupThreadHandleCount": 0,
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 587,
    "osSrc.process.crossProcessOutOfStorylineCount": 0,
    "osSrc.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
    "src.process.activeContent.signedStatus": "unsigned",
    "src.process.tgtFileCreationCount": 235,
    "osSrc.process.childProcCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "osSrc.process.indicatorReconnaissanceCount": 0,
    "src.process.moduleCount": 755,
    "src.process.parent.name": "explorer.exe",
    "i.version": "preprocess-lib-1.0",
    "src.process.activeContentType": "FILE",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1680203775822,
    "src.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
    "src.process.indicatorReconnaissanceCount": 1,
    "src.process.storyline.id": "14C2E6E7AB538ED5",
    "src.process.childProcCount": 25,
    "osSrc.process.activeContentType": "FILE",
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 89,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "FILEDELETION",
    "src.process.parent.integrityLevel": "HIGH",
    "osSrc.process.user": "desktop-jdoe\\john.doe",
    "osSrc.process.image.binaryIsExecutable": true,
    "osSrc.process.tgtFileModificationCount": 2,
    "src.process.indicatorExploitationCount": 1,
    "osSrc.process.registryChangeCount": 1,
    "src.process.parent.storyline.id": "96BFE6E7AB538ED5",
    "tgt.file.creationTime": 1680183598071,
    "osSrc.process.netConnInCount": 0,
    "src.process.integrityLevel": "HIGH",
    "i.scheme": "edr",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 6348,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680203773098,
    "timestamp": "2023-03-30T19:16:13.098Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 0,
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 1385914,
    "src.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\explorer.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 6384,
    "osSrc.process.uid": "9AC2E6E7AB538ED5",
    "src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
    "src.process.publisher": "MICROSOFT CORPORATION",
    "sca:ingestTime": 1680203781,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "LOW",
    "src.process.crossProcessCount": 606,
    "src.process.signedStatus": "signed",
    "osSrc.process.subsystem": "SYS_WIN32",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
    "tgt.file.isExecutable": false,
    "event.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3_29",
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
    "src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "src.process.tgtFileModificationCount": 246,
    "osSrc.process.name": "msedge.exe",
    "src.process.indicatorEvasionCount": 19,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp",
    "osSrc.process.startTime": 1680183591983,
    "tgt.file.extension": "tmp",
    "src.process.crossProcessDupThreadHandleCount": 19,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 0,
    "osSrc.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
    "src.process.tgtFileDeletionCount": 60,
    "src.process.startTime": 1680183585577,
    "osSrc.process.indicatorRansomwareCount": 0,
    "mgmt.id": "16964",
    "osSrc.process.netConnCount": 0,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 6,
    "tgt.file.type": "UNKNOWN",
    "src.process.displayName": "Microsoft Edge",
    "osSrc.process.dnsCount": 0,
    "src.process.parent.sessionId": 2,
    "src.process.isNative64Bit": false,
    "osSrc.process.sessionId": 2,
    "src.process.uid": "13C2E6E7AB538ED5",
    "src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --instant-process --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --time-ticks-at-unix-epoch=-1680169371680820 --launch-time-ticks=14220180564 --mojo-platform-channel-handle=4512 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:1",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "13C2E6E7AB538ED5",
    "src.process.parent.uid": "95BFE6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "group.id": "14C2E6E7AB538ED5",
    "osSrc.process.activeContent.signedStatus": "unsigned",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1680183557249,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 0,
    "osSrc.process.indicatorEvasionCount": 1,
    "osSrc.process.tgtFileDeletionCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3",
    "src.process.name": "msedge.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.displayName": "Microsoft Edge",
    "src.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
    "src.process.indicatorGeneralCount": 168,
    "src.process.crossProcessOutOfStorylineCount": 11,
    "src.process.registryChangeCount": 35,
    "packet.id": "6E623DBE96C14642980FE486FCC335F2",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "tgt.file.id": "00C3E6E7AB538ED5",
    "osSrc.process.storyline.id": "14C2E6E7AB538ED5",
    "event.type": "File Deletion",
    "task.path": "C:\\Users\\john.doe\\AppData\\Local\\Temp\\4a453731-9113-4bb7-ac7f-e092dbe67a41.tmp",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 4492
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "file",
    "tgt.file.modificationTime": -11644473600000,
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "tgt.file.location": "Local",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Services and Controller app",
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 5,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 288,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679577677249,
    "src.process.image.md5": "88cbcd6927355b5dccd9827aeb1e6dbd",
    "src.process.indicatorReconnaissanceCount": 7,
    "src.process.storyline.id": "85D1E5E7AB538ED5",
    "src.process.childProcCount": 5,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "FILERENAME",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "D7D0E5E7AB538ED5",
    "tgt.file.creationTime": -11644473600000,
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679577675272,
    "timestamp": "2023-03-23T13:21:15.272Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 2048,
    "src.process.image.sha1": "c6ef4c5e8090a4913fbfd8372c9df08450fe8005",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 2484,
    "sca:ingestTime": 1679577682,
    "dataSource.category": "security",
    "src.process.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 5,
    "tgt.file.isExecutable": false,
    "event.id": "01GW7A2YG38DG8CTD6M5WV2DZH_68",
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WindowsAzureGuestAgent.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 19,
    "tgt.file.path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json",
    "tgt.file.extension": "json",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679577547094,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "tgt.file.type": "UNKNOWN",
    "src.process.displayName": "WindowsAzureGuestAgent",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "84D1E5E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "84D1E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "D6D0E5E7AB538ED5",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 19,
    "mgmt.osRevision": "19044",
    "group.id": "85D1E5E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679577539634,
    "src.process.dnsCount": 0,
    "tgt.file.oldPath": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus.json",
    "endpoint.type": "desktop",
    "trace.id": "01GW7A2YG38DG8CTD6M5WV2DZH",
    "src.process.name": "WindowsAzureGuestAgent.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "4779d3eecbc47b0a389187ef411c727920a5898c9c0785e33aabf7338c994364",
    "src.process.indicatorGeneralCount": 6,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "AABF3FC035554DC3A72C57304DE3131B",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "tgt.file.id": "F7D2E5E7AB538ED5",
    "event.type": "File Rename",
    "task.path": "C:\\WindowsAzure\\Logs\\AggregateStatus\\aggregatestatus_20230323132115270.json",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 676
}
{
    "src.process.parent.isStorylineRoot": false,
    "event.category": "file",
    "src.process.parent.image.sha1": "0000000",
    "site.id": "00000000",
    "tgt.file.location": "Local",
    "src.process.parent.displayName": "pparent",
    "src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 1,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 0,
    "i.version": "preprocess-lib-1.0",
    "src.process.parent.name": "pname",
    "src.process.storyline.id": "00000-0000-0000-0000000",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.childProcCount": 0,
    "aaaa.url": "redacted.sentinelone.net",
    "src.process.parent.eUserName": "aaaaaaaa",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.eUserName": "aaaaaaaa",
    "src.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "meta.event.name": "FILERENAME",
    "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "0000000-0000-0000-00000000",
    "tgt.file.creationTime": 1722852662250,
    "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "i.scheme": "edr",
    "site.name": "sitename",
    "src.process.netConnInCount": 0,
    "event.time": 1722853381979,
    "timestamp": "2024-08-05T10:23:01.979Z",
    "account.id": "00000000000",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "aaaaaaaaa",
    "src.process.image.sha1": "aaaaaaaaaaaaaa",
    "tgt.file.size": 750,
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "/bin/pparent",
    "src.process.lUserName": "aaaaaaaa",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 31304,
    "tgt.file.isSigned": "unsigned",
    "src.process.cmdline": " /usr/cmd -",
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.parent.rUserUid": 1111,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "unsigned",
    "event.id": "01J4H129Q4744MK0FX0CNXASK1_414",
    "src.process.image.path": "/usr/path",
    "src.process.tgtFileModificationCount": 2,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "/new/new/file/path/path",
    "src.process.eUserUid": 1111,
    "src.process.lUserUid": 1111,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "linux",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1722853381100,
    "mgmt.id": "00000",
    "os.name": "Linux",
    "tgt.file.type": "UNKNOWN",
    "src.process.displayName": "aaaaaaaaa",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.rUserUid": 1111,
    "src.process.uid": "000000000-0000-0000-00000000000",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "000000000-0000-0000-000000000",
    "src.process.parent.eUserUid": 112,
    "agent.version": "1",
    "src.process.parent.uid": "000000000-0000-0000-0000000000000000",
    "src.process.parent.rUserName": "aaaaaaaaa",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "Debian",
    "group.id": "000000000-0000-0000-00000000",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.startTime": 1722853381090,
    "src.process.dnsCount": 0,
    "endpoint.type": "server",
    "tgt.file.oldPath": "/old/path/name/tmp.aaaa",
    "trace.id": "00000000000",
    "src.process.rUserName": "aaaaaaaaa",
    "src.process.name": "aaaaa",
    "agent.uuid": "00000-0000-0000-000000",
    "src.process.parent.lUserName": "aaaaaaaa",
    "src.process.indicatorGeneralCount": 0,
    "src.process.parent.lUserUid": 1111,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "packet.id": "000000-0000-0000-000000000000",
    "src.process.registryChangeCount": 0,
    "src.process.indicatorPersistenceCount": 3,
    "src.process.parent.signedStatus": "unsigned",
    "tgt.file.id": "00000-0000-0000-0000000000",
    "account.name": "account_name",
    "event.type": "File Rename",
    "task.path": "/var/aaa/aaa/aaaa/aaaa",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 111111
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "group",
    "src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "Windows Explorer",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.activeContent.signedStatus": "unsigned",
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 66,
    "src.process.parent.name": "explorer.exe",
    "i.version": "preprocess-lib-1.0",
    "src.process.activeContentType": "FILE",
    "sca:atlantisIngestTime": 1680190602792,
    "src.process.image.md5": "999a30979f6195bf562068639ffc4426",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "8EE6E6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "GROUPCREATION",
    "src.process.parent.integrityLevel": "HIGH",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "96BFE6E7AB538ED5",
    "src.process.integrityLevel": "HIGH",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680190543346,
    "timestamp": "2023-03-30T15:35:43.346Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "d4f2663aabc03478975382b3c69f24b3c6bd2aa9",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\explorer.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 7400,
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "\"regedit.exe\" \"C:\\Users\\john.doe\\Desktop\\test.reg\"",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "sca:ingestTime": 1680190608,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "event.id": "01GWSJKYK06EX50CNYW0M34QBF_18",
    "src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
    "src.process.image.path": "C:\\Windows\\regedit.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1680190543341,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.activeContent.id": "72E6E6E7AB538ED5",
    "src.process.displayName": "Registry Editor",
    "src.process.activeContent.path": "C:\\Users\\john.doe\\Desktop\\test.reg",
    "src.process.parent.sessionId": 2,
    "src.process.isNative64Bit": false,
    "src.process.uid": "8DE6E6E7AB538ED5",
    "src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "8DE6E6E7AB538ED5",
    "src.process.parent.uid": "95BFE6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "8EE6E6E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1680183557249,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GWSJKYK06EX50CNYW0M34QBF",
    "src.process.name": "regedit.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.activeContent.hash": "8b3d7f4397dd79d66b753745a676da89439ed38e",
    "src.process.image.sha256": "92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170",
    "src.process.indicatorGeneralCount": 2,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 3,
    "packet.id": "635ACC7D4F504B698769ED4A8E380CEF",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "event.type": "Group Creation",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 4492
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "indicators",
    "src.process.parent.image.sha1": "a87dd7a7ad343205aac883c18fb55fc7bba54093",
    "site.id": "1640744535583677559",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Microsoft Edge",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.parent.subsystem": "SYS_WIN32",
    "indicator.category": "Evasion",
    "src.process.indicatorRansomwareCount": 0,
    "indicator.metadata": "To Process[ Name: \"msedge.exe\", Pid: \"8064\", UID: \"F328E6E7AB538ED5\", TrueContextID: \"2D1EE6E7AB538ED5\", IntegrityLevel: \"Low\", RelationToSource: \"Child\" ], File Path: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.activeContent.signedStatus": "unsigned",
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "indicator.description": "Code injection to other process memory space during the target process' initialization MITRE: Defense Evasion {<a href=\"https://attack.mitre.org/techniques/T1055/012/\" target=\"_blank\">T1055.012</a>}, Privilege Escalation {<a href=\"https://attack.mitre.org/techniques/T1055/012/\" target=\"_blank\">T1055.012</a>}",
    "src.process.moduleCount": 84,
    "src.process.parent.name": "msedge.exe",
    "i.version": "preprocess-lib-1.0",
    "src.process.activeContentType": "FILE",
    "sca:atlantisIngestTime": 1679651845743,
    "src.process.image.md5": "44d867f6684855e16738b65a446937c5",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "2D1EE6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "BEHAVIORALINDICATORS",
    "src.process.parent.integrityLevel": "HIGH",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "2D1EE6E7AB538ED5",
    "i.scheme": "edr",
    "src.process.integrityLevel": "LOW",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679651799952,
    "timestamp": "2023-03-24T09:56:39.952Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "a87dd7a7ad343205aac883c18fb55fc7bba54093",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "src.process.tid": 0,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 8064,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679651851,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4272 --field-trial-handle=1904,i,13954562701905874655,10086179210364072054,131072 /prefetch:8",
    "src.process.publisher": "MICROSOFT CORPORATION",
    "src.process.parent.activeContentType": "FILE",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "event.id": "01GW9GTD03G3KP42RNTBE4KYSR_5",
    "src.process.parent.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
    "src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "src.process.tgtFileModificationCount": 3,
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679651799947,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.displayName": "Microsoft Edge",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 2,
    "src.process.uid": "F328E6E7AB538ED5",
    "src.process.parent.image.md5": "44d867f6684855e16738b65a446937c5",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "F328E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "2C1EE6E7AB538ED5",
    "src.process.parent.image.sha256": "d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "2D1EE6E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT CORPORATION",
    "src.process.parent.startTime": 1679651174169,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GW9GTD03G3KP42RNTBE4KYSR",
    "src.process.name": "msedge.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "d1ccb48eb5f5c153be93fa112314f35722582e37d39adbe88139cef2b77c7693",
    "src.process.indicatorGeneralCount": 7,
    "indicator.name": "PreloadInjection",
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 1,
    "packet.id": "A53019B8AC7E4786BC77B654E737149B",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "event.type": "Behavioral Indicators",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.activeContent.signedStatus": "unsigned",
    "src.process.parent.pid": 6728
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "ip",
    "src.process.parent.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "Microsoft Azure\u00c2\u00ae",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 168,
    "src.process.parent.name": "WaAppAgent.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679405948601,
    "src.process.image.md5": "c15e04000a62f18f0f726991d1d032dc",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "EE96E5E7AB538ED5",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "TCPV4",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.port.number": 50755,
    "event.network.protocolName": "http",
    "src.process.indicatorExploitationCount": 1,
    "src.process.parent.storyline.id": "EE96E5E7AB538ED5",
    "src.process.integrityLevel": "SYSTEM",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679405946954,
    "timestamp": "2023-03-21T13:39:06.954Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "410ddcff4d90f02fe4878a6b37f0766d33892b04",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "dst.port.number": 80,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 7020,
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "\"CollectGuestLogs.exe\" -Mode:ga -FileName:D:\\CollectGuestLogsTemp\\VMAgentLogs.zip",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "sca:ingestTime": 1679405954,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "event.id": "01GW26A6QWPJXQ3NZRZTVMTMWZ_13",
    "src.process.parent.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\CollectGuestLogs.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 1,
    "event.network.direction": "OUTGOING",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.ip.address": "10.0.0.11",
    "src.process.startTime": 1679405934712,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.displayName": "CollectGuestLogs",
    "src.process.parent.sessionId": 0,
    "src.process.isNative64Bit": false,
    "src.process.uid": "60B6E5E7AB538ED5",
    "src.process.parent.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
    "event.network.connectionStatus": "SUCCESS",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "60B6E5E7AB538ED5",
    "src.process.parent.uid": "ED96E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 1,
    "mgmt.osRevision": "19044",
    "dst.ip.address": "168.63.129.16",
    "group.id": "EE96E5E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1679394836723,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GW26A6QWPJXQ3NZRZTVMTMWZ",
    "src.process.name": "CollectGuestLogs.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "b3c6abea2eed98449416fd9942afeddff9960c9dd55e2268657c7d2003bfcf72",
    "src.process.indicatorGeneralCount": 2,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "1701C18FFEE943BAB1EA019E610E9D8B",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "event.type": "IP Connect",
    "event.repetitionCount": 1,
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 2304
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "ip",
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "Services and Controller app",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "NT AUTHORITY\\NETWORK SERVICE",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 290,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1680187241789,
    "src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorReconnaissanceCount": 2,
    "src.process.storyline.id": "1B91E6E7AB538ED5",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "TCPV4",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.port.number": 13470,
    "event.network.protocolName": "ms-wbt-server",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "0591E6E7AB538ED5",
    "src.process.integrityLevel": "SYSTEM",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 15,
    "event.time": 1680187214991,
    "timestamp": "2023-03-30T14:40:14.991Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "dst.port.number": 3389,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 784,
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "sca:ingestTime": 1680187247,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "event.id": "01GWSFDCGBJQTT4N3NDHS3WR5B_6",
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "event.network.direction": "INCOMING",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.ip.address": "184.105.247.194",
    "src.process.startTime": 1680169388118,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.displayName": "Host Process for Windows Services",
    "src.process.parent.sessionId": 0,
    "src.process.isNative64Bit": false,
    "src.process.uid": "1A91E6E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "event.network.connectionStatus": "SUCCESS",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "1A91E6E7AB538ED5",
    "src.process.parent.uid": "0491E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 15,
    "mgmt.osRevision": "19044",
    "dst.ip.address": "10.0.0.11",
    "group.id": "1B91E6E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT WINDOWS PUBLISHER",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1680169387098,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GWSFDCGBJQTT4N3NDHS3WR5B",
    "src.process.name": "svchost.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.indicatorGeneralCount": 12,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "ACF2D802403946EAB4FC44D3BDA2268A",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "event.type": "IP Connect",
    "event.repetitionCount": 2,
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 676
}
{
    "src.process.parent.isStorylineRoot": false,
    "event.category": "ip",
    "src.process.parent.image.sha1": "020c0ff3208f4c94856742122a8535565c979686",
    "site.id": "1640744535583677559",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "AttestationExtension",
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 93,
    "src.process.parent.name": "AttestationExtension.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1680198343920,
    "src.process.image.md5": "830ab0741415bfe65817accb022b64d9",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "B491E6E7AB538ED5",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "TCPV4",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.port.number": 52343,
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "B491E6E7AB538ED5",
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "site.name": "Default site",
    "src.process.netConnInCount": 4,
    "event.time": 1680198321581,
    "timestamp": "2023-03-30T17:45:21.581Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "101d2bd70fb62dd0838483f2dc62bbd93f0dd009",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe",
    "dst.port.number": 52342,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 724,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1680198349,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe\" -a \"\" -r \"\" -l C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21 -h C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\HeartBeat.Json -s C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\Status\\0.status -e C:\\WindowsAzure\\Logs\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\Events -v 1.0.1.21",
    "src.process.publisher": "MICROSOFT AZURE CODE SIGN",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "event.id": "01GWST06SETGGAFBFHCC8YP6XD_19",
    "src.process.parent.cmdline": "\"C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationExtension.exe\" enable",
    "src.process.image.path": "C:\\Packages\\Plugins\\Microsoft.Azure.Security.WindowsAttestation.GuestAttestation\\1.0.1.21\\AttestationClient.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 4,
    "src.process.reasonSignatureInvalid": "SignedNotVerified",
    "src.process.netConnOutCount": 19,
    "event.network.direction": "OUTGOING",
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.ip.address": "127.0.0.1",
    "src.process.startTime": 1680169453286,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.displayName": "AttestationClient.exe",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "F492E6E7AB538ED5",
    "src.process.parent.image.md5": "f4ad5b3598df100f80e240039f4fbed1",
    "event.network.connectionStatus": "SUCCESS",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "F492E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "EF92E6E7AB538ED5",
    "src.process.parent.image.sha256": "9cf3b22aaa92f8b6b1f817452cf12791a41cd3969674b46bd1e3718c328a6a44",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 23,
    "mgmt.osRevision": "19044",
    "dst.ip.address": "127.0.0.1",
    "group.id": "B491E6E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "unverified",
    "src.process.parent.startTime": 1680169451297,
    "src.process.dnsCount": 3,
    "endpoint.type": "desktop",
    "trace.id": "01GWST06SETGGAFBFHCC8YP6XD",
    "src.process.name": "AttestationClient.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "139e2d3b4629933268034a68e6d5202f8c305d9ae29f728790711cc9841ae654",
    "src.process.indicatorGeneralCount": 6,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "1014097947594B0B8EF4843F10BCFFB9",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "unsigned",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "event.type": "IP Connect",
    "event.repetitionCount": 1,
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 3444
}
{
    "event.category": "logins",
    "src.process.parent.isStorylineRoot": false,
    "src.process.parent.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "sshd",
    "src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 0,
    "src.process.parent.name": "sshd",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1681370638780,
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "55a4d014-9141-dea7-0774-371da18a6469",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.parent.eUserName": "root",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.eUserName": "root",
    "meta.event.name": "WINLOGONATTEMPT",
    "src.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "event.login.type": "REMOTE_INTERACTIVE",
    "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "55a4cfe4-1718-2ae2-dc40-bc3f342f0eca",
    "event.login.loginIsSuccessful": true,
    "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1681370589631,
    "src.endpoint.ip.address": "83.167.43.106",
    "timestamp": "2023-04-13T07:23:09.631Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "linux-desktop-S1",
    "src.process.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "/usr/sbin/sshd",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 1669,
    "tgt.file.isSigned": "unsigned",
    "src.process.cmdline": " sshd: jdoe [priv]",
    "sca:ingestTime": 1681370644,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.rUserUid": 0,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "unsigned",
    "event.id": "01GXWQZSEQ5HPDZ88XCF016WAM_25",
    "event.login.accountName": "jdoe",
    "src.process.parent.cmdline": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups",
    "src.process.image.path": "/usr/sbin/sshd",
    "src.process.tgtFileModificationCount": 5,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "src.process.eUserUid": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "linux",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1681370581710,
    "mgmt.id": "16964",
    "os.name": "Linux",
    "src.process.displayName": "sshd",
    "src.process.parent.sessionId": 0,
    "src.process.isNative64Bit": false,
    "src.process.rUserUid": 0,
    "src.process.uid": "55a4d014-764d-907e-3edd-f7aa19bbf4af",
    "event.login.sessionId": 0,
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "55a4d014-764d-907e-3edd-f7aa19bbf4af",
    "src.process.parent.eUserUid": 0,
    "event.login.isAdministratorEquivalent": false,
    "agent.version": "22.4.2.4",
    "src.process.parent.uid": "55a4cfe3-efa4-0d32-96df-11e5be1ac48d",
    "src.process.parent.rUserName": "root",
    "event.login.userName": "jdoe",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
    "group.id": "55a4d014-9141-dea7-0774-371da18a6469",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.startTime": 1681370573560,
    "src.process.dnsCount": 0,
    "endpoint.type": "server",
    "trace.id": "01GXWQZSEQ5HPDZ88XCF016WAM",
    "src.process.name": "sshd",
    "src.process.rUserName": "root",
    "agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
    "src.process.indicatorGeneralCount": 0,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "55afd0af-4609-018d-f36a-cbd2a92b6a59",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "unsigned",
    "event.type": "Login",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 647
}
{
    "src.process.parent.isStorylineRoot": false,
    "event.category": "logins",
    "src.process.parent.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "sshd",
    "src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 0,
    "i.version": "preprocess-lib-1.0",
    "src.process.parent.name": "sshd",
    "sca:atlantisIngestTime": 1681315742455,
    "src.process.storyline.id": "55d21a33-24e0-2280-8049-e395c2fe0885",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.parent.eUserName": "root",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.eUserName": "root",
    "meta.event.name": "WINLOGOFF",
    "src.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "55d21a32-95e8-7a56-ad57-a9e6aac5a7bd",
    "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1681315720511,
    "timestamp": "2023-04-12T16:08:40.511Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "linux-desktop-S1",
    "src.process.image.sha1": "8a212f529aa0a62646438b3494b9d899de182e85",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "/usr/sbin/sshd",
    "src.process.lUserName": "jdoe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 1153,
    "tgt.file.isSigned": "unsigned",
    "src.process.cmdline": " sshd: jdoe [priv]",
    "dataSource.category": "security",
    "sca:ingestTime": 1681315747,
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.rUserUid": 0,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "unsigned",
    "event.id": "01GXV3MFMWN2TKVYBBQT6WR04X_21",
    "src.process.parent.cmdline": " sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups",
    "src.process.image.path": "/usr/sbin/sshd",
    "src.process.tgtFileModificationCount": 2,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "src.process.eUserUid": 0,
    "src.process.lUserUid": 1000,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "linux",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1681308825830,
    "mgmt.id": "16964",
    "os.name": "Linux",
    "src.process.displayName": "sshd",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.rUserUid": 0,
    "src.process.uid": "55d21a33-1090-cfe3-3e71-3be4cb5098b8",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "55d21a33-1090-cfe3-3e71-3be4cb5098b8",
    "src.process.parent.eUserUid": 0,
    "agent.version": "22.4.2.4",
    "src.process.parent.uid": "55d21a32-6fa0-ec6b-21df-509b3ca7f0ed",
    "src.process.parent.rUserName": "root",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
    "group.id": "55d21a33-24e0-2280-8049-e395c2fe0885",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.startTime": 1681308331040,
    "src.process.dnsCount": 0,
    "endpoint.type": "server",
    "trace.id": "01GXV3MFMWN2TKVYBBQT6WR04X",
    "src.process.name": "sshd",
    "src.process.rUserName": "root",
    "agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
    "src.process.indicatorGeneralCount": 0,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "55c23dd3-0577-86b3-7357-f1fc8662a4a0",
    "src.process.parent.signedStatus": "unsigned",
    "src.process.indicatorPersistenceCount": 0,
    "event.type": "Logout",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 720
}
{
    "tgt.process.displayName": "ip",
    "src.process.parent.isStorylineRoot": false,
    "event.category": "process",
    "src.process.parent.image.sha1": "50e2a658cfe2243cfe3e6f722f049b0ba377b7e4",
    "tgt.process.eUserName": "root",
    "site.id": "1640744535583677559",
    "src.process.parent.displayName": "python3.9",
    "tgt.process.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
    "tgt.process.isNative64Bit": false,
    "src.process.parent.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 0,
    "src.process.parent.name": "python3.9",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1681309502217,
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
    "src.process.childProcCount": 1,
    "src.process.parent.eUserName": "root",
    "mgmt.url": "euce1-105.sentinelone.net",
    "tgt.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.eUserName": "root",
    "src.process.subsystem": "SUBSYSTEM_UNKNOWN",
    "meta.event.name": "PROCESSCREATION",
    "src.process.parent.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
    "tgt.process.image.path": "/usr/bin/ip",
    "src.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "i.scheme": "edr",
    "tgt.process.integrityLevel": "INTEGRITY_LEVEL_UNKNOWN",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1681309474835,
    "timestamp": "2023-04-12T14:24:34.835Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "linux-desktop-S1",
    "src.process.image.sha1": "827265afe07691a445674eb09e0eb4fd025dbd43",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "/usr/bin/python3.9",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 1517,
    "tgt.file.isSigned": "unsigned",
    "src.process.cmdline": " /bin/sh -c ip -6 -a -o address",
    "sca:ingestTime": 1681309508,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.rUserUid": 0,
    "src.process.parent.isRedirectCmdProcessor": false,
    "tgt.process.image.sha1": "3c954614f2c9af7181e4d00e00ab4485e4a9c33f",
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "unsigned",
    "event.id": "01GXTXP1WXXHGR0R7A8NF27FQ3_24",
    "src.process.parent.cmdline": " python3 -u /usr/sbin/waagent -run-exthandlers",
    "src.process.image.path": "/usr/bin/dash",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "tgt.process.rUserUid": 0,
    "src.process.eUserUid": 0,
    "tgt.process.pid": 1518,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "tgt.process.name": "ip",
    "endpoint.os": "linux",
    "src.process.tgtFileDeletionCount": 0,
    "tgt.process.signedStatus": "unsigned",
    "src.process.startTime": 1681309474590,
    "mgmt.id": "16964",
    "os.name": "Linux",
    "tgt.process.rUserName": "root",
    "tgt.process.cmdline": " ip -6 -a -o address",
    "src.process.displayName": "dash",
    "src.process.parent.sessionId": 0,
    "src.process.isNative64Bit": false,
    "tgt.process.eUserUid": 0,
    "src.process.rUserUid": 0,
    "src.process.uid": "550f55e1-53a8-e998-adea-61da4ec754de",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4",
    "src.process.parent.eUserUid": 0,
    "tgt.process.uid": "550f55e8-ffb9-9bab-2952-5ef7c734b7d4",
    "tgt.process.isStorylineRoot": false,
    "src.process.parent.uid": "55d21a32-dd64-9b07-6e84-bd923f6d1e08",
    "agent.version": "22.4.2.4",
    "src.process.parent.rUserName": "root",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "Debian GNU/11 (bullseye) 5.10.0-21-cloud-amd64",
    "group.id": "55d21a32-c658-5f3f-5d8f-57420736161e",
    "tgt.process.startTime": 1681309474590,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.parent.startTime": 1681308332200,
    "src.process.dnsCount": 0,
    "endpoint.type": "server",
    "trace.id": "01GXTXP1WXXHGR0R7A8NF27FQ3",
    "src.process.rUserName": "root",
    "src.process.name": "dash",
    "agent.uuid": "55cf574b-9fd7-5278-2ee0-badefd0d22ad",
    "src.process.indicatorGeneralCount": 0,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "551560d7-495f-7d44-7a29-52064745dff7",
    "tgt.process.sessionId": 0,
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "unsigned",
    "tgt.process.isRedirectCmdProcessor": false,
    "event.type": "Process Creation",
    "event.repetitionCount": 1,
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 911
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "logins",
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.parent.displayName": "Services and Controller app",
    "src.process.image.binaryIsExecutable": true,
    "osSrc.process.image.md5": "289d6a47b7692510e2fd3b51979a9fed",
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "NT AUTHORITY\\NETWORK SERVICE",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.image.sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16",
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 658,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1679405768536,
    "src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorReconnaissanceCount": 4,
    "src.process.storyline.id": "6196E5E7AB538ED5",
    "src.process.childProcCount": 3,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "WINLOGONATTEMPT",
    "src.process.parent.integrityLevel": "SYSTEM",
    "event.login.type": "NETWORK",
    "osSrc.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.image.binaryIsExecutable": true,
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "4896E5E7AB538ED5",
    "event.login.loginIsSuccessful": false,
    "src.process.integrityLevel": "SYSTEM",
    "i.scheme": "edr",
    "osSrc.process.pid": 684,
    "site.name": "Default site",
    "src.process.netConnInCount": 65,
    "event.time": 1679405708938,
    "src.endpoint.ip.address": "180.163.86.35",
    "timestamp": "2023-03-21T13:35:08.938Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 740,
    "osSrc.process.uid": "4996E5E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "C:\\Windows\\System32\\svchost.exe -k NetworkService",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "sca:ingestTime": 1679405774,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "SYSTEM",
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "osSrc.process.subsystem": "SYS_WIN32",
    "event.id": "01GW264PY7BGAP7QD40Y666TD8_1",
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "event.login.accountName": "-",
    "src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "lsass.exe",
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "osSrc.process.startTime": 1679394829462,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "osSrc.process.image.sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679394830438,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "src.process.displayName": "Host Process for Windows Services",
    "src.process.parent.sessionId": 0,
    "src.process.isNative64Bit": false,
    "osSrc.process.sessionId": 0,
    "event.login.failureReason": "Unknown user name or bad password.",
    "src.process.uid": "6096E5E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\lsass.exe",
    "event.login.sessionId": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "6096E5E7AB538ED5",
    "src.process.parent.uid": "4796E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "event.login.userName": "USER",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 65,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\lsass.exe",
    "group.id": "6196E5E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1679394829443,
    "src.process.dnsCount": 0,
    "event.login.accountDomain": "-",
    "endpoint.type": "desktop",
    "trace.id": "01GW264PY7BGAP7QD40Y666TD8",
    "src.process.name": "svchost.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.displayName": "Local Security Authority Process",
    "src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.indicatorGeneralCount": 14,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "CB26CB516DA94909A17845A03C2ED5E0",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.storyline.id": "4A96E5E7AB538ED5",
    "event.type": "Login",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 676,
    "event.login.accountSid": "S-1-0-0"
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "logins",
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Services and Controller app",
    "osSrc.process.image.md5": "289d6a47b7692510e2fd3b51979a9fed",
    "osSrc.process.crossProcessOpenProcessCount": 164,
    "osSrc.process.publisher": "MICROSOFT WINDOWS PUBLISHER",
    "osSrc.process.crossProcessDupThreadHandleCount": 0,
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 19,
    "osSrc.process.crossProcessOutOfStorylineCount": 164,
    "osSrc.process.image.sha1": "1754e7ee417e56c9c196b1dc7fbf663a43d15d16",
    "src.process.tgtFileCreationCount": 0,
    "osSrc.process.childProcCount": 0,
    "src.process.indicatorInjectionCount": 24,
    "osSrc.process.indicatorReconnaissanceCount": 1,
    "src.process.moduleCount": 7591,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1680604015448,
    "src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorReconnaissanceCount": 1459,
    "src.process.storyline.id": "C136E7E7AB538ED5",
    "src.process.childProcCount": 90,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 227,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 124,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "WINLOGONATTEMPT",
    "event.login.type": "UNLOCK",
    "src.process.parent.integrityLevel": "SYSTEM",
    "osSrc.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.image.binaryIsExecutable": true,
    "osSrc.process.tgtFileModificationCount": 0,
    "src.process.indicatorExploitationCount": 0,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "AB36E7E7AB538ED5",
    "event.login.loginIsSuccessful": true,
    "osSrc.process.netConnInCount": 0,
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 688,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680603998952,
    "src.endpoint.ip.address": "109.190.253.14",
    "timestamp": "2023-04-04T10:26:38.952Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 164,
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 536,
    "osSrc.process.uid": "AC36E7E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1680604021,
    "dataSource.category": "security",
    "src.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "SYSTEM",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 252,
    "osSrc.process.subsystem": "SYS_WIN32",
    "event.id": "01GX5WW9NEJCT67Y7FV3YKQGAC_115",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "event.login.accountName": "desktop-jdoe$",
    "src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "lsass.exe",
    "src.process.indicatorEvasionCount": 3,
    "src.process.netConnOutCount": 102,
    "osSrc.process.startTime": 1680601657543,
    "src.process.crossProcessDupThreadHandleCount": 6,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 0,
    "osSrc.process.image.sha256": "0777fd312394ae1afeed0ad48ae2d7b5ed6e577117a4f40305eaeb4129233650",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1680601658531,
    "mgmt.id": "16964",
    "osSrc.process.indicatorRansomwareCount": 0,
    "osSrc.process.netConnCount": 0,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 66,
    "src.process.displayName": "Host Process for Windows Services",
    "osSrc.process.dnsCount": 0,
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "C036E7E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\lsass.exe",
    "event.login.sessionId": 0,
    "src.process.indicatorInfostealerCount": 127,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "C036E7E7AB538ED5",
    "event.login.isAdministratorEquivalent": true,
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "AA36E7E7AB538ED5",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "event.login.userName": "john.doe",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 102,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\lsass.exe",
    "group.id": "C136E7E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS PUBLISHER",
    "src.process.parent.startTime": 1680601657524,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 40,
    "event.login.accountDomain": "WORKGROUP",
    "osSrc.process.tgtFileDeletionCount": 0,
    "osSrc.process.indicatorEvasionCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GX5WW9NEJCT67Y7FV3YKQGAC",
    "src.process.name": "svchost.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.displayName": "Local Security Authority Process",
    "src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.indicatorGeneralCount": 261,
    "src.process.crossProcessOutOfStorylineCount": 252,
    "src.process.registryChangeCount": 0,
    "packet.id": "1E58F722484E4850B02469C4B6DDEBF3",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.storyline.id": "AD36E7E7AB538ED5",
    "event.type": "Login",
    "src.process.indicatorPostExploitationCount": 0,
    "event.login.accountSid": "S-1-5-18",
    "src.process.parent.pid": 680
}
{
    "tgt.process.displayName": "Runtime Broker",
    "src.process.parent.isStorylineRoot": true,
    "event.category": "process",
    "osSrc.process.parent.sessionId": 0,
    "src.process.parent.image.sha1": "5310ba14a05256e4d93e0b04338f53b4e1d680cb",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.parent.displayName": "Shell Infrastructure Host",
    "src.process.image.binaryIsExecutable": true,
    "tgt.process.storyline.id": "86B6E5E7AB538ED5",
    "osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "tgt.process.isNative64Bit": false,
    "osSrc.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "osSrc.process.crossProcessOpenProcessCount": 1,
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.parent.name": "svchost.exe",
    "osSrc.process.crossProcessDupThreadHandleCount": 0,
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "osSrc.process.parent.startTime": 1679394829780,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.crossProcessOutOfStorylineCount": 86,
    "osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.tgtFileCreationCount": 0,
    "osSrc.process.childProcCount": 121,
    "src.process.indicatorInjectionCount": 0,
    "osSrc.process.indicatorReconnaissanceCount": 2,
    "src.process.moduleCount": 93,
    "src.process.parent.name": "sihost.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1679406008310,
    "src.process.image.md5": "da7063b17dbb8bbb3015351016868006",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "86B6E5E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "tgt.process.subsystem": "SYS_WIN32",
    "src.process.crossProcessOpenProcessCount": 0,
    "tgt.process.image.binaryIsExecutable": true,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "tgt.process.image.sha256": "e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628",
    "osSrc.process.moduleCount": 199,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "PROCESSCREATION",
    "src.process.parent.integrityLevel": "HIGH",
    "osSrc.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "osSrc.process.image.binaryIsExecutable": true,
    "osSrc.process.tgtFileModificationCount": 0,
    "osSrc.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "tgt.process.publisher": "MICROSOFT WINDOWS",
    "src.process.indicatorExploitationCount": 0,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "BE98E5E7AB538ED5",
    "tgt.process.verifiedStatus": "verified",
    "osSrc.process.netConnInCount": 0,
    "tgt.process.image.path": "C:\\Windows\\System32\\RuntimeBroker.exe",
    "i.scheme": "edr",
    "src.process.integrityLevel": "LOW",
    "tgt.process.integrityLevel": "HIGH",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 852,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "tgt.process.image.md5": "ba4cfe6461afa1004c52f19c8f2169dc",
    "event.time": 1679405965868,
    "osSrc.process.parent.isStorylineRoot": true,
    "timestamp": "2023-03-21T13:39:25.868Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 86,
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "c6e63c7aae9c4e07e15c1717872c0c73f3d4fb09",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\sihost.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 2096,
    "osSrc.process.parent.integrityLevel": "SYSTEM",
    "osSrc.process.uid": "5596E5E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679406014,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Windows\\system32\\BackgroundTaskHost.exe\" -ServerName:BackgroundTaskHost.WebAccountProvider",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "tgt.process.image.sha1": "ab8539ef6b2a93ff9589dec4b34a0257b6296c92",
    "osSrc.process.integrityLevel": "SYSTEM",
    "osSrc.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "osSrc.process.subsystem": "SYS_WIN32",
    "osSrc.process.parent.signedStatus": "signed",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 85,
    "event.id": "01GW26C1B7ME6MS4EC7X0K5R6X_12",
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "sihost.exe",
    "osSrc.process.parent.displayName": "Host Process for Windows Services",
    "src.process.image.path": "C:\\Windows\\System32\\backgroundTaskHost.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "svchost.exe",
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "osSrc.process.startTime": 1679394829780,
    "tgt.process.pid": 3212,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "tgt.process.name": "RuntimeBroker.exe",
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 0,
    "osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "tgt.process.signedStatus": "signed",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679405965779,
    "osSrc.process.indicatorRansomwareCount": 0,
    "mgmt.id": "16964",
    "osSrc.process.netConnCount": 0,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 12,
    "osSrc.process.parent.isNative64Bit": false,
    "tgt.process.cmdline": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding",
    "src.process.displayName": "Background Task Host",
    "osSrc.process.dnsCount": 0,
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 2,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "85B6E5E7AB538ED5",
    "src.process.parent.image.md5": "a21e7719d73d0322e2e7d61802cb8f80",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
    "osSrc.process.parent.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.parent.isRedirectCmdProcessor": false,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "87B6E5E7AB538ED5",
    "tgt.process.uid": "87B6E5E7AB538ED5",
    "tgt.process.isStorylineRoot": false,
    "osSrc.process.parent.storyline.id": "5696E5E7AB538ED5",
    "osSrc.process.parent.pid": 852,
    "src.process.parent.uid": "BD98E5E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "8ee21a0ba8849d31c265b4090a9e2ebe8ba66f58a8f71d4e96509e8a78f7db00",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "group.id": "86B6E5E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "tgt.process.startTime": 1679405965867,
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1679394873882,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 0,
    "osSrc.process.tgtFileDeletionCount": 0,
    "osSrc.process.indicatorEvasionCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GW26C1B7ME6MS4EC7X0K5R6X",
    "src.process.name": "backgroundTaskHost.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "osSrc.process.displayName": "Host Process for Windows Services",
    "src.process.image.sha256": "20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50",
    "osSrc.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "tgt.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorGeneralCount": 3,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "8179FCF2337A43CA9FB82DC8E38EEBD2",
    "tgt.process.sessionId": 2,
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "tgt.process.isRedirectCmdProcessor": false,
    "osSrc.process.parent.uid": "5596E5E7AB538ED5",
    "osSrc.process.storyline.id": "5696E5E7AB538ED5",
    "event.type": "Process Creation",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 4164
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "registry",
    "src.process.parent.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
    "site.id": "1640744535583677559",
    "registry.valueFullSize": 24,
    "src.process.parent.displayName": "Microsoft Edge",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.indicatorRansomwareCount": 0,
    "registry.oldValueType": "BINARY",
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.activeContent.signedStatus": "unsigned",
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 156,
    "src.process.parent.name": "msedge.exe",
    "i.version": "preprocess-lib-1.0",
    "src.process.activeContentType": "FILE",
    "sca:atlantisIngestTime": 1680203775822,
    "src.process.image.md5": "fbbcd4101d9daa064e2686834b1296be",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "14C2E6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "registry.oldValueFullSize": 24,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "REGVALUEMODIFIED",
    "src.process.parent.integrityLevel": "HIGH",
    "src.process.indicatorExploitationCount": 2,
    "src.process.parent.storyline.id": "14C2E6E7AB538ED5",
    "src.process.integrityLevel": "LOW",
    "i.scheme": "edr",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680203773063,
    "timestamp": "2023-03-30T19:16:13.063Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "c54490a0e8a6c9e665f081f3d55847f32d7cb25e",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 6912,
    "tgt.file.isSigned": "signed",
    "src.process.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 --field-trial-handle=2228,i,8041541006595259326,10836478052752419158,131072 /prefetch:2",
    "src.process.publisher": "MICROSOFT CORPORATION",
    "sca:ingestTime": 1680203781,
    "dataSource.category": "security",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.activeContentType": "FILE",
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.crossProcessCount": 0,
    "src.process.signedStatus": "signed",
    "event.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3_20",
    "src.process.parent.cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5",
    "registry.value": "3929AC173C63D90100000000000000000000000002000000",
    "src.process.image.path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1680183590099,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\bam\\State\\UserSettings\\S-1-5-21-1124497873-2276302922-1472590183-500\\\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "src.process.displayName": "Microsoft Edge",
    "src.process.parent.sessionId": 2,
    "src.process.isNative64Bit": false,
    "src.process.uid": "6DC2E6E7AB538ED5",
    "src.process.parent.image.md5": "fbbcd4101d9daa064e2686834b1296be",
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.indicatorInfostealerCount": 0,
    "process.unique.key": "6DC2E6E7AB538ED5",
    "registry.valueType": "BINARY",
    "src.process.parent.uid": "13C2E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "14C2E6E7AB538ED5",
    "src.process.parent.publisher": "MICROSOFT CORPORATION",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.startTime": 1680183585577,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GWSZ5Z9090XZJD6DMNCG2SZ3",
    "src.process.name": "msedge.exe",
    "registry.oldValueIsComplete": true,
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "db780e2e5d8608f9a0bc77822ccbee64c8deece0120244b31af3fc4a8336d1aa",
    "src.process.indicatorGeneralCount": 4,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 1,
    "packet.id": "6E623DBE96C14642980FE486FCC335F2",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "registry.oldValue": "C9C6A9173C63D90100000000000000000000000002000000",
    "event.type": "Registry Value Modified",
    "src.process.indicatorPostExploitationCount": 0,
    "registry.valueIsComplete": true,
    "src.process.parent.activeContent.signedStatus": "unsigned",
    "src.process.parent.pid": 6384
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "registry",
    "src.process.parent.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
    "site.id": "1640744535583677559",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Microsoft Azure\u00c2\u00ae",
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 33,
    "src.process.parent.name": "WaAppAgent.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679651173876,
    "src.process.image.md5": "e30e7a42a010bf95524514bdf2035695",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "B91AE6E7AB538ED5",
    "src.process.childProcCount": 1,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "REGKEYCREATE",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "B91AE6E7AB538ED5",
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679651168286,
    "timestamp": "2023-03-24T09:46:08.286Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "3f38989e61670025c2585a9e3cc8f1e1c9f229e9",
    "src.process.isStorylineRoot": false,
    "src.process.parent.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 2532,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679651179,
    "dataSource.category": "security",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.cmdline": "\"wevtutil.exe\" im C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\AzureEvents.man",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "event.id": "01GW9G5WH7M8ZDX974Z857TJT3_959",
    "src.process.parent.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "src.process.image.path": "C:\\Windows\\System32\\wevtutil.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679651062627,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Control\\WMI\\Autologger\\EventLog-Application\\{9e3b8bee-15eb-444b-a692-bab4546644f2}",
    "src.process.displayName": "Eventing Command Line Utility",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "081BE6E7AB538ED5",
    "src.process.parent.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "081BE6E7AB538ED5",
    "src.process.parent.uid": "B81AE6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "B91AE6E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679651056550,
    "src.process.dnsCount": 0,
    "endpoint.type": "desktop",
    "trace.id": "01GW9G5WH7M8ZDX974Z857TJT3",
    "src.process.name": "wevtutil.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "20db4abf4539d2e054fbadde48078452a5a4adbca9eaeff66aba89f2c9164055",
    "src.process.indicatorGeneralCount": 2,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "338EC859EB214768AD336A240538CC9B",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "event.type": "Registry Key Create",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 2308
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "registry",
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Services and Controller app",
    "osSrc.process.image.md5": "60ff40cfd7fb8fe41ee4fe9ae5fe1c51",
    "osSrc.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.crossProcessDupThreadHandleCount": 0,
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 14,
    "osSrc.process.crossProcessOutOfStorylineCount": 0,
    "osSrc.process.image.sha1": "3ea7cc066317ac45f963c2227c4c7c50aa16eb7c",
    "src.process.tgtFileCreationCount": 0,
    "osSrc.process.childProcCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "osSrc.process.indicatorReconnaissanceCount": 0,
    "src.process.moduleCount": 447,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1679651246067,
    "src.process.image.md5": "ec038f4fd73993de139b889e7bcf2f66",
    "src.process.indicatorReconnaissanceCount": 119,
    "src.process.storyline.id": "B91AE6E7AB538ED5",
    "src.process.childProcCount": 15,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 172,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 0,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "REGKEYSECURITYCHANGED",
    "src.process.parent.integrityLevel": "SYSTEM",
    "osSrc.process.user": "NT AUTHORITY\\NETWORK SERVICE",
    "osSrc.process.image.binaryIsExecutable": true,
    "osSrc.process.tgtFileModificationCount": 0,
    "src.process.indicatorExploitationCount": 1,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "381AE6E7AB538ED5",
    "osSrc.process.netConnInCount": 0,
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 2996,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679651207497,
    "timestamp": "2023-03-24T09:46:47.497Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 0,
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "68d7290a70ae3a396a0bd5164919694346047384",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 2308,
    "osSrc.process.uid": "F21AE6E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679651252,
    "dataSource.category": "security",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.cmdline": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "SYSTEM",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 14,
    "osSrc.process.subsystem": "SYS_WIN32",
    "event.id": "01GW9G83044XT7MEFV9Z37STGM_351",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "src.process.image.path": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1075_2023-03-16_134252\\WaAppAgent.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "WmiPrvSE.exe",
    "src.process.indicatorEvasionCount": 2,
    "src.process.netConnOutCount": 12,
    "osSrc.process.startTime": 1679651059528,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 0,
    "osSrc.process.image.sha256": "2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679651056550,
    "mgmt.id": "16964",
    "osSrc.process.indicatorRansomwareCount": 0,
    "osSrc.process.netConnCount": 0,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 3,
    "registry.keyPath": "MACHINE\\BCD00000000\\Objects\\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\\Elements\\11000001",
    "src.process.displayName": "Microsoft Azure\u00c2\u00ae",
    "osSrc.process.dnsCount": 0,
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "B81AE6E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "B81AE6E7AB538ED5",
    "src.process.parent.uid": "371AE6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 12,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "group.id": "B91AE6E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679651047714,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 1,
    "osSrc.process.tgtFileDeletionCount": 0,
    "endpoint.type": "desktop",
    "osSrc.process.indicatorEvasionCount": 0,
    "trace.id": "01GW9G83044XT7MEFV9Z37STGM",
    "src.process.name": "WaAppAgent.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.displayName": "WMI Provider Host",
    "src.process.image.sha256": "a8b9b1d63b8340cb1292d8edcd2c70702d17e9a254ec4b215c844d5eefb949c9",
    "src.process.indicatorGeneralCount": 7,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "DE00CD9C6B074221B3EEF81AB421B43F",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.storyline.id": "F31AE6E7AB538ED5",
    "event.type": "Registry Key Security Changed",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 676
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "registry",
    "src.process.parent.image.sha1": "d7a213f3cfee2a8a191769eb33847953be51de54",
    "site.id": "1640744535583677559",
    "registry.valueFullSize": 8,
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Services and Controller app",
    "src.process.user": "NT AUTHORITY\\LOCAL SERVICE",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "registry.oldValueType": "QWORD",
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "src.process.tgtFileCreationCount": 0,
    "src.process.indicatorInjectionCount": 0,
    "src.process.moduleCount": 60,
    "src.process.parent.name": "services.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679651725979,
    "src.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "src.process.indicatorReconnaissanceCount": 4,
    "src.process.storyline.id": "C21AE6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "registry.oldValueFullSize": 8,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "REGVALUEMODIFIED",
    "src.process.parent.integrityLevel": "SYSTEM",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "381AE6E7AB538ED5",
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679651714861,
    "timestamp": "2023-03-24T09:55:14.861Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\services.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 2400,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679651731,
    "dataSource.category": "security",
    "src.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalService",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "event.id": "01GW9GPQS7DA4A1MEAAWC62TV0_17",
    "src.process.parent.cmdline": "C:\\Windows\\system32\\services.exe",
    "registry.value": "0x01D95E36BB59E231",
    "src.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "src.process.tgtFileModificationCount": 0,
    "src.process.indicatorEvasionCount": 0,
    "src.process.netConnOutCount": 0,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679651056705,
    "mgmt.id": "16964",
    "os.name": "Windows 10 Pro",
    "registry.keyPath": "MACHINE\\SYSTEM\\ControlSet001\\Services\\W32Time\\Config\\LastKnownGoodTime",
    "src.process.displayName": "Host Process for Windows Services",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "src.process.uid": "C11AE6E7AB538ED5",
    "src.process.parent.image.md5": "d8e577bf078c45954f4531885478d5a9",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "C11AE6E7AB538ED5",
    "registry.valueType": "QWORD",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "371AE6E7AB538ED5",
    "src.process.parent.image.sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "group.id": "C21AE6E7AB538ED5",
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679651047714,
    "src.process.dnsCount": 1,
    "endpoint.type": "desktop",
    "trace.id": "01GW9GPQS7DA4A1MEAAWC62TV0",
    "src.process.name": "svchost.exe",
    "registry.oldValueIsComplete": true,
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.indicatorGeneralCount": 3,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "138ED27662FD4857B56CA60142FA1C2F",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "registry.oldValue": "0x01D95E36B1CF068C",
    "event.type": "Registry Value Modified",
    "src.process.indicatorPostExploitationCount": 0,
    "registry.valueIsComplete": true,
    "src.process.parent.pid": 676
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "scheduled_task",
    "src.process.parent.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
    "site.id": "1640744535583677559",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Windows Explorer",
    "osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "osSrc.process.crossProcessOpenProcessCount": 219,
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.crossProcessDupThreadHandleCount": 4,
    "src.process.user": "desktop-jdoe\\john.doe",
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.crossProcessOutOfStorylineCount": 232,
    "osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.tgtFileCreationCount": 0,
    "osSrc.process.childProcCount": 73,
    "src.process.indicatorInjectionCount": 2,
    "osSrc.process.indicatorReconnaissanceCount": 15044,
    "src.process.moduleCount": 397,
    "src.process.parent.name": "explorer.exe",
    "i.version": "preprocess-lib-1.0",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1679668709665,
    "src.process.image.md5": "cdbae87d50068565cf2ed20e99246a2e",
    "src.process.indicatorReconnaissanceCount": 3,
    "src.process.storyline.id": "5084E6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 44431,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 53,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "SCHEDTASKREGISTER",
    "src.process.parent.integrityLevel": "HIGH",
    "osSrc.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.image.binaryIsExecutable": true,
    "task.name": "\\Task John",
    "osSrc.process.tgtFileModificationCount": 16,
    "src.process.indicatorExploitationCount": 0,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "FA1CE6E7AB538ED5",
    "osSrc.process.netConnInCount": 0,
    "i.scheme": "edr",
    "src.process.integrityLevel": "HIGH",
    "osSrc.process.indicatorInjectionCount": 1,
    "osSrc.process.pid": 796,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679668702878,
    "timestamp": "2023-03-24T14:38:22.878Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 232,
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "4a8b68a1ad588175d018944aacca6151e2cb4e3c",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\explorer.exe",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 5228,
    "osSrc.process.uid": "4D1AE6E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679668715,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\taskschd.msc\" /s",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "osSrc.process.integrityLevel": "SYSTEM",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "osSrc.process.subsystem": "SYS_WIN32",
    "event.id": "01GWA0X1G6W27RX89K1YWD3SB8_10",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 9,
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "C:\\Windows\\Explorer.EXE",
    "src.process.image.path": "C:\\Windows\\System32\\mmc.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "svchost.exe",
    "src.process.indicatorEvasionCount": 2,
    "src.process.netConnOutCount": 0,
    "osSrc.process.startTime": 1679651050062,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 86,
    "osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679668633169,
    "mgmt.id": "16964",
    "osSrc.process.indicatorRansomwareCount": 0,
    "osSrc.process.netConnCount": 86,
    "os.name": "Windows 10 Pro",
    "osSrc.process.indicatorGeneral.count": 1041,
    "src.process.displayName": "Microsoft Management Console",
    "osSrc.process.dnsCount": 28,
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 2,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "4F84E6E7AB538ED5",
    "src.process.parent.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "4F84E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "F91CE6E7AB538ED5",
    "src.process.parent.image.sha256": "5ad6cf448d3492310e89ab0ce7f7230f93b359fec8314a3e2b22084fbe24d4d8",
    "src.process.sessionId": 2,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "group.id": "5084E6E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679651150108,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 0,
    "osSrc.process.tgtFileDeletionCount": 0,
    "osSrc.process.indicatorEvasionCount": 3,
    "endpoint.type": "desktop",
    "trace.id": "01GWA0X1G6W27RX89K1YWD3SB8",
    "src.process.name": "mmc.exe",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "osSrc.process.displayName": "Host Process for Windows Services",
    "src.process.image.sha256": "3519db09c7d58615c5a5a8ef508e163e63ecb428f113021e0e3cd47fb7f39c9e",
    "src.process.indicatorGeneralCount": 36,
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 0,
    "packet.id": "47785FD0B1924C13905B7665CF4053FA",
    "src.process.indicatorPersistenceCount": 1,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "desktop-jdoe\\john.doe",
    "osSrc.process.storyline.id": "4E1AE6E7AB538ED5",
    "event.type": "Task Register",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 5044
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "scheduled_task",
    "tgt.file.modificationTime": -11644473600000,
    "src.process.parent.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "site.id": "1640744535583677559",
    "tgt.file.location": "Local",
    "osSrc.process.isRedirectCmdProcessor": false,
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Host Process for Windows Services",
    "osSrc.process.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "osSrc.process.crossProcessOpenProcessCount": 157,
    "osSrc.process.publisher": "MICROSOFT WINDOWS",
    "osSrc.process.crossProcessDupThreadHandleCount": 5,
    "src.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.indicatorPersistenceCount": 0,
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 0,
    "osSrc.process.crossProcessOutOfStorylineCount": 172,
    "osSrc.process.image.sha1": "1bc5066ddf693fc034d6514618854e26a84fd0d1",
    "src.process.activeContent.signedStatus": "signed",
    "src.process.tgtFileCreationCount": 1,
    "osSrc.process.childProcCount": 80,
    "src.process.indicatorInjectionCount": 0,
    "osSrc.process.indicatorReconnaissanceCount": 5902,
    "src.process.moduleCount": 53,
    "src.process.parent.name": "svchost.exe",
    "i.version": "preprocess-lib-1.0",
    "src.process.activeContentType": "FILE",
    "osSrc.process.signedStatus": "signed",
    "sca:atlantisIngestTime": 1680188502213,
    "src.process.image.md5": "ef3179d498793bf4234f708d3be28633",
    "src.process.indicatorReconnaissanceCount": 0,
    "src.process.storyline.id": "7322E6E7AB538ED5",
    "src.process.childProcCount": 0,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 0,
    "osSrc.process.crossProcessThreadCreateCount": 0,
    "osSrc.process.moduleCount": 38352,
    "osSrc.process.indicatorPostExploitationCount": 0,
    "osSrc.process.indicatorInfostealerCount": 115,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "SCHEDTASKSTART",
    "src.process.parent.integrityLevel": "SYSTEM",
    "osSrc.process.user": "NT AUTHORITY\\SYSTEM",
    "osSrc.process.image.binaryIsExecutable": true,
    "task.name": "\\Microsoft\\Windows\\Application Experience\\PcaPatchDbTask",
    "osSrc.process.tgtFileModificationCount": 59,
    "src.process.indicatorExploitationCount": 0,
    "osSrc.process.registryChangeCount": 0,
    "src.process.parent.storyline.id": "4E1AE6E7AB538ED5",
    "tgt.file.creationTime": -11644473600000,
    "osSrc.process.netConnInCount": 0,
    "i.scheme": "edr",
    "src.process.integrityLevel": "SYSTEM",
    "osSrc.process.indicatorInjectionCount": 0,
    "osSrc.process.pid": 544,
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1680188461660,
    "timestamp": "2023-03-30T15:01:01.660Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "osSrc.process.crossProcessCount": 172,
    "endpoint.name": "desktop-jdoe",
    "tgt.file.size": 71680,
    "src.process.image.sha1": "dd399ae46303343f9f0da189aee11c67bd868222",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\svchost.exe",
    "tgt.file.sha1": "dd399ae46303343f9f0da189aee11c67bd868222",
    "osSrc.process.isNative64Bit": false,
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 5304,
    "osSrc.process.uid": "1E91E6E7AB538ED5",
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1680188507,
    "dataSource.category": "security",
    "src.process.cmdline": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\PcaSvc.dll,PcaPatchSdbTask",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "osSrc.process.isStorylineRoot": true,
    "src.process.parent.isRedirectCmdProcessor": false,
    "tgt.file.description": "Windows host process (Rundll32)",
    "osSrc.process.integrityLevel": "SYSTEM",
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 0,
    "osSrc.process.subsystem": "SYS_WIN32",
    "tgt.file.isExecutable": true,
    "event.id": "01GWSGKVAAKE9CKCSVVN8QVWA2_7",
    "osSrc.process.crossProcessDupRemoteProcessHandleCount": 10,
    "osSrc.process.tgtFileCreationCount": 0,
    "src.process.parent.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    "src.process.image.path": "C:\\Windows\\System32\\rundll32.exe",
    "src.process.tgtFileModificationCount": 0,
    "osSrc.process.name": "svchost.exe",
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 0,
    "tgt.file.path": "C:\\Windows\\System32\\rundll32.exe",
    "tgt.file.extension": "exe",
    "osSrc.process.startTime": 1680169388191,
    "src.process.crossProcessDupThreadHandleCount": 0,
    "endpoint.os": "windows",
    "osSrc.process.netConnOutCount": 99,
    "osSrc.process.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.tgtFileDeletionCount": 0,
    "src.process.startTime": 1679651234837,
    "mgmt.id": "16964",
    "osSrc.process.indicatorRansomwareCount": 0,
    "osSrc.process.netConnCount": 99,
    "os.name": "Windows 10 Pro",
    "tgt.file.type": "PE",
    "osSrc.process.indicatorGeneral.count": 591,
    "src.process.activeContent.id": "B928E3E7AB538ED5",
    "src.process.displayName": "Windows host process (Rundll32)",
    "osSrc.process.dnsCount": 51,
    "tgt.file.sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
    "src.process.activeContent.path": "C:\\Windows\\System32\\pcasvc.dll",
    "src.process.isNative64Bit": false,
    "src.process.parent.sessionId": 0,
    "osSrc.process.sessionId": 0,
    "src.process.uid": "7222E6E7AB538ED5",
    "src.process.parent.image.md5": "b7f884c1b74a263f746ee12a5f7c9f6a",
    "osSrc.process.verifiedStatus": "verified",
    "osSrc.process.cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    "src.process.indicatorInfostealerCount": 0,
    "src.process.indicatorBootConfigurationUpdateCount": 0,
    "process.unique.key": "7222E6E7AB538ED5",
    "agent.version": "22.3.2.373",
    "src.process.parent.uid": "4D1AE6E7AB538ED5",
    "src.process.parent.image.sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
    "src.process.sessionId": 0,
    "src.process.netConnCount": 0,
    "mgmt.osRevision": "19044",
    "osSrc.process.image.path": "C:\\Windows\\System32\\svchost.exe",
    "group.id": "7322E6E7AB538ED5",
    "osSrc.process.indicatorBootConfigurationUpdateCount": 0,
    "src.process.isRedirectCmdProcessor": false,
    "src.process.verifiedStatus": "verified",
    "src.process.parent.publisher": "MICROSOFT WINDOWS",
    "src.process.parent.startTime": 1679651050062,
    "osSrc.process.indicatorExploitationCount": 0,
    "src.process.dnsCount": 0,
    "osSrc.process.tgtFileDeletionCount": 0,
    "osSrc.process.indicatorEvasionCount": 3,
    "endpoint.type": "desktop",
    "trace.id": "01GWSGKVAAKE9CKCSVVN8QVWA2",
    "src.process.name": "rundll32.exe",
    "tgt.file.md5": "ef3179d498793bf4234f708d3be28633",
    "agent.uuid": "9a25d24fd1e4418dab8e358865fa1e29",
    "src.process.activeContent.hash": "4baee77d42bd0b2fa2660852eeac7962aa27a2f1",
    "osSrc.process.displayName": "Host Process for Windows Services",
    "src.process.image.sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
    "src.process.indicatorGeneralCount": 3,
    "tgt.file.internalName": "rundll",
    "src.process.crossProcessOutOfStorylineCount": 0,
    "src.process.registryChangeCount": 2,
    "packet.id": "2343644B9C0D4EBFA0956CF728E11DDC",
    "src.process.indicatorPersistenceCount": 0,
    "src.process.parent.signedStatus": "signed",
    "src.process.parent.user": "NT AUTHORITY\\SYSTEM",
    "tgt.file.id": "F58AE3E7AB538ED5",
    "osSrc.process.storyline.id": "1F91E6E7AB538ED5",
    "event.type": "Task Start",
    "task.path": "C:\\Windows\\System32\\rundll32.exe",
    "src.process.indicatorPostExploitationCount": 0,
    "src.process.parent.pid": 796
}
{
    "src.process.parent.isStorylineRoot": true,
    "event.category": "url",
    "src.process.parent.image.sha1": "f2460307d8f0c264df4f101b5adaf6927d4116cf",
    "site.id": "1640744535583677559",
    "src.process.image.binaryIsExecutable": true,
    "src.process.parent.displayName": "Userinit Logon Application",
    "src.process.user": "desktop-jdoe\\john.doe",
    "src.process.parent.subsystem": "SYS_WIN32",
    "src.process.indicatorRansomwareCount": 0,
    "src.process.crossProcessDupRemoteProcessHandleCount": 13,
    "src.process.tgtFileCreationCount": 11,
    "src.process.indicatorInjectionCount": 1,
    "src.process.moduleCount": 1652,
    "src.process.parent.name": "userinit.exe",
    "i.version": "preprocess-lib-1.0",
    "sca:atlantisIngestTime": 1679651786046,
    "src.process.image.md5": "b5da026b38c9e98a6f6d4061b6c3b4f3",
    "src.process.indicatorReconnaissanceCount": 6,
    "src.process.storyline.id": "FA1CE6E7AB538ED5",
    "src.process.childProcCount": 14,
    "mgmt.url": "euce1-105.sentinelone.net",
    "src.process.crossProcessOpenProcessCount": 1,
    "src.process.subsystem": "SYS_WIN32",
    "meta.event.name": "HTTP",
    "src.process.parent.integrityLevel": "HIGH",
    "src.process.indicatorExploitationCount": 0,
    "src.process.parent.storyline.id": "F81CE6E7AB538ED5",
    "i.scheme": "edr",
    "src.process.integrityLevel": "HIGH",
    "url.address": "https://assets.msn.com/weathermapdata/1/static/weather/Icons/taskbar_v3/Condition_Badge/D200PartlySunny.svg",
    "site.name": "Default site",
    "src.process.netConnInCount": 0,
    "event.time": 1679651744782,
    "timestamp": "2023-03-24T09:55:44.782Z",
    "account.id": "1640744534476381289",
    "dataSource.name": "SentinelOne",
    "endpoint.name": "desktop-jdoe",
    "src.process.image.sha1": "08a3589a9016172702c75f16fe3c694b90942514",
    "src.process.isStorylineRoot": true,
    "src.process.parent.image.path": "C:\\Windows\\System32\\userinit.exe",
    "dataSource.vendor": "SentinelOne",
    "src.process.pid": 5044,
    "tgt.file.isSigned": "signed",
    "sca:ingestTime": 1679651791,
    "dataSource.category": "security",
    "src.process.cmdline": "C:\\Windows\\Explorer.EXE",
    "src.process.publisher": "MICROSOFT WINDOWS",
    "src.process.crossProcessThreadCreateCount": 0,
    "src.process.parent.isNative64Bit": false,
    "src.process.parent.isRedirectCmdProcessor": false,
    "src.process.signedStatus": "signed",
    "src.process.crossProcessCount": 18,
    "event.id": "01GW9GRJCPRADP5V80KH7RQMGX_4",
    "src.process.parent.cmdline": "C:\\Windows\\system32\\userinit.exe",
    "src.process.image.path": "C:\\Windows\\explorer.exe",
    "src.process.tgtFileModificationCount": 114,
    "src.process.indicatorEvasionCount": 1,
    "src.process.netConnOutCount": 3,
    "src.process.crossProcessDupThreadHandleCount": 4,
    "endpoint.os": "windows",
    "src.process.tgtFileDeletionCount": 5,
    "src.process.startTime": 1679651150108,