
Stormshield SES

Overview

Stormshield SES is a comprehensive cybersecurity solution designed to protect individual devices, such as computers and servers, from various cyber threats and attacks. It encompasses advanced features like antivirus, firewall, intrusion detection and prevention, application control, and data encryption. This solution aims to safeguard endpoints from malware, ransomware, phishing, and other malicious activities, while providing centralized management and real-time threat visibility for enhanced security posture.

  • Vendor: Stormshield
  • Plan: Defend Core & Defend Prime
  • Supported environment: On prem
  • Version Compatibility: 7.0
  • Detection based on: Telemetry

Configure

This section guides you through forwarding Stormshield SES logs to Sekoia.io.

Create the intake

Go to the intake page and create a new intake from the format Stormshield Endpoint Security.

Configure the Agent handler

  1. Log on to your Stormshield SES console
  2. Go to Backoffice > Agent handlers
  3. Select an Agent handler group or create a new one
  4. In the Agent handler group, under Syslog servers, click + Add a server
  5. In the syslog server configuration:

  6. Set the address of the syslog destination to intake.sekoia.io

  7. Select TCP/TLS as the protocol
  8. Define the syslog destination port to 10514
  9. Select Raw Json as the message content
  10. Select Non-Transparent-Framing as the transfer type
  11. In the Structured data input, add [SEKOIA@53288 intake_key="<YOUR_INTAKE_KEY>"], replacing the placeholder with your intake key
  12. Save the configuration

Troubleshooting

The SES Agent handler cannot authenticate the Sekoia.io syslog endpoint

The Sekoia.io syslog endpoint is secured with a Let's Encrypt certificate.

Depending on your SES Agent handler installation, it may be necessary to install the ISRG Root X1 certificate in the trusted root certification authorities certificate store, otherwise the Agent handler cannot validate the endpoint's certificate chain and the TLS connection fails:

On the SES Agent handler machines:

  1. Download the ISRG ROOT X1 certificate: https://letsencrypt.org/certs/isrgrootx1.pem
  2. Rename the downloaded certificate so that it has the .crt extension
  3. Import the certificate into the machine's trusted root certification authorities certificate store

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "Version": 1,
    "Type": 1000,
    "TypeComputedMap": "LostBuffers",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0E997D-0D6B-40A9-81F1-7C21E9B8AAD3}",
    "Timestamp": "2023-06-15T06:30:00.0000000+01:00",
    "TimestampRaw": 133232454000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "LostBuffersCount": 35
    }
}
{
    "Version": 1,
    "Type": 1001,
    "TypeComputedMap": "RulesEngCriticalError",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD054D09-4231-4A21-8BA1-440AEBAC0CC9}",
    "Timestamp": "2023-06-15T06:40:00.0000000+01:00",
    "TimestampRaw": 133232460000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 1002,
    "TypeComputedMap": "RulesEngIdentifierCollectionError",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD060B75-CD2D-4F29-9E23-8F45C47772BA}",
    "Timestamp": "2023-06-15T06:50:00.0000000+01:00",
    "TimestampRaw": 133232466000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 1003,
    "TypeComputedMap": "RulesEngRulesPackageError",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0969EB-BA6D-481A-B96D-730EC18FE560}",
    "Timestamp": "2023-06-15T07:00:00.0000000+01:00",
    "TimestampRaw": 133232472000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "RulesPackageKeyPath": "HKLM\\TestPath\\Here"
    }
}
{
    "Version": 1,
    "Type": 1004,
    "TypeComputedMap": "RulesEngInvalidParameter",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD075EE1-778C-4E3E-81E5-A565E4A4FF68}",
    "Timestamp": "2023-06-15T07:10:00.0000000+01:00",
    "TimestampRaw": 133232478000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 1006,
    "TypeComputedMap": "TemporaryWebAccessStart",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD07FF6B-417C-4249-B1D6-259FEDD9CFF2}",
    "Timestamp": "2023-06-15T07:20:00.0000000+01:00",
    "TimestampRaw": 133232484000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Duration": 50000,
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 1007,
    "TypeComputedMap": "TemporaryWebAccessStartFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD04C4F9-0196-441F-A772-F54FC0793D41}",
    "Timestamp": "2023-06-15T07:30:00.0000000+01:00",
    "TimestampRaw": 133232490000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5,
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 1008,
    "TypeComputedMap": "TemporaryWebAccessStop",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0E045B-4A76-4297-9269-D7DDE4C631FD}",
    "Timestamp": "2023-06-15T07:40:00.0000000+01:00",
    "TimestampRaw": 133232496000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": null,
        "UserDomainLookup": null,
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 1009,
    "TypeComputedMap": "TemporaryWebAccessStopFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD02A68E-3F78-438B-B64B-79112040192E}",
    "Timestamp": "2023-06-15T07:50:00.0000000+01:00",
    "TimestampRaw": 133232502000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5,
        "UserNameLookup": null,
        "UserDomainLookup": null,
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 1010,
    "TypeComputedMap": "AgentInternalLogExceedMaxSize",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F16E5-852C-4686-9979-AA5A859D50F2}",
    "Timestamp": "2023-06-15T08:00:00.0000000+01:00",
    "TimestampRaw": 133232508000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "FaultyLogType": 1010,
        "FaultyLogTypeComputedMap": null
    }
}
{
    "Version": 1,
    "Type": 1011,
    "TypeComputedMap": "TemporaryWebAccessMaxCountReached",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09731F-F853-4815-9DE3-C4B6991F689E}",
    "Timestamp": "2023-06-15T08:10:00.0000000+01:00",
    "TimestampRaw": 133232514000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 103,
    "TypeComputedMap": "RegistryKeyCreate",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD042F09-DB50-4EDB-8370-DB9A3C37A5EF}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T05:23:57.0238678+02:00",
    "TimestampRaw": 133311362370238678,
    "SpecificData": {
        "SourceProcess": {
            "PID": 1832,
            "ProcessGuid": "{E38CB57F-32F0-4AB4-9581-8CDD6B0E95B1}",
            "ProcessImageName": "C:\\Windows\\System32\\svchost.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\WINDOWS\\system32\\svchost.exe-knetsvcs-p-swlidsvc",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-16384",
            "IntegrityLevelNameLookup": "Niveauobligatoiresyst\u00e8me",
            "IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
            "SessionID": 0,
            "HashMd5": "B7F884C1B74A263F746EE12A5F7C9F6A",
            "HashSha1": "1BC5066DDF693FC034D6514618854E26A84FD0D1",
            "HashSha256": "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindowsPublisher",
                    "SigningTime": "2022-06-18T08:21:06.9540000+02:00",
                    "ValidityStart": "2022-01-27T21:31:19.0000000+02:00",
                    "ValidityEnd": "2023-01-26T21:31:19.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-06-13T15:17:42.8190445+02:00",
            "ProcessStartTimeRaw": 133311358628190445
        },
        "Action": {
            "PolicyGuid": "{621F7A4B-040E-42C2-9B4F-173BA48E067B}",
            "PolicyVersion": 2,
            "RuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}",
            "BaseRuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAA9}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Details": {
            "Options": 1,
            "OptionsComputedBitMap": [
                "REG_OPTION_VOLATILE"
            ],
            "DesiredAccess": 131103,
            "DesiredAccessComputedBitMap": [
                "KEY_QUERY_VALUE",
                "KEY_SET_VALUE",
                "KEY_CREATE_SUB_KEY",
                "KEY_ENUMERATE_SUB_KEYS",
                "KEY_NOTIFY",
                "READ_CONTROL"
            ]
        },
        "DetailsType": 0,
        "DetailsTypeComputedMap": "REGISTRY_KEY_CREATE",
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}"
    }
}
{
    "Version": 1,
    "Type": 104,
    "TypeComputedMap": "RegistryKeyRead",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0B285F-2E43-4390-823C-73CB7736D0AA}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T05:34:00.8441322+02:00",
    "TimestampRaw": 133311368408441322,
    "SpecificData": {
        "SourceProcess": {
            "PID": 6704,
            "ProcessGuid": "{0E6042A8-0DC3-47A6-9FB4-8936B396C1AC}",
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\WINDOWS\\Explorer.EXE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
            "IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
            "SessionID": 2,
            "HashMd5": "790E65F13ECEB64FE297DF08EB1C953A",
            "HashSha1": "5F04BC4911EEBA35EC294B111C57D90808A4C4BD",
            "HashSha256": "B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-05-09T10:18:43.9710000+02:00",
                    "ValidityStart": "2023-02-03T02:05:42.0000000+02:00",
                    "ValidityEnd": "2024-02-01T02:05:42.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-06-13T15:32:52.0646809+02:00",
            "ProcessStartTimeRaw": 133311367720646809
        },
        "Action": {
            "PolicyGuid": "{621F7A4B-040E-42C2-9B4F-173BA48E067B}",
            "PolicyVersion": 4,
            "RuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}",
            "BaseRuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAA9}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones",
        "InformationClass": 0,
        "InformationClassComputedMap": "KeyBasicInformation"
    }
}
{
    "Version": 1,
    "Type": 104,
    "TypeComputedMap": "RegistryKeyRead",
    "Severity": 2,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{4C8EFA24-0021-49CA-B9F7-CF5A7BF57173}",
    "GenerateIncident": true,
    "Timestamp": "2024-07-09T12:08:54.9660242+02:00",
    "TimestampRaw": 133649933349660242,
    "SpecificData": {
        "SourceProcess": {
            "PID": 3948,
            "ProcessGuid": "{93158E40-E93F-46CE-BCE0-3FC359B07B75}",
            "ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-16384",
            "IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me",
            "IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire",
            "SessionID": 0,
            "HashMd5": "4A4D6E95B693256BCD6E90FDC077194A",
            "HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E",
            "HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED",
            "IsProtectedOrCritical": true,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Microsoft Windows Production PCA 2011",
                    "SubjectCN": "Microsoft Windows Publisher",
                    "SigningTime": "2024-05-11T03:15:15.5120000+02:00",
                    "ValidityStart": "2024-02-08T21:22:45.0000000+02:00",
                    "ValidityEnd": "2025-02-07T21:22:45.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00",
            "ProcessStartTimeRaw": 133649858344154623
        },
        "Action": {
            "PolicyGuid": "{2042076D-A879-4913-A2C7-E94A9ECE8D79}",
            "PolicyVersion": 14,
            "RuleGuid": "{F676C8C4-D8FD-4ED2-89FB-C949EA33951C}",
            "BaseRuleGuid": "{508448D3-1872-416D-99D9-A3F64AE24C48}",
            "IdentifierGuid": "{6F1EAB4E-60E5-4DA2-8509-768988375E47}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false,
            "RuleTags": [
                "T1562.001"
            ]
        },
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths",
        "InformationClass": 4,
        "InformationClassComputedMap": "KeyCachedInformation"
    },
    "AdditionalData": {
        "AgentAddresses": [
            "1.2.3.4"
        ],
        "AgentGroupGuid": "{1B24AC36-5218-4F44-A374-80D86475E325}",
        "AgentGroupName": "Demo",
        "AgentGuid": "{6CA7D1BE-7359-426D-B5B1-D9E742DF69A6}",
        "AgentName": "WIN10-A",
        "AttackCVEId": null,
        "AttackMitreTacticId": [
            "TA0005"
        ],
        "AttackMitreTacticName": [
            "Defense Evasion"
        ],
        "AttackMitreTechnicId": [
            "T1562",
            "T1562.001"
        ],
        "AttackMitreTechnicName": [
            "Impair Defenses",
            "Disable or Modify Tools"
        ],
        "AttackSESId": null,
        "AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.",
        "CategoryName": "Registry",
        "IncidentGuid": "{CE926A32-4461-47C0-BDE8-43C1493E7DF0}",
        "Message": "The 'MsMpEng.exe' process read the registry key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths'",
        "PolicyName": "Demo - Protect policy",
        "SeverityName": "Critical"
    }
}
{
    "Version": 1,
    "Type": 109,
    "TypeComputedMap": "RegistryKeyWrite",
    "Category": 1,
    "CategoryComputedMap": "Registry",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0D1A3F-D034-4FE6-BE01-10DB9C0F6C4E}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:07:58.8191262+01:00",
    "TimestampRaw": 133225888788191262,
    "SpecificData": {
        "SourceProcess": {
            "PID": 1196,
            "ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
            "ProcessImageName": "C:\\Windows\\regedit.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "999A30979F6195BF562068639FFC4426",
            "HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
            "HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-18T02:58:33.2360000+01:00",
                    "ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
            "ProcessStartTimeRaw": 133225886618793902
        },
        "Action": {
            "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
            "PolicyVersion": 3,
            "RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
            "BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Details": {
            "Options": 0,
            "OptionsComputedBitMap": [],
            "DesiredAccess": 33554432,
            "DesiredAccessComputedBitMap": [
                "MAXIMUM_ALLOWED"
            ],
            "SubkeyName": "NewKey#1"
        },
        "DetailsType": 0,
        "DetailsTypeComputedMap": "REGISTRY_KEY_CREATE_SUBKEY",
        "Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE"
    }
}
{
    "Version": 1,
    "Type": 11,
    "TypeComputedMap": "ProcessExecution",
    "Category": 4,
    "CategoryComputedMap": "Other",
    "Severity": 2,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD066513-E7B5-4F79-AE62-0885C51EA629}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:08:53.7673622+01:00",
    "TimestampRaw": 133209473337673622,
    "SpecificData": {
        "SourceProcess": {
            "PID": 5496,
            "ProcessGuid": "{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}",
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "DEEEE5E9267B65A9A82BE24BE2693365",
            "HashSha1": "FC924E1BBEC021CB5685B05728618EB421AD3FBE",
            "HashSha256": "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-06T12:01:50.2850000+01:00",
                    "ValidityStart": "2022-05-05T20:23:15.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:15.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-02-15T11:35:02.4495876+01:00",
            "ProcessStartTimeRaw": 133209309024495876
        },
        "Action": {
            "PolicyGuid": "{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}",
            "PolicyVersion": 3,
            "RuleGuid": "{4DE7AEC5-BACF-46F8-9B78-2203A14D1562}",
            "BaseRuleGuid": "{4DE7AEC5-BACF-46F8-9B78-2203A14D1561}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "CreatedProcess": {
            "PID": 5280,
            "ProcessGuid": "{2E91C661-4ACA-4CDB-84D1-CCD98308B120}",
            "ProcessImageName": "C:\\Windows\\System32\\notepad.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\Windows\\system32\\notepad.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "Test",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "27F71B12CB585541885A31BE22F61C83",
            "HashSha1": "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5",
            "HashSha256": "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2022-07-21T02:36:42.3560000+01:00",
                    "ValidityStart": "2021-09-02T19:23:41.0000000+01:00",
                    "ValidityEnd": "2022-09-01T19:23:41.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-02-15T16:08:53.7602140+01:00",
            "ProcessStartTimeRaw": 133209473337602140
        },
        "ParentProcess": {
            "PID": 5496,
            "ProcessGuid": "{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}",
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "Test",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "DEEEE5E9267B65A9A82BE24BE2693365",
            "HashSha1": "FC924E1BBEC021CB5685B05728618EB421AD3FBE",
            "HashSha256": "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-06T12:01:50.2850000+01:00",
                    "ValidityStart": "2022-05-05T20:23:15.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:15.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-02-15T11:35:02.4495876+01:00",
            "ProcessStartTimeRaw": 133209309024495876
        }
    }
}
{
    "Version": 1,
    "Type": 112,
    "TypeComputedMap": "RegistryKeyDelete",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0DBC09-BED9-4335-B645-643B9CAB885C}",
    "Timestamp": "2023-06-15T02:50:00.0000000+01:00",
    "TimestampRaw": 133232322000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Details": null,
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Test",
        "SourceProcess": {
            "PID": 8,
            "ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "f0fbb584-bc08-41d1-93a2-a04f8fc65c32",
            "ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
            "HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB111",
            "HashSha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6",
            "HashSha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 5,
            "Certificates": null,
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateUntrusted"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 113,
    "TypeComputedMap": "RegistryValueCreate",
    "Category": 1,
    "CategoryComputedMap": "Registry",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD003007-3EE1-478E-9D07-A3772739A5E6}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:13:20.2600711+01:00",
    "TimestampRaw": 133225892002600711,
    "SpecificData": {
        "SourceProcess": {
            "PID": 1196,
            "ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
            "ProcessImageName": "C:\\Windows\\regedit.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "999A30979F6195BF562068639FFC4426",
            "HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
            "HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-18T02:58:33.2360000+01:00",
                    "ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
            "ProcessStartTimeRaw": 133225886618793902
        },
        "Action": {
            "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
            "PolicyVersion": 4,
            "RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
            "BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE",
        "ValueName": "Valeur_String",
        "ValueDataType": 1,
        "ValueDataTypeComputedMap": "REG_SZ",
        "ValueData": ""
    }
}
{
    "Version": 1,
    "Type": 113,
    "TypeComputedMap": "RegistryValueCreate",
    "Severity": 5,
    "ServerReserved": 9,
    "Attributes": 8,
    "AttributesComputedBitMap": [
        "Audit"
    ],
    "EventGuid": "{E8B35E85-838F-44E5-B7AB-7635E9C81ECB}",
    "GenerateIncident": false,
    "Timestamp": "2024-03-22T12:39:27.6422102+01:00",
    "TimestampRaw": 133555811676422102,
    "SpecificData": {
        "SourceProcess": {
            "PID": 1196,
            "ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
            "ProcessImageName": "C:\\Windows\\regedit.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operatingsystem"
            ],
            "ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "999A30979F6195BF562068639FFC4426",
            "HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
            "HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-18T02:58:33.2360000+01:00",
                    "ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
            "ProcessStartTimeRaw": 133225886618793902
        },
        "Action": {
            "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
            "PolicyVersion": 4,
            "RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
            "BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Path": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements\\25000004",
        "ValueName": "Element",
        "ValueDataType": 3,
        "ValueDataTypeComputedMap": "REG_BINARY",
        "ValueData": [
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0
        ]
    },
    "AdditionalData": {
        "AgentAddresses": [],
        "AgentGroupGuid": "{61B578F4-289D-4B97-A331-DDDCB80C6427}",
        "AgentGroupName": "Desktop",
        "AgentGuid": "{6EF8564D-941A-4377-80FD-78CD3DFEB269}",
        "AgentName": "DST-001",
        "CategoryName": "Registry",
        "IncidentGuid": null,
        "Message": "The'svchost.exe'processcreatedtheregistryvalue'Element'",
        "PolicyName": "Stormshield-Mediumpolicy-External",
        "SeverityName": "Notice"
    }
}
{
    "Version": 1,
    "Type": 114,
    "TypeComputedMap": "RegistryValueRead",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F267B-2FBB-4457-99C1-AC4663C7FC93}",
    "Timestamp": "2023-06-15T03:10:00.0000000+01:00",
    "TimestampRaw": 133232334000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ValueName": "Value2",
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
        "SourceProcess": {
            "PID": 1,
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "UserSID": null,
            "SessionID": 2,
            "ProcessGuid": "92c246ec-0acd-11ea-a38a-00155d099004",
            "ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
            "HashMd5": "4E196CEA0C9C46A7D656C67E52E8C7C7",
            "HashSha1": "726C9D759C5F02080FA003B50466A3BE0C959865",
            "HashSha256": "ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 1,
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Microsoft Windows Production PCA 2011",
                    "SigningTime": "2019-10-20T14:09:02.8886192+01:00",
                    "ValidityEnd": "2020-05-02T22:24:36.0705280+01:00",
                    "ValidityStart": "2019-05-02T22:24:36.7807872+01:00",
                    "SubjectCN": "Microsoft Windows"
                }
            ],
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        }
    }
}
{
    "Version": 1,
    "Type": 114,
    "TypeComputedMap": "RegistryValueRead",
    "Severity": 2,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{002A9967-5EF2-40CF-911D-7DBA518843A9}",
    "GenerateIncident": true,
    "Timestamp": "2024-07-09T12:33:11.2491955+02:00",
    "TimestampRaw": 133649947912491955,
    "SpecificData": {
        "SourceProcess": {
            "PID": 3948,
            "ProcessGuid": "{9BC994D7-904B-4C9C-8DC0-A03A36F36276}",
            "ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-16384",
            "IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me",
            "IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire",
            "SessionID": 0,
            "HashMd5": "4A4D6E95B693256BCD6E90FDC077194A",
            "HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E",
            "HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED",
            "IsProtectedOrCritical": true,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Microsoft Windows Production PCA 2011",
                    "SubjectCN": "Microsoft Windows Publisher",
                    "SigningTime": "2024-05-11T03:15:15.5120000+02:00",
                    "ValidityStart": "2024-02-08T21:22:45.0000000+02:00",
                    "ValidityEnd": "2025-02-07T21:22:45.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00",
            "ProcessStartTimeRaw": 133649858344154623
        },
        "Action": {
            "PolicyGuid": "{DDAB1006-337F-4B8C-8486-E5A9619144BB}",
            "PolicyVersion": 14,
            "RuleGuid": "{4FAC2120-288B-4B3C-9F77-2E5B6ECBB85E}",
            "BaseRuleGuid": "{49A8528E-E749-4A9D-8736-2CF9380DE241}",
            "IdentifierGuid": "{0B7EF8C7-FAE0-4890-981A-22FE12F22173}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false,
            "RuleTags": [
                "T1562.001"
            ]
        },
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes",
        "ValueName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe"
    },
    "AdditionalData": {
        "AgentAddresses": [
            "1.2.3.4"
        ],
        "AgentGroupGuid": "{8AD24A5D-0B19-45E2-9B28-F584F8A54CBC}",
        "AgentGroupName": "Demo",
        "AgentGuid": "{CC0772D7-8EBC-4EE6-9FC0-A8B26F5FA7FF}",
        "AgentName": "WIN10-A",
        "AttackCVEId": null,
        "AttackMitreTacticId": [
            "TA0005"
        ],
        "AttackMitreTacticName": [
            "Defense Evasion"
        ],
        "AttackMitreTechnicId": [
            "T1562",
            "T1562.001"
        ],
        "AttackMitreTechnicName": [
            "Impair Defenses",
            "Disable or Modify Tools"
        ],
        "AttackSESId": null,
        "AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.",
        "CategoryName": "Registry",
        "IncidentGuid": "{DA0FA4D3-76B8-4EE0-A8B7-5AFDF9F80071}",
        "Message": "The 'MsMpEng.exe' process read the registry value 'C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe'",
        "PolicyName": "Demo - Protect policy",
        "SeverityName": "Critical"
    }
}
{
    "Version": 1,
    "Type": 115,
    "TypeComputedMap": "RegistryValueWrite",
    "Category": 1,
    "CategoryComputedMap": "Registry",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09D00C-D632-4FB1-9606-AD80E2AB9AF5}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:13:26.1106189+01:00",
    "TimestampRaw": 133225892061106189,
    "SpecificData": {
        "SourceProcess": {
            "PID": 1196,
            "ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
            "ProcessImageName": "C:\\Windows\\regedit.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "999A30979F6195BF562068639FFC4426",
            "HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
            "HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-18T02:58:33.2360000+01:00",
                    "ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
                    "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
                }
            ],
            "ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
            "ProcessStartTimeRaw": 133225886618793902
        },
        "Action": {
            "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
            "PolicyVersion": 4,
            "RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
            "BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
            "IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE",
        "ValueName": "Valeur_String",
        "ValueDataType": 1,
        "ValueDataTypeComputedMap": "REG_SZ",
        "ValueData": "lala"
    }
}
{
    "Version": 1,
    "Type": 116,
    "TypeComputedMap": "RegistryValueDelete",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0503D8-60D7-4B07-B649-6F70DE5A1125}",
    "Timestamp": "2023-06-15T03:30:00.0000000+01:00",
    "TimestampRaw": 133232346000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ValueName": "Value2",
        "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
        "SourceProcess": {
            "PID": 6,
            "ProcessImageName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "bed63e83-0f85-11ea-a38e-00155d099004",
            "ProcessCommandLine": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe\"",
            "HashMd5": "0470A1A62B3FAA0AF44D9AFD9FAFB111",
            "HashSha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6",
            "HashSha256": "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 8,
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Stormshield",
                    "SigningTime": "2019-11-25T14:15:45.4765488+01:00",
                    "ValidityEnd": "2040-01-01T00:59:59.1248256+01:00",
                    "ValidityStart": "2017-04-25T15:21:15.7216000+01:00",
                    "SubjectCN": "Stormshield"
                }
            ],
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateBadSignature"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 11,
    "TypeComputedMap": "ProcessExecution",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{5024762E-73B4-40DC-823A-7B080C82C542}",
    "GenerateIncident": true,
    "Timestamp": "2024-02-01T08:10:33.7922326-08:00",
    "TimestampRaw": 133512774337922326,
    "SpecificData": {
        "SourceProcess": {
            "PID": 7248,
            "ProcessGuid": "{90FC03BE-4FBF-4184-A304-6D4B00AA152B}",
            "ProcessImageName": "C:\\ragnarlocker.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\ragnarlocker.exe\" ",
            "User": "S-1-5-21-1111111111-22222222-3333333333-000",
            "UserNameLookup": "Administrator",
            "UserDomainLookup": "EXAMPLE",
            "IntegrityLevel": "S-1-16-11111",
            "IntegrityLevelNameLookup": "High Mandatory Level",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "SessionID": 1,
            "HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
            "HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
            "HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 2,
            "CertificateSignatureStateComputedMap": "SignatureStateNoSignature",
            "Certificates": [],
            "ProcessStartTime": "2024-02-01T08:10:33.5801449-08:00",
            "ProcessStartTimeRaw": 133512774335801449
        },
        "Action": {
            "PolicyGuid": "{64AA4553-15FC-4188-B4AD-A0BDCFB11ED9}",
            "PolicyVersion": 14,
            "RuleGuid": "{B88B8874-E8E3-4F42-92B8-61D364DB65B9}",
            "BaseRuleGuid": "{0C4D019E-B7D5-4456-909A-C5F4152461AE}",
            "IdentifierGuid": "{BC74B5FB-8880-4A74-8316-FE865F9EA75C}",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        },
        "CreatedProcess": {
            "PID": 11308,
            "ProcessGuid": "{24F0AA75-BC26-4245-829E-97087BB07A47}",
            "ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet",
            "User": "S-1-5-21-1111111111-22222222-3333333333-000",
            "UserNameLookup": "Administrator",
            "UserDomainLookup": "EXAMPLE",
            "IntegrityLevel": "S-1-16-11111",
            "IntegrityLevelNameLookup": "High Mandatory Level",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "SessionID": 1,
            "HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
            "HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
            "HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Microsoft Windows Production PCA 2011",
                    "SubjectCN": "Microsoft Windows",
                    "SigningTime": "2013-08-22T05:07:49.2400000-08:00",
                    "ValidityStart": "2013-06-17T13:43:38.0000000-08:00",
                    "ValidityEnd": "2014-09-17T13:43:38.0000000-08:00"
                }
            ],
            "ProcessStartTime": "2024-02-01T08:10:33.7833468-08:00",
            "ProcessStartTimeRaw": 133512774337833468
        },
        "ParentProcess": {
            "PID": 7248,
            "ProcessGuid": "{D057290C-D86A-441B-B3CB-C6E54D42EBA5}",
            "ProcessImageName": "C:\\ragnarlocker.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "\"C:\\ragnarlocker.exe\" ",
            "User": "S-1-5-21-1111111111-22222222-3333333333-000",
            "UserNameLookup": "Administrator",
            "UserDomainLookup": "EXAMPLE",
            "IntegrityLevel": "S-1-16-11111",
            "IntegrityLevelNameLookup": "High Mandatory Level",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "SessionID": 1,
            "HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
            "HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
            "HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 2,
            "CertificateSignatureStateComputedMap": "SignatureStateNoSignature",
            "Certificates": [],
            "ProcessStartTime": "2024-02-01T08:10:33.5801449-08:00",
            "ProcessStartTimeRaw": 133512774335801449
        }
    },
    "AdditionalData": {
        "AgentAddresses": [
            "172.24.0.14"
        ],
        "AgentGroupGuid": "{00000000-0000-0000-0000-000000000000}",
        "AgentGroupName": "Default group",
        "AgentGuid": "{074C7CCE-ACF4-4674-9650-4B63B569892F}",
        "AgentName": "WINSERVER2012",
        "CategoryName": "Process",
        "IncidentGuid": "{12CA4135-575E-49DE-89AD-4CD35EE2EB3B}",
        "Message": "The 'ragnarlocker.exe' process attempted to run the 'cmd.exe' process",
        "PolicyName": "Stormshield - Incredible policy (1)",
        "SeverityName": "Emergency"
    }
}
{
    "Version": 1,
    "Type": 173,
    "TypeComputedMap": "FileCreate",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0791A3-DF3A-49CB-922A-38C054779CBC}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:19:30.8012653+02:00",
    "TimestampRaw": 133311395708012653,
    "SpecificData": {
        "SourceProcess": {
            "PID": 4816,
            "ProcessGuid": "{1A83B343-5C5C-4B0E-977A-B20CF86B43A8}",
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "VolumeZone": 3,
            "VolumeZoneComputedBitMap": [
                "Operating system",
                "Computer Boot"
            ],
            "ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 1,
            "HashMd5": "81886624735B4F8F019E731A8A2E6E69",
            "HashSha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF",
            "HashSha256": "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-04-15T11:56:31.9920000+02:00",
                    "ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
                    "ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-06-13T14:28:06.6858009+02:00",
            "ProcessStartTimeRaw": 133311328866858009
        },
        "Action": {
            "PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
            "PolicyVersion": 6,
            "RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
            "BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
            "IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "UsbDeviceInfo": {
            "VendorId": 5118,
            "ProductId": 25344,
            "Class": 0,
            "ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
            "SubClass": 0,
            "Protocol": 0,
            "SerialNumber": "072117691198E329",
            "VendorName": "",
            "ProductName": "USBDISK3.0",
            "Interfaces": [
                {
                    "Class": 8,
                    "ClassComputedMap": "MassStorage",
                    "Subclass": 6,
                    "Protocol": 80
                }
            ]
        },
        "UsbVolumeTrackingData": {
            "EnrollFileState": 0,
            "EnrollFileStateComputedMap": "Noenrollfile",
            "FootprintFileState": 0,
            "FootprintFileStateComputedMap": "Nofootprintfile",
            "VendorId": 0,
            "ProductId": 0,
            "SerialNumberHashSha256": "0000000000000000000000000000000000000000000000000000000000000000",
            "EnrollGuid": "{00000000-0000-0000-0000-000000000000}"
        },
        "AccessFromNetwork": {},
        "Details": {
            "SourcePath": "F:\\NewTextDocument.txt",
            "Flags": 0,
            "FlagsComputedBitMap": []
        },
        "DetailsType": 2,
        "DetailsTypeComputedMap": "FILE_RENAME_DESTINATION",
        "Path": "F:\\cxvbcxvbcxv.txt",
        "MatchingPath": "",
        "VolumeZone": 3,
        "VolumeZoneComputedBitMap": [
            "Operating system",
            "Computer Boot"
        ],
        "FileObjectType": 0,
        "FileObjectTypeComputedMap": "FILE",
        "FileOwner": "",
        "FileOwnerNameLookup": "",
        "FileOwnerDomainLookup": ""
    }
}
{
    "Version": 1,
    "Type": 174,
    "TypeComputedMap": "FileExecute",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F62D1-43CA-41DE-838D-B80498CB7369}",
    "Timestamp": "2023-06-15T03:50:00.0000000+01:00",
    "TimestampRaw": 133232358000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "AccessFromNetwork": {
            "ShareName": "\\\\Something",
            "AddressFamily": 2,
            "AddressFamilyComputedMap": "IPv4",
            "Address": "127.0.0.1",
            "Port": 80
        },
        "UsbDeviceInfo": {
            "VendorName": "SanDisk",
            "VendorId": 1921,
            "ProductName": "Ultra",
            "ProductId": 21889,
            "SerialNumber": "4C530001211017121370",
            "Class": 1,
            "SubClass": 220,
            "Interfaces": [
                {
                    "Class": 254,
                    "SubClass": 254
                },
                {
                    "Class": 88,
                    "SubClass": 13
                },
                {
                    "Class": 224,
                    "SubClass": 16
                }
            ]
        },
        "UsbVolumeTrackingData": {
            "EnrollFileState": 5,
            "EnrollGuid": "6b8a636d-a508-442e-835f-0538392c904e",
            "FootprintFileState": 0
        },
        "FileOwner": "S-1-5-21-2222222-33333333-44444444-555",
        "FileObjectType": 1,
        "FileObjectTypeComputedMap": "DIRECTORY",
        "MatchingPath": "c:\\tmp\\file2.txt",
        "VolumeZone": 1024,
        "VolumeZoneComputedBitMap": [
            "Remote Webdav"
        ],
        "Details": null,
        "FileOwnerNameLookup": "User1",
        "FileOwnerDomainLookup": "sshield1",
        "Path": "c:\\test\\toto.txt",
        "SourceProcess": {
            "PID": 9,
            "ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "9d367a6c-04e4-491b-baa8-25b674db96d9",
            "ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"",
            "HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB221",
            "HashSha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6",
            "HashSha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 1,
            "Certificates": null,
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 175,
    "TypeComputedMap": "FileRead",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0AA946-7DCE-4AB0-BA45-706B84C1F3FC}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T03:45:11.6239189+02:00",
    "TimestampRaw": 133312167116239189,
    "SpecificData": {
        "SourceProcess": {
            "PID": 196,
            "ProcessGuid": "{FE730151-438E-4EEC-A433-47C5D4E3B8F0}",
            "ProcessImageName": "C:\\Windows\\System32\\SearchIndexer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-16384",
            "IntegrityLevelNameLookup": "SystemMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 0,
            "HashMd5": "38E354B0E48633125C5AE4DF7A86AA27",
            "HashSha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD",
            "HashSha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-03-29T01:48:03.5290000+02:00",
                    "ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
                    "ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-06-14T11:12:07.0737445+02:00",
            "ProcessStartTimeRaw": 133312075270737445
        },
        "Action": {
            "PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
            "PolicyVersion": 9,
            "RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
            "BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
            "IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "UsbDeviceInfo": {
            "VendorId": 1921,
            "ProductId": 21889,
            "Class": 0,
            "ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
            "SubClass": 0,
            "Protocol": 0,
            "SerialNumber": "04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117",
            "VendorName": "USB",
            "ProductName": "SanDisk3.2Gen1",
            "Interfaces": [
                {
                    "Class": 8,
                    "ClassComputedMap": "MassStorage",
                    "Subclass": 6,
                    "Protocol": 80
                }
            ]
        },
        "UsbVolumeTrackingData": {
            "EnrollFileState": 5,
            "EnrollFileStateComputedMap": "Enrollfileisvalidanditscontentmatches.",
            "FootprintFileState": 5,
            "FootprintFileStateComputedMap": "Footprintfileisvalidanditscontentmatches",
            "VendorId": 1921,
            "ProductId": 21889,
            "SerialNumberHashSha256": "00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98",
            "EnrollGuid": "{2474130E-C1AA-4E37-A63E-88AA950FE3CA}"
        },
        "AccessFromNetwork": {},
        "Details": {},
        "DetailsType": 1,
        "DetailsTypeComputedMap": "FILE_READ_DATA",
        "Path": "E:\\SystemVolumeInformation\\IndexerVolumeGuid",
        "MatchingPath": "",
        "VolumeZone": 32768,
        "VolumeZoneComputedBitMap": [
            "Removableunknown"
        ],
        "FileObjectType": 0,
        "FileObjectTypeComputedMap": "FILE",
        "FileOwner": "",
        "FileOwnerNameLookup": "",
        "FileOwnerDomainLookup": ""
    }
}
{
    "Version": 1,
    "Type": 176,
    "TypeComputedMap": "FileWrite",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0C1ABD-CE40-4411-AFCB-FB4B8B330BF1}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T03:45:11.6219776+02:00",
    "TimestampRaw": 133312167116219776,
    "SpecificData": {
        "SourceProcess": {
            "PID": 196,
            "ProcessGuid": "{FE730151-438E-4EEC-A433-47C5D4E3B8F0}",
            "ProcessImageName": "C:\\Windows\\System32\\SearchIndexer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-16384",
            "IntegrityLevelNameLookup": "SystemMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 0,
            "HashMd5": "38E354B0E48633125C5AE4DF7A86AA27",
            "HashSha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD",
            "HashSha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-03-29T01:48:03.5290000+02:00",
                    "ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
                    "ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-06-14T11:12:07.0737445+02:00",
            "ProcessStartTimeRaw": 133312075270737445
        },
        "Action": {
            "PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
            "PolicyVersion": 9,
            "RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
            "BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
            "IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "UsbDeviceInfo": {
            "VendorId": 1921,
            "ProductId": 21889,
            "Class": 0,
            "ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
            "SubClass": 0,
            "Protocol": 0,
            "SerialNumber": "04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117",
            "VendorName": "USB",
            "ProductName": "SanDisk3.2Gen1",
            "Interfaces": [
                {
                    "Class": 8,
                    "ClassComputedMap": "MassStorage",
                    "Subclass": 6,
                    "Protocol": 80
                }
            ]
        },
        "UsbVolumeTrackingData": {
            "EnrollFileState": 5,
            "EnrollFileStateComputedMap": "Enrollfileisvalidanditscontentmatches.",
            "FootprintFileState": 5,
            "FootprintFileStateComputedMap": "Footprintfileisvalidanditscontentmatches",
            "VendorId": 1921,
            "ProductId": 21889,
            "SerialNumberHashSha256": "00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98",
            "EnrollGuid": "{2474130E-C1AA-4E37-A63E-88AA950FE3CA}"
        },
        "AccessFromNetwork": {},
        "Details": {
            "SecurityInformation": 5,
            "SecurityInformationComputedBitMap": [
                "OWNER_SECURITY_INFORMATION",
                "DACL_SECURITY_INFORMATION"
            ]
        },
        "DetailsType": 10,
        "DetailsTypeComputedMap": "FILE_SET_SECURITY",
        "Path": "E:\\SystemVolumeInformation",
        "MatchingPath": "",
        "VolumeZone": 32768,
        "VolumeZoneComputedBitMap": [
            "Removableunknown"
        ],
        "FileObjectType": 0,
        "FileObjectTypeComputedMap": "FILE",
        "FileOwner": "",
        "FileOwnerNameLookup": "",
        "FileOwnerDomainLookup": ""
    }
}
{
    "Version": 1,
    "Type": 177,
    "TypeComputedMap": "FileDelete",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD06EECF-C8D3-4BBE-B98F-A0DC5EDDE0C8}",
    "Timestamp": "2023-06-15T04:20:00.0000000+01:00",
    "TimestampRaw": 133232376000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "DetailsType": 2,
        "DetailsTypeComputedMap": "FILE_RENAME_SOURCE",
        "AccessFromNetwork": {
            "ShareName": "\\\\Something",
            "AddressFamily": 23,
            "AddressFamilyComputedMap": "IPv6",
            "Address": "192.168.128.211",
            "Port": 22
        },
        "UsbDeviceInfo": {
            "VendorName": "SanDisk",
            "VendorId": 1921,
            "ProductName": "Ultra",
            "ProductId": 21889,
            "SerialNumber": "4C530001211017121370",
            "Class": 1,
            "SubClass": 3,
            "Interfaces": [
                {
                    "Class": 8,
                    "SubClass": 11
                },
                {
                    "Class": 18,
                    "SubClass": 9
                },
                {
                    "Class": 11,
                    "SubClass": 254
                }
            ]
        },
        "UsbVolumeTrackingData": {
            "EnrollFileState": 1,
            "EnrollGuid": "bf93de07-e0e0-45c9-bfc1-3dfd4fb68ef2",
            "FootprintFileState": 5
        },
        "FileOwner": "S-1-5-21-2222222-33333333-44444444-555",
        "FileObjectType": 0,
        "FileObjectTypeComputedMap": "FILE",
        "MatchingPath": "c:\\tmp\\file2.txt",
        "VolumeZone": 64,
        "VolumeZoneComputedBitMap": [
            "Floppy"
        ],
        "Details": {
            "DesiredAccess": null,
            "Attributes": null,
            "FileName": null,
            "SourcePath": null,
            "DestinationPath": "c:\\test\\file1.txt",
            "Operation": null,
            "NewFileOwner": null,
            "OldFileOwner": null,
            "InformationClass": null,
            "SecurityInformation": null,
            "PageProtection": null,
            "Address": null,
            "Port": null
        },
        "FileOwnerNameLookup": "User1",
        "FileOwnerDomainLookup": "sshield1",
        "Path": "c:\\tmp\\file2.txt",
        "SourceProcess": {
            "PID": 8,
            "ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "f0fbb584-bc08-41d1-93a2-a04f8fc65c32",
            "ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
            "HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB111",
            "HashSha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6",
            "HashSha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 5,
            "Certificates": null,
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateUntrusted"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 20002,
    "TypeComputedMap": "LostBuffers",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD084103-F26D-49EA-8890-70C7DB7A63A6}",
    "Timestamp": "2023-06-15T08:20:00.0000000+01:00",
    "TimestampRaw": 133232520000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "LostBuffersCount": 30
    }
}
{
    "Version": 1,
    "Type": 20003,
    "TypeComputedMap": "NewPolicyNotification",
    "Category": 4,
    "CategoryComputedMap": "Other",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 4,
    "AttributesComputedBitMap": [
        "Internal"
    ],
    "EventGuid": "{AD093377-53C4-4595-860F-6CD64A4153FB}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:07:54.2839637+01:00",
    "TimestampRaw": 133225888742839637,
    "SpecificData": {
        "PolicyName": "POL_TEST_ADE",
        "PolicyVersion": 3,
        "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
        "PolicyVersionInternal": 4
    }
}
{
    "Version": 1,
    "Type": 20004,
    "TypeComputedMap": "ServiceDidNotEndCorrectly",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD021EAE-7C29-4B3F-852E-553B95D26471}",
    "Timestamp": "2023-06-15T08:40:00.0000000+01:00",
    "TimestampRaw": 133232532000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ServiceName": "EsaAppIdSvc"
    }
}
{
    "Version": 1,
    "Type": 20006,
    "TypeComputedMap": "EndUpgradeAgentSucceeded",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0CD620-F5A8-430B-8FA3-BEC8E204DC74}",
    "Timestamp": "2023-06-15T08:50:00.0000000+01:00",
    "TimestampRaw": 133232538000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20007,
    "TypeComputedMap": "EndUpgradeAgentFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD091E59-399B-4A0B-BB1F-7326C55502ED}",
    "Timestamp": "2023-06-15T09:00:00.0000000+01:00",
    "TimestampRaw": 133232544000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5
    }
}
{
    "Version": 1,
    "Type": 20008,
    "TypeComputedMap": "NewPolicyErrorNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD025B90-CBE6-4DF3-8F4B-BFD11E38270C}",
    "Timestamp": "2023-06-15T09:10:00.0000000+01:00",
    "TimestampRaw": 133232550000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PolicyName": null
    }
}
{
    "Version": 1,
    "Type": 20009,
    "TypeComputedMap": "InvalidHivePackage",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0951E4-DF4A-4D4A-A636-ABEB310BB6E0}",
    "Timestamp": "2023-06-15T09:20:00.0000000+01:00",
    "TimestampRaw": 133232556000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "HivePackageFullPath": "C:\\Users\\User1\\Desktop\\maliviousHive.hive",
        "LoadingOperationStatus": 5
    }
}
{
    "Version": 1,
    "Type": 20010,
    "TypeComputedMap": "StartUninstallAgent",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD042AB6-2DDF-4B8A-A805-9619857ECDFF}",
    "Timestamp": "2023-06-15T09:30:00.0000000+01:00",
    "TimestampRaw": 133232562000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20011,
    "TypeComputedMap": "EndUninstallAgentSucceeded",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0DB33A-2194-4800-AB4E-C2BBCCFDE65D}",
    "Timestamp": "2023-06-15T09:40:00.0000000+01:00",
    "TimestampRaw": 133232568000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20012,
    "TypeComputedMap": "EndUninstallAgentFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD075976-1881-4C1C-AB5F-ABE0E0430C9A}",
    "Timestamp": "2023-06-15T09:50:00.0000000+01:00",
    "TimestampRaw": 133232574000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20013,
    "TypeComputedMap": "InvalidPolicyPackageCab",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0B6BB8-6422-478E-93D7-1D9DD7A61EC3}",
    "Timestamp": "2023-06-15T00:00:00.0000000+01:00",
    "TimestampRaw": 133232580000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PolicyPackageCabFullPath": "C:\\Users\\User1\\Desktop\\EsPolicy.hive",
        "LoadingOperationStatus": 5
    }
}
{
    "Version": 1,
    "Type": 20014,
    "TypeComputedMap": "EsScriptHostCreateFailure",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0C4A06-F13C-47F1-BF3C-FD7136C519A4}",
    "Timestamp": "2023-06-15T00:10:00.0000000+01:00",
    "TimestampRaw": 133232586000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ImplementationType": 0,
        "StatusCode": 5
    }
}
{
    "Version": 1,
    "Type": 20015,
    "TypeComputedMap": "KernelCorruptionBugcheck",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0AA66F-5A03-4CE9-ABCD-86988444224C}",
    "Timestamp": "2023-06-15T00:20:00.0000000+01:00",
    "TimestampRaw": 133232592000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Bugcheck": "0x00000109 (0x00000000, 0x00000000, 0x00000000, 0x00000000)"
    }
}
{
    "Version": 1,
    "Type": 20016,
    "TypeComputedMap": "InvalidPolicyPackageSignature",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0CDBE2-1FD9-43B4-80A3-219638B5C585}",
    "Timestamp": "2023-06-15T00:30:00.0000000+01:00",
    "TimestampRaw": 133232598000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": 5,
        "PolicyPackageFile": "C:\\Users\\User1\\Desktop\\EsPolicy.hive"
    }
}
{
    "Version": 1,
    "Type": 20017,
    "TypeComputedMap": "StartAgentUpgrade",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09E443-8DC7-4315-98A7-1C48312B835E}",
    "Timestamp": "2023-06-15T00:40:00.0000000+01:00",
    "TimestampRaw": 133232604000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "VersionFrom": "1.0.0.0",
        "VersionTo": "2.0.0.0"
    }
}
{
    "Version": 1,
    "Type": 20018,
    "TypeComputedMap": "PolicyPackageSignerExpired",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0FE5D0-593B-41FA-B642-98F1CC214FB8}",
    "Timestamp": "2023-06-15T00:50:00.0000000+01:00",
    "TimestampRaw": 133232610000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PolicyPackageFile": "C:\\Users\\User1\\Desktop\\EsPolicy.hive"
    }
}
{
    "Version": 1,
    "Type": 20019,
    "TypeComputedMap": "SelfProtectionLrpcFailure",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0A7F5A-905E-4E0B-AE2C-F1DA2D610788}",
    "Timestamp": "2023-06-15T01:00:00.0000000+01:00",
    "TimestampRaw": 133232616000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ServerServiceName": "EsaAppIdSvc",
        "SelfProtectionModuleName": "EsaGuardSvc",
        "StatusCode": 5
    }
}
{
    "Version": 1,
    "Type": 20020,
    "TypeComputedMap": "NewPolicyFromUpdateErrorNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0167A2-3042-453F-8E0C-F0B8BC76C13B}",
    "Timestamp": "2023-06-15T01:10:00.0000000+01:00",
    "TimestampRaw": 133232622000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PolicyName": null
    }
}
{
    "Version": 1,
    "Type": 20021,
    "TypeComputedMap": "NewPolicyFromUpdateNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0AEC3D-BAB1-4680-827B-FAB47FF00C8E}",
    "Timestamp": "2023-06-15T01:20:00.0000000+01:00",
    "TimestampRaw": 133232628000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PolicyGuid": "00000000-0000-0000-0000-000000000000",
        "PolicyVersion": 0,
        "PolicyName": null
    }
}
{
    "Version": 1,
    "Type": 20022,
    "TypeComputedMap": "NewConfigurationNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0533A5-A3D3-4F7E-A7B9-000FF784F592}",
    "Timestamp": "2023-06-15T01:30:00.0000000+01:00",
    "TimestampRaw": 133232634000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20023,
    "TypeComputedMap": "NewConfigurationErrorNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0369FB-ED19-4402-A1E7-900E95350EB8}",
    "Timestamp": "2023-06-15T01:40:00.0000000+01:00",
    "TimestampRaw": 133232640000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": 5
    }
}
{
    "Version": 1,
    "Type": 20024,
    "TypeComputedMap": "NewConfigurationFromUpdateErrorNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0C916A-4D69-416B-8014-BB8C8E461CFB}",
    "Timestamp": "2023-06-15T01:50:00.0000000+01:00",
    "TimestampRaw": 133232646000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20025,
    "TypeComputedMap": "NewConfigurationFromUpdateNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0A125B-DF69-440B-B388-B1A9477E7D92}",
    "Timestamp": "2023-06-15T02:00:00.0000000+01:00",
    "TimestampRaw": 133232652000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20026,
    "TypeComputedMap": "InvalidConfigurationPackageCab",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F5A8B-5487-4B22-981A-885363295252}",
    "Timestamp": "2023-06-15T02:10:00.0000000+01:00",
    "TimestampRaw": 133232658000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "PackageCabFullPath": "C:\\Users\\User1\\Desktop\\EsConfig.hive",
        "LoadingOperationStatus": 5
    }
}
{
    "Version": 1,
    "Type": 20027,
    "TypeComputedMap": "DowngradeIsNotAuthorized",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD010390-5326-4D21-9673-CD1B80EF7562}",
    "Timestamp": "2023-06-15T02:20:00.0000000+01:00",
    "TimestampRaw": 133232664000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20028,
    "TypeComputedMap": "SafeModeSessionNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0EF160-1AE3-47C3-8F2C-BA626C3D04C7}",
    "Timestamp": "2023-06-15T02:30:00.0000000+01:00",
    "TimestampRaw": 133232670000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "LoginName": "User1",
        "Timestamp": "2023-03-13T10:54:24.6100962+01:00"
    }
}
{
    "Version": 1,
    "Type": 20030,
    "TypeComputedMap": "MaintenanceModeStart",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0B53D9-A9FF-4257-8A47-BA73FD9798EE}",
    "Timestamp": "2023-06-15T02:40:00.0000000+01:00",
    "TimestampRaw": 133232676000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 20031,
    "TypeComputedMap": "MaintenanceModeStop",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD067EED-CA85-4D98-8C35-8DC58D0943C3}",
    "Timestamp": "2023-06-15T02:50:00.0000000+01:00",
    "TimestampRaw": 133232682000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20032,
    "TypeComputedMap": "MaintenanceModeAgentUpgradePostponed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0871CA-224C-4600-A48A-B562DB058C09}",
    "Timestamp": "2023-06-15T03:00:00.0000000+01:00",
    "TimestampRaw": 133232688000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20033,
    "TypeComputedMap": "BfeIsStoppedNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0E7607-D279-4188-BE30-E2A887B80D32}",
    "Timestamp": "2023-06-15T03:10:00.0000000+01:00",
    "TimestampRaw": 133232694000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20034,
    "TypeComputedMap": "RepairFailureNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0D4655-336D-4DD9-9532-78433F39364A}",
    "Timestamp": "2023-06-15T03:20:00.0000000+01:00",
    "TimestampRaw": 133232700000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555",
        "Result": 5
    }
}
{
    "Version": 1,
    "Type": 20035,
    "TypeComputedMap": "RepairSuccessNotification",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0BBCE5-0299-4F04-9858-756036BCBFBC}",
    "Timestamp": "2023-06-15T03:30:00.0000000+01:00",
    "TimestampRaw": 133232706000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 20036,
    "TypeComputedMap": "EndAgentModularityFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD071DC0-58B6-4166-93AC-5E53F025C724}",
    "Timestamp": "2023-06-15T03:40:00.0000000+01:00",
    "TimestampRaw": 133232712000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5
    }
}
{
    "Version": 1,
    "Type": 20037,
    "TypeComputedMap": "EndAgentModularitySucceeded",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD016C2D-6BA8-4348-BA6D-92FB1CE190A8}",
    "Timestamp": "2023-06-15T03:50:00.0000000+01:00",
    "TimestampRaw": 133232718000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20038,
    "TypeComputedMap": "CommFinishFailedState",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD05A0F2-7163-4A09-9F2D-AB6EA6171047}",
    "Timestamp": "2023-06-15T04:00:00.0000000+01:00",
    "TimestampRaw": 133232724000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5,
        "State": 8,
        "StateName": "PreviousStateName"
    }
}
{
    "Version": 1,
    "Type": 20039,
    "TypeComputedMap": "ForcedPatchApplication",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09E4CF-09F4-4E78-A3E9-C4CB48471D46}",
    "Timestamp": "2023-06-15T04:10:00.0000000+01:00",
    "TimestampRaw": 133232730000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20040,
    "TypeComputedMap": "ChallengeStart",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD04C00F-2052-440A-9E43-E685F60E2ACF}",
    "Timestamp": "2023-06-15T04:20:00.0000000+01:00",
    "TimestampRaw": 133232736000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Duration": 0,
        "ChallengeAction": 3
    }
}
{
    "Version": 1,
    "Type": 20041,
    "TypeComputedMap": "ChallengeStop",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F233B-3CCE-470B-9312-A760E05C5065}",
    "Timestamp": "2023-06-15T04:30:00.0000000+01:00",
    "TimestampRaw": 133232742000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Manual": true,
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555",
        "ChallengeAction": 0
    }
}
{
    "Version": 1,
    "Type": 20042,
    "TypeComputedMap": "ChallengeStopFailure",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD01D6E5-6517-4E2C-B029-8A4668B9A2BE}",
    "Timestamp": "2023-06-15T04:40:00.0000000+01:00",
    "TimestampRaw": 133232748000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5
    }
}
{
    "Version": 1,
    "Type": 20043,
    "TypeComputedMap": "WrongCabinetVersion",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD052689-74F5-4E19-A0CE-13246249763C}",
    "Timestamp": "2023-06-15T04:50:00.0000000+01:00",
    "TimestampRaw": 133232754000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20044,
    "TypeComputedMap": "MultipleNetworkInterfacesMatchingTest",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD07AF61-2014-44FF-83D1-FAFDEBA00A20}",
    "Timestamp": "2023-06-15T05:00:00.0000000+01:00",
    "TimestampRaw": 133232760000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "InterfaceName": "DEV",
        "InterfaceDescription": "Lorem Iterfacum"
    }
}
{
    "Version": 1,
    "Type": 20045,
    "TypeComputedMap": "ChallengeStartFailure",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD04CFB2-80E8-4237-9345-B73E76623445}",
    "Timestamp": "2023-06-15T05:10:00.0000000+01:00",
    "TimestampRaw": 133232766000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 5
    }
}
{
    "Version": 1,
    "Type": 20048,
    "TypeComputedMap": "External",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0A2E72-1187-4BF6-8773-235285060E82}",
    "Timestamp": "2023-06-15T05:20:00.0000000+01:00",
    "TimestampRaw": 133232772000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "Description": "localized:EventForwarding_WinDefender_MalwareProtectionRealTimeProtectionFeatureConfigured",
        "OriginType": 2,
        "ExtraData": {
            "Message": "This is a message",
            "_OriginalText": "2021 Mar 24 17:54:54 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(5007): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: W102004X64: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceStartStates = 0x1\r\n \tNew value: Default\\ServiceStartStates = 0x0"
        },
        "Fields": {
            "BaseRuleGuid": "64a298f2-c9e8-451f-9637-84254d2d8332"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        }
    }
}
{
    "Version": 1,
    "Type": 20048,
    "TypeComputedMap": "External",
    "Severity": 4,
    "ServerReserved": 0,
    "Attributes": 32,
    "AttributesComputedBitMap": [
        "External"
    ],
    "EventGuid": "{5838A063-4210-4268-ADB0-39FC5B55A212}",
    "GenerateIncident": false,
    "Timestamp": "2024-03-22T14:01:26.6589969+00:00",
    "TimestampRaw": 133555896866589969,
    "SpecificData": {
        "Action": {
            "PolicyGuid": "{DFDA0F76-10AF-4615-B093-7AA46CC2E7A3}",
            "PolicyVersion": 5,
            "RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}",
            "BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Description": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken",
        "OriginType": 2,
        "ExtraData": {
            "_SourceCategory": 0,
            "_HideFromUsers": 1,
            "_OriginalText": "2024 Mar 22 14:01:25 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: DESKTOP-001: Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.   For more information please see the following:  https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0   \tName: Trojan:Win32/BatTamper.A   \tID: 2147818424   \tSeverity: Severe   \tCategory: Trojan   \tPath: file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048   \tDetection Origin: Internet   \tDetection Type: Concrete   \tDetection Source: Downloads and attachments   \tUser: NT AUTHORITY\\SYSTEM   \tProcess Name: Unknown   \tAction: Quarantine   \tAction Status:  No additional actions required   \tError Code: 0x00000000   \tError description: The operation completed successfully.    \tSecurity intelligence Version: AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0   \tEngine Version: AM: 1.1.24020.9, NIS: 1.1.24020.9",
            "program_name": "WinEvtLog",
            "_NormalizerNames": "syslog-1-date-fmt-4, syslog-1-solaris-progname-1",
            "_NormalizerIds": "4, 6",
            "_FileType": "windows",
            "_ExtractorIds": "1",
            "_ExtractorNames": "windows",
            "_RuleDescription": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken",
            "_RuleId": 13,
            "_RuleImportedId": 24,
            "_RuleKeywords": "windows-defender",
            "_RuleLevel": 6,
            "__EvtXml": {
                "Event": {
                    "System": {
                        "Provider": {
                            "Name": "Microsoft-Windows-Windows Defender",
                            "Guid": "{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}"
                        },
                        "EventID": "1117",
                        "Version": "0",
                        "Level": "4",
                        "Task": "0",
                        "Opcode": "0",
                        "Keywords": "0x8000000000000000",
                        "TimeCreated": {
                            "SystemTime": "2024-03-22T14:01:25.6359716Z"
                        },
                        "EventRecordID": "613",
                        "Correlation": {},
                        "Execution": {
                            "ProcessID": "5384",
                            "ThreadID": "4576"
                        },
                        "Channel": "Microsoft-Windows-Windows Defender/Operational",
                        "Computer": "DESKTOP-001",
                        "Security": {
                            "UserID": "S-1-5-18"
                        }
                    },
                    "EventData": {
                        "Product Name": "Microsoft Defender Antivirus",
                        "Product Version": "4.18.23110.3",
                        "Detection ID": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}",
                        "Detection Time": "2024-03-22T14:01:20.550Z",
                        "Threat ID": "2147818424",
                        "Threat Name": "Trojan:Win32/BatTamper.A",
                        "Severity ID": "5",
                        "Severity Name": "Severe",
                        "Category ID": "8",
                        "Category Name": "Trojan",
                        "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0",
                        "Status Code": "4",
                        "State": "2",
                        "Source ID": "4",
                        "Source Name": "Downloads and attachments",
                        "Process Name": "Unknown",
                        "Detection User": "DESKTOP-001\\Lab",
                        "Path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048",
                        "Origin ID": "4",
                        "Origin Name": "Internet",
                        "Execution ID": "0",
                        "Execution Name": "Unknown",
                        "Type ID": "0",
                        "Type Name": "Concrete",
                        "Pre Execution Status": "0",
                        "Action ID": "2",
                        "Action Name": "Quarantine",
                        "Error Code": "0x00000000",
                        "Error Description": "The operation completed successfully. ",
                        "Post Clean Status": "0",
                        "Additional Actions ID": "0",
                        "Additional Actions String": "No additional actions required",
                        "Remediation User": "NT AUTHORITY\\SYSTEM",
                        "Security intelligence Version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0",
                        "Engine Version": "AM: 1.1.24020.9, NIS: 1.1.24020.9"
                    }
                }
            }
        },
        "Fields": {
            "_RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}",
            "_BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}"
        }
    },
    "AdditionalData": {
        "AgentAddresses": [
            "192.168.0.1"
        ],
        "AgentGroupGuid": "{8C2850C0-1A73-4CBC-9831-5AA5D1438AF2}",
        "AgentGroupName": "Desktop",
        "AgentGuid": "{0E6DAED4-3505-4F96-9F8D-55FBC85CA4C7}",
        "AgentName": "DESKTOP-001",
        "CategoryName": "External",
        "IncidentGuid": null,
        "Message": "Windows Defender: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.",
        "PolicyName": "Lab Policy",
        "SeverityName": "Warning"
    }
}
{
    "Version": 1,
    "Type": 20049,
    "TypeComputedMap": "ChallengeTooManyFailedAttempts",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0C6027-57C5-40B8-9A45-34C3259FD352}",
    "Timestamp": "2023-06-15T05:30:00.0000000+01:00",
    "TimestampRaw": 133232778000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 20050,
    "TypeComputedMap": "MaintenanceModeAgentModularityPostponed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0BF97F-A000-4C5E-B2FD-A9673DB49C79}",
    "Timestamp": "2023-06-15T05:40:00.0000000+01:00",
    "TimestampRaw": 133232784000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20051,
    "TypeComputedMap": "EndUpgradeAgentNothingToDo",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD077BE1-8717-4796-AA97-4E4684223298}",
    "Timestamp": "2023-06-15T05:50:00.0000000+01:00",
    "TimestampRaw": 133232790000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20052,
    "TypeComputedMap": "EndUpgradeAgentGuidUpdated",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD02DCFD-B400-42C2-BE32-B96BB54D4C10}",
    "Timestamp": "2023-06-15T06:00:00.0000000+01:00",
    "TimestampRaw": 133232796000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20053,
    "TypeComputedMap": "MaintenanceModeStopFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD07C559-BEF6-40F8-9624-C716A0F37F67}",
    "Timestamp": "2023-06-15T06:10:00.0000000+01:00",
    "TimestampRaw": 133232802000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ErrorCode": 0
    }
}
{
    "Version": 1,
    "Type": 20054,
    "TypeComputedMap": "KerberosPassTheTicket",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F24A3-2C61-4822-89C7-25C274043270}",
    "Timestamp": "2023-06-15T06:20:00.0000000+01:00",
    "TimestampRaw": 133232808000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "KirbiFileFullPath": "C:\\mimikatz_trunk\\Win32\\MyTicket.kirbi",
        "Correlation": {
            "PackageGuid": "a0ba8928-f715-4d6f-b43e-5d020e67c030",
            "PackageVersion": 42
        },
        "SourceProcess": {
            "PID": 9,
            "ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "9d367a6c-04e4-491b-baa8-25b674db96d9",
            "ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"",
            "HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB221",
            "HashSha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6",
            "HashSha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 1,
            "Certificates": null,
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": false
        }
    }
}
{
    "Version": 1,
    "Type": 20055,
    "TypeComputedMap": "ArpSpoofing",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD089472-11D1-45E7-859C-2185C0BC56EB}",
    "Timestamp": "2023-06-15T06:30:00.0000000+01:00",
    "TimestampRaw": 133232814000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "IPInterface": "172.30.225.122",
        "SpoofedIP": "172.30.225.121",
        "OldMacAddress": "00-ff-b7-1f-9d-10",
        "SpoofedMacAddress": "00-ff-b7-1f-9d-11",
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 20056,
    "TypeComputedMap": "AgentOperationCertutilDecodeMaliciousUsage",
    "Severity": 2,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD06E6EA-AC58-4B9F-96F2-1B4518003441}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T06:23:39.9571804+02:00",
    "TimestampRaw": 133311398199571804,
    "SpecificData": {
        "Action": {
            "PolicyGuid": "{FEFD7270-4013-94B9-0209-DEB987F40E89}",
            "PolicyVersion": 14,
            "RuleGuid": "{BEA2239E-7249-40A8-90BC-CD2981295600}",
            "BaseRuleGuid": "{BEA2239E-7249-40A8-90BC-CD2981295600}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": false,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Correlation": {
            "PackageGuid": "{06F508DA-1AB4-4A01-977D-2FD6E51C7F97}",
            "PackageVersion": 6
        },
        "SourceProcess": {
            "ProcessImageName": "C:\\Windows\\System32\\certutil.exe",
            "VolumeZone": 1,
            "HashSha1": "8564027153DCA487ECA613345AB3B2DE0ADD4F26",
            "ProcessStartTime": "2023-06-13T16:23:39.2631277+02:00",
            "SessionID": 2,
            "UserNameLookup": "JOHNDOE",
            "IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
            "HashMd5": "018796D4670AC12865BE2F00382BBC8E",
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "PID": 4904,
            "CertificateSignatureState": 1,
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "ProcessGuid": "{10C09418-9E9C-40E2-B7F7-20D70068CB34}",
            "ProcessCommandLine": "certutil-decode\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe\"",
            "IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
            "ProcessStartTimeRaw": 133311398192631277,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "SigningTime": "2023-05-18T00:55:31.4620000+02:00",
                    "SubjectCN": "MicrosoftWindows",
                    "ValidityEnd": "2024-02-01T02:05:42.0000000+02:00",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "ValidityStart": "2023-02-03T02:05:42.0000000+02:00",
                    "Algorithm": "SHA256"
                }
            ],
            "IsProtectedOrCritical": false,
            "HashSha256": "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847"
        },
        "ParentProcess": {
            "ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
            "VolumeZone": 1,
            "HashSha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D",
            "ProcessStartTime": "2023-06-13T16:23:39.0311777+02:00",
            "SessionID": 2,
            "UserNameLookup": "JOHNDOE",
            "IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
            "HashMd5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "PID": 6808,
            "CertificateSignatureState": 1,
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "ProcessGuid": "{387F337F-56ED-4924-B1CC-96357B1E27B3}",
            "ProcessCommandLine": "C:\\WINDOWS\\system32\\cmd.exe/c\"\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"",
            "IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
            "ProcessStartTimeRaw": 133311398190311777,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "SigningTime": "2023-04-28T03:05:05.3450000+02:00",
                    "SubjectCN": "MicrosoftWindows",
                    "ValidityEnd": "2024-02-01T02:05:41.0000000+02:00",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
                    "Algorithm": "SHA256"
                }
            ],
            "IsProtectedOrCritical": false,
            "HashSha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450"
        },
        "SourceFilePath": "C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd",
        "DestinationFilePath": "C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe",
        "FileContentType": 0,
        "FileContentTypeComputedMap": "Unknown",
        "FileContent": "406563686F206F66660D0A0D0A0D0A6563686F2E4465636F64696E6720656D6265646465642070726F6772616D2E2E2E0D0A7365742022544D505F46494C455F4E414D453D2554454D50255C70776E65"
    }
}
{
    "Version": 1,
    "Type": 20057,
    "TypeComputedMap": "AgentOperationCertutilDownloadMaliciousUsage",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0CE797-8230-47F1-A98E-2F273D1AF92A}",
    "Timestamp": "2023-06-15T06:50:00.0000000+01:00",
    "TimestampRaw": 133232826000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "DownloadUrl": "http://sample.xyz/malicious.encoded",
        "DestinationFilePath": "c:\\malicious\\malicious.encoded",
        "ParentProcess": {
            "PID": 2,
            "ProcessImageName": "C:\\Windows\\System32\\notepad.exe",
            "UserSID": null,
            "SessionID": 2,
            "ProcessGuid": "92c248f1-0acd-11ea-a38a-00155d099004",
            "ProcessCommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\arkoon\\Desktop\\_test\\test.totot",
            "HashMd5": "F1139811BBF61362915958806AD30211",
            "HashSha1": "D487580502354C61808C7180D1A336BEB7AD4624",
            "HashSha256": "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 0,
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Microsoft Windows Production PCA 2011",
                    "SigningTime": "2019-11-07T04:32:51.5641056+01:00",
                    "ValidityEnd": "2020-05-02T22:24:36.0705280+01:00",
                    "ValidityStart": "2019-05-02T22:24:36.7807872+01:00",
                    "SubjectCN": "Microsoft Windows"
                }
            ],
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateUnavailable"
        },
        "Correlation": {
            "PackageGuid": "c0d2b0ff-b222-43bb-b134-50e8f4589806",
            "PackageVersion": 42
        },
        "SourceProcess": {
            "PID": 5,
            "ProcessImageName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe",
            "UserSID": null,
            "SessionID": 0,
            "ProcessGuid": "bed63e79-0f85-11ea-a38e-00155d099004",
            "ProcessCommandLine": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe\"",
            "HashMd5": "E6224FC8CF2A26B386934DAC0A3495D0",
            "HashSha1": "CF970FA39BA72CC531133EC327203EAD801DA846",
            "HashSha256": "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737",
            "UserNameLookup": "JOHNDOE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserDomainLookup": "TEST",
            "CertificateSignatureState": 4,
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "Stormshield",
                    "SigningTime": "2019-11-25T14:15:45.4965475+01:00",
                    "ValidityEnd": "2040-01-01T00:59:59.1248256+01:00",
                    "ValidityStart": "2017-04-25T15:21:15.7216000+01:00",
                    "SubjectCN": "Stormshield"
                }
            ],
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "Medium",
            "IntegrityLevelDomainLookup": "Mandatory Label",
            "IsProtectedOrCritical": false,
            "ProcessStartTimeRaw": 133204190354018719,
            "ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
            "CertificateSignatureStateComputedMap": "SignatureStateRevoked"
        },
        "Action": {
            "PolicyGuid": "00000000-0000-0000-0000-000000000000",
            "PolicyVersion": 0,
            "RuleGuid": "00000000-0000-0000-0000-000000000000",
            "BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
            "IdentifierGuid": "00000000-0000-0000-0000-000000000000",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": true
        }
    }
}
{
    "Version": 1,
    "Type": 20059,
    "TypeComputedMap": "AgentInternalScriptRuntimeError",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09A421-A13C-49BF-AB67-B48A5884C559}",
    "Timestamp": "2023-06-15T07:00:00.0000000+01:00",
    "TimestampRaw": 133232832000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "ExecutionStatus": 0,
        "ScriptGuid": "00000000-0000-0000-0000-000000000000"
    }
}
{
    "Version": 1,
    "Type": 20060,
    "TypeComputedMap": "WmiPersistence",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0903E9-4EEC-4EE0-9CBF-50E00F367470}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T07:02:14.4361240+02:00",
    "TimestampRaw": 133311421344361240,
    "SpecificData": {
        "Action": {
            "PolicyGuid": "{FEFD7270-4013-94B9-0209-DEB987F40E89}",
            "PolicyVersion": 14,
            "RuleGuid": "{D9AC047B-591C-42EA-86AD-0997EE000BEF}",
            "BaseRuleGuid": "{D9AC047B-591C-42EA-86AD-0997EE000BEF}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": true,
            "RequestMoveToQuarantine": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "Correlation": {
            "PackageGuid": "{B757A1F5-8658-4567-A380-73F189F507E6}",
            "PackageVersion": 2
        },
        "ConsumerType": 0,
        "ConsumerTypeComputedMap": "CommandLineEventConsumer",
        "ExecutedAction": "cmd.exe/cecho%ProcessId%>>c:\\\\\\\\tmp\\\\\\\\log.txt",
        "ActionName": "Log01",
        "Trigger": "Query=\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\"",
        "Namespace": "root/subscription",
        "ESS": "Log01",
        "Consumer": "CommandLineEventConsumer=\"Log01\"",
        "PossibleCause": "BindingEventFilter:\ninstanceof__EventFilter\n{\n\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\n\tEventNamespace=\"root/cimv2\";\n\tName=\"Log01\";\n\tQuery=\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\";\n\tQueryLanguage=\"WQL\";\n};\nPerm.Consumer:\ninstanceofCommandLineEventConsumer\n{\n\tCommandLineTemplate=\"cmd.exe/cecho%ProcessId%>>c:\\\\\\\\tmp\\\\\\\\log.txt\";\n\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\n\tName=\"Log01\";\n};\n",
        "TimeCreated": "2023-06-13T15:02:08.6658788Z"
    }
}
{
    "Version": 1,
    "Type": 20061,
    "TypeComputedMap": "Discovery",
    "Category": 4,
    "CategoryComputedMap": "Other",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0B6953-1407-4F68-B7BB-0540BD9F32B3}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T08:00:22.3680507+01:00",
    "TimestampRaw": 133203492223680517,
    "SpecificData": {
        "Action": {
            "PolicyGuid": "{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}",
            "PolicyVersion": 1,
            "RuleGuid": "{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}",
            "BaseRuleGuid": "{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        },
        "Correlation": {
            "PackageGuid": "{9D0A8212-4B3F-4ABA-9548-D5AAB6095E19}",
            "PackageVersion": 4
        },
        "SourceProcess": {
            "VolumeZone": 1,
            "IntegrityLevel": "S-1-16-8192",
            "UserNameLookup": "JOHNDOE",
            "HashSha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D",
            "CertificateSignatureState": 1,
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "ProcessGuid": "{9AC2D00F-F8B3-4917-B750-B3DAC7E6DC81}",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "SigningTime": "2022-06-09T00:22:44.7850000+01:00",
                    "ValidityStart": "2021-09-02T19:23:40.0000000+01:00",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "ValidityEnd": "2022-09-01T19:23:40.0000000+01:00"
                }
            ],
            "HashSha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
            "ProcessStartTimeRaw": 133203492157056139,
            "UserDomainLookup": "TEST",
            "ProcessStartTime": "2023-02-08T18:00:15.7056139+01:00",
            "PID": 5204,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "ProcessCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
            "IsProtectedOrCritical": false,
            "HashMd5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
            "SessionID": 2
        },
        "DiscoveryProcess": {
            "VolumeZone": 1,
            "IntegrityLevel": "S-1-16-8192",
            "UserNameLookup": "JOHNDOE",
            "HashSha1": "D9BBB4E4900FF03B0486FAC32768170249DAD82D",
            "CertificateSignatureState": 1,
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "ProcessGuid": "{D7235320-A1CF-4151-9451-1DFE77BC0F89}",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "SigningTime": "2022-06-09T01:51:05.6030000+01:00",
                    "ValidityStart": "2021-09-02T19:23:40.0000000+01:00",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "ValidityEnd": "2022-09-01T19:23:40.0000000+01:00"
                }
            ],
            "HashSha256": "53E000F5AA9B3A00934319DB8080BB99CB323BF48FC628A64F75D7847C265606",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "ProcessImageName": "C:\\Windows\\System32\\ipconfig.exe",
            "ProcessStartTimeRaw": 133203492215762286,
            "UserDomainLookup": "TEST",
            "ProcessStartTime": "2023-02-08T18:00:21.5762286+01:00",
            "PID": 5364,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "ProcessCommandLine": "ipconfig",
            "IsProtectedOrCritical": false,
            "HashMd5": "62F170FB07FDBB79CEB7147101406EB8",
            "SessionID": 2
        },
        "BeginningTime": "2023-02-08T18:00:15.7184398+01:00",
        "TriggerTime": "2023-02-08T18:00:21.5797212+01:00"
    }
}
{
    "Version": 1,
    "Type": 20062,
    "TypeComputedMap": "AgentInternalUninstallForbidden",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD04A57F-EE9F-4D86-AAD5-E7FC20313376}",
    "Timestamp": "2023-06-15T07:30:00.0000000+01:00",
    "TimestampRaw": 133232850000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "UninstallAttemptDateTime": "2020-07-07T09:29:06.066110400Z",
        "UserNameLookup": "JOHNDOE",
        "UserDomainLookup": "TEST",
        "User": "S-1-5-21-2222222-33333333-44444444-555"
    }
}
{
    "Version": 1,
    "Type": 20063,
    "TypeComputedMap": "AgentInternalLogExceedMaxSize",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD062E12-865A-4B16-B57B-37205E59277B}",
    "Timestamp": "2023-06-15T07:40:00.0000000+01:00",
    "TimestampRaw": 133232856000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "FaultyLogType": 1010,
        "FaultyLogTypeComputedMap": null
    }
}
{
    "Version": 1,
    "Type": 20064,
    "TypeComputedMap": "StartModularityAgent",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0F3A16-4E4E-4790-B3EB-5558D437C77E}",
    "Timestamp": "2023-06-15T07:50:00.0000000+01:00",
    "TimestampRaw": 133232862000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20065,
    "TypeComputedMap": "StartRepairAgent",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD000F33-953C-49B2-9E91-A9D0D16FABFB}",
    "Timestamp": "2023-06-15T08:00:00.0000000+01:00",
    "TimestampRaw": 133232868000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 1,
    "Type": 20066,
    "TypeComputedMap": "AgentInternalVolumeWithoutShadowStorage",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD07B4CE-114A-42D1-8080-3E10EAAF1F3A}",
    "Timestamp": "2023-06-15T08:10:00.0000000+01:00",
    "TimestampRaw": 133232874000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "VolumePath": "\\\\?\\Volume{3799cd4d-464b-4908-9537-3984827f7c29}\\",
        "DriveLetter": "C:\\",
        "VolumeLabel": "some label"
    }
}
{
    "Version": 1,
    "Type": 20067,
    "TypeComputedMap": "AgentInternalShadowCopyCreationFailure",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD04DBA1-AC27-47D4-ABBF-588CD950C127}",
    "Timestamp": "2023-06-15T08:20:00.0000000+01:00",
    "TimestampRaw": 133232880000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "VolumePath": "\\\\?\\Volume{a14d9f90-5db7-4b3c-8cf1-d9bd2f9f1a64}\\",
        "DriveLetter": "C:\\",
        "VolumeLabel": "some label",
        "ErrorCode": 5
    }
}
{
    "Version": 1,
    "Type": 20068,
    "TypeComputedMap": "Ransomware",
    "Category": 4,
    "CategoryComputedMap": "Other",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0C67CC-83EF-4966-8001-10A3B8B13EAC}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T05:23:07.3454198+01:00",
    "TimestampRaw": 133225861873454198,
    "SpecificData": {
        "Action": {
            "PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
            "PolicyVersion": 2,
            "RuleGuid": "{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}",
            "BaseRuleGuid": "{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": true,
            "UserDecision": false,
            "SourceProcessKilled": true
        },
        "Correlation": {
            "PackageGuid": "{C4E948CC-1082-47B9-BE66-10A1B88A3202}",
            "PackageVersion": 4
        },
        "SourceProcess": {
            "ProcessImageName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "PID": 5816,
            "VolumeZone": 1,
            "HashMd5": "04029E121A0CFA5991749937DD22A1D9",
            "ProcessStartTimeRaw": 133225860434012095,
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-12288",
            "IntegrityLevelNameLookup": "HighMandatoryLevel",
            "ProcessCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
            "ProcessStartTime": "2023-03-06T15:20:43.4012095+01:00",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "CertificateSignatureState": 1,
            "IsProtectedOrCritical": false,
            "SessionID": 2,
            "Certificates": [
                {
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2022-12-02T00:08:48.1500000+01:00",
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "ValidityEnd": "2023-05-04T20:23:14.0000000+01:00",
                    "ValidityStart": "2022-05-05T20:23:14.0000000+01:00"
                }
            ],
            "HashSha1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054",
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "HashSha256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "ProcessGuid": "{70FCCA79-9933-4734-8CD6-28AE2E501771}",
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "UserNameLookup": "JOHNDOE"
        },
        "AlteredFileListFilePath": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\RansomwareProtection\\encrypted_files2023-03-0615-23-07.txt",
        "OverallAlteredFilesCount": 10,
        "AlteredFiles": [
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(1).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(1).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(10).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(10).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(11).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(11).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(12).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(12).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(13).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(13).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(14).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(14).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(15).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(15).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(16).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(16).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(17).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(17).txt.jmBrN"
            },
            {
                "SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(18).txt",
                "DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(18).txt.jmBrN"
            }
        ]
    }
}
{
    "Version": 1,
    "Type": 20069,
    "TypeComputedMap": "AgentInternalResourcePackageDownloadFailed",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD09591B-3AF8-4605-96DE-64B269B9173E}",
    "Timestamp": "2023-06-15T08:40:00.0000000+01:00",
    "TimestampRaw": 133232892000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": 5,
        "ResourceGuid": "28110024-5807-45eb-9b7b-3aed55cb3f04"
    }
}
{
    "Version": 1,
    "Type": 20070,
    "TypeComputedMap": "AgentInternalInvalidResourcePackageSignature",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD018FE1-B276-4EB6-9E00-9A1CE516E02E}",
    "Timestamp": "2023-06-15T08:50:00.0000000+01:00",
    "TimestampRaw": 133232898000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": 5,
        "ResourceGuid": "ce78187e-1062-4075-9bce-d8c92ee2b99e",
        "ResourcePackageFile": "C:\\Users\\User1\\Desktop\\EsResource.cab"
    }
}
{
    "Version": 1,
    "Type": 20071,
    "TypeComputedMap": "AgentInternalSecOpsInvalidPackageSignature",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0B84DD-18EA-4C30-8D5B-91D288F9368A}",
    "Timestamp": "2023-06-15T09:00:00.0000000+01:00",
    "TimestampRaw": 133232904000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": 5,
        "SecOpsGuid": "b9092244-2249-44bb-ae2d-f9e50a2b0b10",
        "SecOpsPackageFile": "C:\\Users\\User1\\Desktop\\SecOpsTask.cab"
    }
}
{
    "Version": 1,
    "Type": 20072,
    "TypeComputedMap": "AgentInternalSecOpsInvalidJsonSize",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0E2013-BED1-4DC5-95FB-A881DB5F386A}",
    "Timestamp": "2023-06-15T09:10:00.0000000+01:00",
    "TimestampRaw": 133232910000000000,
    "GenerateIncident": false,
    "SpecificData": {
        "StatusCode": -1609564141,
        "SecOpsGuid": "fbba1fb1-efda-4bba-9929-2d5eae03344e",
        "SecOpsPackageFile": "C:\\Users\\User1\\Desktop\\SecOpsTask.cab",
        "JsonSize": 10241
    }
}
{
    "Version": 1,
    "Type": 20073,
    "TypeComputedMap": "AgentInternalDowngradeWithPivotVersion223IsRequired",
    "Severity": 0,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD02148D-0FE6-4428-805C-3B1A58BB1E1D}",
    "Timestamp": "2023-06-15T09:20:00.0000000+01:00",
    "TimestampRaw": 133232916000000000,
    "GenerateIncident": false,
    "SpecificData": {}
}
{
    "Version": 2,
    "Type": 20079,
    "TypeComputedMap": "AgentOperationYaraProcessAnalysisMatch",
    "Severity": 1,
    "ServerReserved": 0,
    "Attributes": 2,
    "AttributesComputedBitMap": [
        "Protection"
    ],
    "EventGuid": "{AD0FD776-0C61-4946-BA0C-185518A0361C}",
    "GenerateIncident": false,
    "Timestamp": "2023-06-15T01:58:14.4201973+02:00",
    "TimestampRaw": 133300870944201973,
    "SpecificData": {
        "SourceProcess": {
            "PID": 5848,
            "ProcessGuid": "{36C8E9F1-41B8-44FF-B482-FD11D323D5C7}",
            "ProcessImageName": "C:\\Windows\\explorer.exe",
            "VolumeZone": 1,
            "VolumeZoneComputedBitMap": [
                "Operating system"
            ],
            "ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
            "User": "S-1-5-21-2222222-33333333-44444444-555",
            "UserNameLookup": "JOHNDOE",
            "UserDomainLookup": "TEST",
            "IntegrityLevel": "S-1-16-8192",
            "IntegrityLevelNameLookup": "MediumMandatoryLevel",
            "IntegrityLevelDomainLookup": "MandatoryLabel",
            "SessionID": 2,
            "HashMd5": "C6CD12BF63E9B9B4478E6F975E7C293D",
            "HashSha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A",
            "HashSha256": "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C",
            "IsProtectedOrCritical": false,
            "CertificateSignatureState": 1,
            "CertificateSignatureStateComputedMap": "SignatureStateTrusted",
            "Certificates": [
                {
                    "Algorithm": "SHA256",
                    "IssuerCN": "MicrosoftWindowsProductionPCA2011",
                    "SubjectCN": "MicrosoftWindows",
                    "SigningTime": "2023-01-06T12:27:04.6400000+02:00",
                    "ValidityStart": "2022-05-05T21:23:15.0000000+02:00",
                    "ValidityEnd": "2023-05-04T21:23:15.0000000+02:00"
                }
            ],
            "ProcessStartTime": "2023-05-31T13:05:25.0959518+02:00",
            "ProcessStartTimeRaw": 133300047250959518
        },
        "Action": {
            "PolicyGuid": "{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}",
            "PolicyVersion": 4,
            "RuleGuid": "{6D01E214-075E-472C-A56D-3C6042DEA832}",
            "BaseRuleGuid": "{CF2EB1A3-0A18-4406-B284-F72A4E21D34F}",
            "IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
            "Blocked": false,
            "UserDecision": false,
            "SourceProcessKilled": false
        },
        "AnalysisProperties": {
            "AnalysisUnitGuid": "{919C4A6A-F381-4D01-A159-34C85152B5DF}",
            "Triggers": 8,
            "TriggersComputedBitMap": [
                "TRIGGER_RULE_EVENT"
            ],
            "AssociatedEventGuid": "{41FD7022-DCDA-4ECE-983D-C780EC4315CA}",
            "AssociatedScheduledTaskGuid": "{00000000-0000-0000-0000-000000000000}",
            "AssociatedSecOpsGuid": "{00000000-0000-0000-0000-000000000000}",
            "AssociatedSecOpsRequestGuid": "{00000000-0000-0000-0000-000000000000}",
            "AssociatedBaseRuleGuid": "{BD00BBE6-3264-46D6-A010-AF9419FD7243}",
            "AssociatedRuleGuid": "{BD00BBE6-3264-46D6-A010-AF9419FD7245}"
        },
        "SourceProcessImageFileDetails": {
            "FileFullPath": "C:\\Windows\\explorer.exe",
            "FileCreateTime": "2023-01-12T10:52:38.2994281+02:00",
            "LastModified": "2023-01-12T10:52:38.4088025+02:00",
            "Owner": "S-1-5-21-2222222-33333333-44444444-555-2271478464",
            "OwnerNameLookup": "TrustedInstaller",
            "OwnerDomainLookup": "NTSERVICE",
            "HashMd5": "C6CD12BF63E9B9B4478E6F975E7C293D",
            "HashSha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A",
            "HashSha256": "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C",
            "HashSSDeep": "49152:JFV7+LB3mKxTLHWBwPvfb0xer5TaNFLGO3LL6Y6IEF98C21rf2JGno/n7w8A7/eE:obULwVw8a0cDl"
        },
        "MatchedYaraRules": [
            {
                "MatchedRule": "test_yaralib_pe_module_is_pe_rule",
                "Tags": [],
                "Metadatas": [
                    {
                        "MetadataKey": "description",
                        "MetadataValue": "module_is_pe_rule"
                    },
                    {
                        "MetadataKey": "author",
                        "MetadataValue": "SESQAManuel"
                    }
                ],
                "MatchedStrings": []
            },
            {
                "MatchedRule": "test_yaralib_pe_module_is_x64_rule",
                "Tags"