diff --git a/.script/tests/KqlvalidationsTests/CustomTables/TrendMicro_XDR_OAT_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/TrendMicro_XDR_OAT_CL.json
index a4ecb50e770..46c2cf19420 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/TrendMicro_XDR_OAT_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/TrendMicro_XDR_OAT_CL.json
@@ -5,6 +5,10 @@
 "Name": "_ResourceId",
 "Type": "string"
 },
+ {
+ "Name": "_ItemId",
+ "Type": "string"
+ },
 {
 "Name": "authId_s",
 "Type": "string"
@@ -459,7 +463,7 @@
 },
 {
 "Name": "TimeGenerated",
- "Type": "string"
+ "Type": "datetime"
 },
 {
 "Name": "timezone_s",
@@ -484,7 +488,1886 @@ { "Name": "xdrCustomerId_g", "Type": "string" + }, + { + "Name": "detailuid_s_s", + "Type": "string" + }, + { + "Name": "detail_fileCreation_t_UTC_s", + "Type": "string" + }, + { + "Name": "detaileviceGUID_s", + "Type": "string" + }, + { + "Name": "detail_rt_t_UTC_s", + "Type": "string" + }, + { + "Name": "detail_rt_utc_t_UTC_s", + "Type": "string" + }, + { + "Name": "detailenderGUID_s", + "Type": "string" + }, + { + "Name": "detectionTime_t_UTC_s", + "Type": "string" + }, + { + "Name": "detail_eventTimeDT_t_UTC_s", + "Type": "string" + }, + { + "Name": "detail_firstSeen_t_UTC_s", + "Type": "string" + }, + { + "Name": "detail_lastSeen_t_UTC_s", + "Type": "string" + }, + { + "Name": "detailessionId_s", + "Type": "string" + }, + { + "Name": "detail_score_s", + "Type": "string" + }, + { + "Name": "detail_providerGUID_s", + "Type": "string" + }, + { + "Name": "detail_instanceId_s", + "Type": "string" + }, + { + "Name": "detail_deviceGUID_s", + "Type": "string" + }, + { + "Name": "detail_endpointGUID_s", + "Type": "string" + }, + { + "Name": "detail_mDeviceGUID_s", + "Type": "string" + }, + { + "Name": "detail_senderGUID_s", + "Type": "string" + }, + { + "Name": "detail_severity_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashMd5_s", + "Type": "string" + }, + { + "Name": "detail_objectRunAsLocalAccount_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashMd5_s", + "Type": "string" + }, + { + "Name": "detail_fileCreation_UTC__s", + "Type": "string" + }, + { + "Name": "detail_rt_UTC__s", + "Type": "string" + }, + { + "Name": "detail_rt_utc_UTC__s", + "Type": "string" + }, + { + "Name": "detectionTime_UTC__s", + "Type": "string" + }, + { + "Name": "detail_eventTimeDT_UTC__s", + "Type": "string" + }, + { + "Name": "detail_firstSeen_UTC__s", + "Type": "string" + }, + { + "Name": "detail_lastSeen_UTC__s", + "Type": "string" + }, + { + "Name": "TimeGenerated_UTC_s", + "Type": "string" + }, + { + "Name": 
"detail_cccaRiskLevel_s", + "Type": "string" + }, + { + "Name": "detailirection_s", + "Type": "string" + }, + { + "Name": "detailcore_s", + "Type": "string" + }, + { + "Name": "detailuid_s", + "Type": "string" + }, + { + "Name": "detail_rawDataSize_s", + "Type": "string" + }, + { + "Name": "detail_rt_s", + "Type": "string" + }, + { + "Name": "detail_winEventId_s", + "Type": "string" + }, + { + "Name": "detail_confidence_s", + "Type": "string" + }, + { + "Name": "detailetectionName_s", + "Type": "string" + }, + { + "Name": "detailetectionType_s", + "Type": "string" + }, + { + "Name": "detail_fileCreation_t_UTC__s", + "Type": "string" + }, + { + "Name": "detail_fileSize_s", + "Type": "string" + }, + { + "Name": "detail_aggregatedCount_s", + "Type": "string" + }, + { + "Name": "detail_ruleId_s", + "Type": "string" + }, + { + "Name": "detaileviceGUID_g_s", + "Type": "string" + }, + { + "Name": "detailomainName_s", + "Type": "string" + }, + { + "Name": "detailvchost_s", + "Type": "string" + }, + { + "Name": "detail_rt_t_UTC__s", + "Type": "string" + }, + { + "Name": "detail_rtHour_s", + "Type": "string" + }, + { + "Name": "detail_rt_utc_t_UTC__s", + "Type": "string" + }, + { + "Name": "detailcanType_s", + "Type": "string" + }, + { + "Name": "detailecondAct_s", + "Type": "string" + }, + { + "Name": "detailecondActResult_s", + "Type": "string" + }, + { + "Name": "detailenderGUID_g_s", + "Type": "string" + }, + { + "Name": "detailenderIp_s", + "Type": "string" + }, + { + "Name": "detaileverity_s", + "Type": "string" + }, + { + "Name": "detaileviceType_s", + "Type": "string" + }, + { + "Name": "detail_nativeDeviceCharacteristics_s", + "Type": "string" + }, + { + "Name": "detail_nativeDeviceType_s", + "Type": "string" + }, + { + "Name": "detail_nativeStorageDeviceBusType_s", + "Type": "string" + }, + { + "Name": "detail_objectSubTrueType_s", + "Type": "string" + }, + { + "Name": "xdrCustomerId_g_g_g", + "Type": "string" + }, + { + "Name": "detectionTime_t_UTC__s", + "Type": 
"string" + }, + { + "Name": "endpoint_guid_g_g_g", + "Type": "string" + }, + { + "Name": "detail_endpointGuid_g_g_g", + "Type": "string" + }, + { + "Name": "detail_eventHashId_s", + "Type": "string" + }, + { + "Name": "detail_eventTimeDT_t_UTC__s", + "Type": "string" + }, + { + "Name": "detail_firstSeen_t_UTC__s", + "Type": "string" + }, + { + "Name": "detail_lastSeen_t_UTC__s", + "Type": "string" + }, + { + "Name": "detail_objectAuthId_s", + "Type": "string" + }, + { + "Name": "detail_objectFileCreation_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashId_s", + "Type": "string" + }, + { + "Name": "detail_objectFileModifiedTime_s", + "Type": "string" + }, + { + "Name": "detail_objectFileSize_s", + "Type": "string" + }, + { + "Name": "detail_objectHashId_s", + "Type": "string" + }, + { + "Name": "detail_objectIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "detail_objectLaunchTime_s", + "Type": "string" + }, + { + "Name": "detail_objectPid_s", + "Type": "string" + }, + { + "Name": "detail_objectSessionId_s", + "Type": "string" + }, + { + "Name": "detail_objectTrueType_s", + "Type": "string" + }, + { + "Name": "detail_osType_d", + "Type": "real" + }, + { + "Name": "detail_parentAuthId_s", + "Type": "string" + }, + { + "Name": "detail_parentFileCreation_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashId_s", + "Type": "string" + }, + { + "Name": "detail_parentFileModifiedTime_s", + "Type": "string" + }, + { + "Name": "detail_parentFileSize_s", + "Type": "string" + }, + { + "Name": "detail_parentHashId_s", + "Type": "string" + }, + { + "Name": "detail_parentIntegrityLevel_s", + "Type": "string" + }, + { + "Name": "detail_parentLaunchTime_s", + "Type": "string" + }, + { + "Name": "detail_parentPid_s", + "Type": "string" + }, + { + "Name": "detail_parentSessionId_s", + "Type": "string" + }, + { + "Name": "detail_parentTrueType_s", + "Type": "string" + }, + { + "Name": "detail_pname_d", + "Type": "real" + }, + { + "Name": 
"detail_processFileHashId_s", + "Type": "string" + }, + { + "Name": "detail_processFileHashMd5_g_g_g", + "Type": "string" + }, + { + "Name": "detail_processHashId_s", + "Type": "string" + }, + { + "Name": "detailessionId_d", + "Type": "real" + }, + { + "Name": "detail_uuid_g_g_g", + "Type": "string" + }, + { + "Name": "MG_s", + "Type": "string" + }, + { + "Name": "TimeGenerated_UTC__s", + "Type": "string" + }, + { + "Name": "detail_app_s_s", + "Type": "string" + }, + { + "Name": "detail_blocking_s_s", + "Type": "string" + }, + { + "Name": "detail_cccaDetectionSource_s_s", + "Type": "string" + }, + { + "Name": "detail_cccaRiskLevel_d_s", + "Type": "string" + }, + { + "Name": "detail_direction_s_s", + "Type": "string" + }, + { + "Name": "detail_interestedHost_s_s", + "Type": "string" + }, + { + "Name": "detail_policyName_s_s", + "Type": "string" + }, + { + "Name": "detail_rating_s_s", + "Type": "string" + }, + { + "Name": "detail_request_s_s", + "Type": "string" + }, + { + "Name": "detail_score_d_s", + "Type": "string" + }, + { + "Name": "detail_urlCat_s_s", + "Type": "string" + }, + { + "Name": "detail_patType_s_s", + "Type": "string" + }, + { + "Name": "detail_suid_s_s", + "Type": "string" + }, + { + "Name": "detail_compressedFileName_s_s", + "Type": "string" + }, + { + "Name": "detail_malFamily_s_s", + "Type": "string" + }, + { + "Name": "detail_correlationData_s_s", + "Type": "string" + }, + { + "Name": "detail_eventDataProviderName_s_s", + "Type": "string" + }, + { + "Name": "detail_eventDataProviderPath_s_s", + "Type": "string" + }, + { + "Name": "detail_providerGUID_g_s", + "Type": "string" + }, + { + "Name": "detail_providerName_s_s", + "Type": "string" + }, + { + "Name": "detail_rawDataSize_d_s", + "Type": "string" + }, + { + "Name": "detail_rawDataStr_s_s", + "Type": "string" + }, + { + "Name": "detail_rt_d_s", + "Type": "string" + }, + { + "Name": "detail_winEventId_d_s", + "Type": "string" + }, + { + "Name": "detail_confidence_d_s", + "Type": "string" + 
}, + { + "Name": "detail_detectionName_s_s", + "Type": "string" + }, + { + "Name": "detail_detectionType_s_s", + "Type": "string" + }, + { + "Name": "detail_fileSize_d_s", + "Type": "string" + }, + { + "Name": "detail_threatType_s_s", + "Type": "string" + }, + { + "Name": "detail_act_s_s", + "Type": "string" + }, + { + "Name": "detail_aggregatedCount_d_s", + "Type": "string" + }, + { + "Name": "detail_behaviorCat_s_s", + "Type": "string" + }, + { + "Name": "detail_bmGroup_s_s", + "Type": "string" + }, + { + "Name": "detail_engineOperation_s_s", + "Type": "string" + }, + { + "Name": "detail_instanceId_g_s", + "Type": "string" + }, + { + "Name": "detail_policyId_s_s", + "Type": "string" + }, + { + "Name": "detail_riskLevel_s_s", + "Type": "string" + }, + { + "Name": "detail_ruleId_d_s", + "Type": "string" + }, + { + "Name": "detail_actResult_s_s", + "Type": "string" + }, + { + "Name": "detail_channel_s_s", + "Type": "string" + }, + { + "Name": "detail_deviceGUID_g_s", + "Type": "string" + }, + { + "Name": "detail_domainName_s_s", + "Type": "string" + }, + { + "Name": "detail_dvchost_s_s", + "Type": "string" + }, + { + "Name": "detail_endpointGUID_g_s", + "Type": "string" + }, + { + "Name": "detail_engType_s_s", + "Type": "string" + }, + { + "Name": "detail_engVer_s_s", + "Type": "string" + }, + { + "Name": "detail_eventId_d_s", + "Type": "string" + }, + { + "Name": "detail_eventName_s_s", + "Type": "string" + }, + { + "Name": "detail_eventSubName_s_s", + "Type": "string" + }, + { + "Name": "detail_fileHash_s_s", + "Type": "string" + }, + { + "Name": "detail_fileName_s_s", + "Type": "string" + }, + { + "Name": "detail_filePath_s_s", + "Type": "string" + }, + { + "Name": "detail_firstAct_s_s", + "Type": "string" + }, + { + "Name": "detail_firstActResult_s_s", + "Type": "string" + }, + { + "Name": "detail_fullPath_s_s", + "Type": "string" + }, + { + "Name": "detail_interestedIp_s_s", + "Type": "string" + }, + { + "Name": "detail_logKey_s_s", + "Type": "string" + }, + { 
+ "Name": "detail_mDevice_s_s", + "Type": "string" + }, + { + "Name": "detail_mDeviceGUID_g_s", + "Type": "string" + }, + { + "Name": "detail_malDst_s_s", + "Type": "string" + }, + { + "Name": "detail_malName_s_s", + "Type": "string" + }, + { + "Name": "detail_malSubType_s_s", + "Type": "string" + }, + { + "Name": "detail_malType_s_s", + "Type": "string" + }, + { + "Name": "detail_mpname_s_s", + "Type": "string" + }, + { + "Name": "detail_mpver_s_s", + "Type": "string" + }, + { + "Name": "detail_pComp_s_s", + "Type": "string" + }, + { + "Name": "detail_patVer_s_s", + "Type": "string" + }, + { + "Name": "detail_rtDate_s_s", + "Type": "string" + }, + { + "Name": "detail_rtHour_d_s", + "Type": "string" + }, + { + "Name": "detail_rtWeekDay_s_s", + "Type": "string" + }, + { + "Name": "detail_ruleName_s_s", + "Type": "string" + }, + { + "Name": "detail_scanType_s_s", + "Type": "string" + }, + { + "Name": "detail_secondAct_s_s", + "Type": "string" + }, + { + "Name": "detail_secondActResult_s_s", + "Type": "string" + }, + { + "Name": "detail_senderGUID_g_s", + "Type": "string" + }, + { + "Name": "detail_senderIp_s_s", + "Type": "string" + }, + { + "Name": "detail_severity_d_s", + "Type": "string" + }, + { + "Name": "detail_deviceType_s_s", + "Type": "string" + }, + { + "Name": "detail_nativeDeviceCharacteristics_d_s", + "Type": "string" + }, + { + "Name": "detail_nativeDeviceType_d_s", + "Type": "string" + }, + { + "Name": "detail_nativeStorageDeviceBusType_d_s", + "Type": "string" + }, + { + "Name": "detail_objectSubTrueType_d_s", + "Type": "string" + }, + { + "Name": "detail_objectFirstSeen_d_d", + "Type": "real" + }, + { + "Name": "detail_objectLastSeen_d_d", + "Type": "real" + }, + { + "Name": "detail_objectRegType_d_d", + "Type": "real" + }, + { + "Name": "detail_objectRegistryData_s_s", + "Type": "string" + }, + { + "Name": "detail_objectRegistryKeyHandle_s_s", + "Type": "string" + }, + { + "Name": "detail_objectRegistryRoot_d_d", + "Type": "real" + }, + { + "Name": 
"detail_objectRegistryValue_s_s", + "Type": "string" + }, + { + "Name": "detail_eventSourceType_s_s", + "Type": "string" + }, + { + "Name": "xdrCustomerId_g_g", + "Type": "string" + }, + { + "Name": "endpoint_name_s_s", + "Type": "string" + }, + { + "Name": "endpoint_guid_g_g", + "Type": "string" + }, + { + "Name": "endpoint_ips_s_s", + "Type": "string" + }, + { + "Name": "filters_s_s", + "Type": "string" + }, + { + "Name": "entityType_s_s", + "Type": "string" + }, + { + "Name": "entityName_s_s", + "Type": "string" + }, + { + "Name": "detail_endpointHostName_s_s", + "Type": "string" + }, + { + "Name": "detail_endpointIp_s_s", + "Type": "string" + }, + { + "Name": "detail_logonUser_s_s", + "Type": "string" + }, + { + "Name": "detail_processFilePath_s_s", + "Type": "string" + }, + { + "Name": "detail_processCmd_s_s", + "Type": "string" + }, + { + "Name": "detail_eventSubId_s_s", + "Type": "string" + }, + { + "Name": "detail_objectFilePath_s_s", + "Type": "string" + }, + { + "Name": "detail_objectCmd_s_s", + "Type": "string" + }, + { + "Name": "detail_tags_s_s", + "Type": "string" + }, + { + "Name": "detail_endpointGuid_g_g", + "Type": "string" + }, + { + "Name": "detail_authId_d_d", + "Type": "real" + }, + { + "Name": "detail_endpointMacAddress_s_s", + "Type": "string" + }, + { + "Name": "detail_eventHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_eventId_s_s", + "Type": "string" + }, + { + "Name": "detail_eventTime_d_d", + "Type": "real" + }, + { + "Name": "detail_filterRiskLevel_s_s", + "Type": "string" + }, + { + "Name": "detail_integrityLevel_d_d", + "Type": "real" + }, + { + "Name": "detail_objectAuthId_d_s", + "Type": "string" + }, + { + "Name": "detail_objectFileCreation_d_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashMd5_g_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashSha1_s_s", + "Type": "string" + }, + { + "Name": 
"detail_objectFileHashSha256_s_s", + "Type": "string" + }, + { + "Name": "detail_objectFileModifiedTime_d_s", + "Type": "string" + }, + { + "Name": "detail_objectFileSize_d_s", + "Type": "string" + }, + { + "Name": "detail_objectHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_objectIntegrityLevel_d_s", + "Type": "string" + }, + { + "Name": "detail_objectLaunchTime_d_s", + "Type": "string" + }, + { + "Name": "detail_objectName_s_s", + "Type": "string" + }, + { + "Name": "detail_objectPid_d_s", + "Type": "string" + }, + { + "Name": "detail_objectRunAsLocalAccount_b_s", + "Type": "string" + }, + { + "Name": "detail_objectSessionId_d_s", + "Type": "string" + }, + { + "Name": "detail_objectSigner_s_s", + "Type": "string" + }, + { + "Name": "detail_objectSignerValid_s_s", + "Type": "string" + }, + { + "Name": "detail_objectTrueType_d_s", + "Type": "string" + }, + { + "Name": "detail_objectUser_s_s", + "Type": "string" + }, + { + "Name": "detail_objectUserDomain_s_s", + "Type": "string" + }, + { + "Name": "detail_osDescription_s_s", + "Type": "string" + }, + { + "Name": "detail_osName_s_s", + "Type": "string" + }, + { + "Name": "detail_osType_s_d", + "Type": "real" + }, + { + "Name": "detail_osVer_s_s", + "Type": "string" + }, + { + "Name": "detail_parentAuthId_d_s", + "Type": "string" + }, + { + "Name": "detail_parentCmd_s_s", + "Type": "string" + }, + { + "Name": "detail_parentFileCreation_d_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashMd5_g_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashSha1_s_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashSha256_s_s", + "Type": "string" + }, + { + "Name": "detail_parentFileModifiedTime_d_s", + "Type": "string" + }, + { + "Name": "detail_parentFilePath_s_s", + "Type": "string" + }, + { + "Name": "detail_parentFileSize_d_s", + "Type": "string" + }, + { + "Name": "detail_parentHashId_d_s", + "Type": 
"string" + }, + { + "Name": "detail_parentIntegrityLevel_d_s", + "Type": "string" + }, + { + "Name": "detail_parentLaunchTime_d_s", + "Type": "string" + }, + { + "Name": "detail_parentName_s_s", + "Type": "string" + }, + { + "Name": "detail_parentPid_d_s", + "Type": "string" + }, + { + "Name": "detail_parentSessionId_d_s", + "Type": "string" + }, + { + "Name": "detail_parentSigner_s_s", + "Type": "string" + }, + { + "Name": "detail_parentSignerValid_s_s", + "Type": "string" + }, + { + "Name": "detail_parentTrueType_d_s", + "Type": "string" + }, + { + "Name": "detail_parentUser_s_s", + "Type": "string" + }, + { + "Name": "detail_parentUserDomain_s_s", + "Type": "string" + }, + { + "Name": "detail_plang_d_d", + "Type": "real" + }, + { + "Name": "detail_pname_s_d", + "Type": "real" + }, + { + "Name": "detail_pplat_d_d", + "Type": "real" + }, + { + "Name": "detail_processFileCreation_d_d", + "Type": "real" + }, + { + "Name": "detail_processFileHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_processFileHashMd5_g_g", + "Type": "string" + }, + { + "Name": "detail_processFileHashSha1_s_s", + "Type": "string" + }, + { + "Name": "detail_processFileHashSha256_s_s", + "Type": "string" + }, + { + "Name": "detail_processFileModifiedTime_d_d", + "Type": "real" + }, + { + "Name": "detail_processFileSize_d_d", + "Type": "real" + }, + { + "Name": "detail_processHashId_d_s", + "Type": "string" + }, + { + "Name": "detail_processLaunchTime_d_d", + "Type": "real" + }, + { + "Name": "detail_processName_s_s", + "Type": "string" + }, + { + "Name": "detail_processPid_d_d", + "Type": "real" + }, + { + "Name": "detail_processSigner_s_s", + "Type": "string" + }, + { + "Name": "detail_processSignerValid_s_s", + "Type": "string" + }, + { + "Name": "detail_processTrueType_d_d", + "Type": "real" + }, + { + "Name": "detail_processUser_s_s", + "Type": "string" + }, + { + "Name": "detail_processUserDomain_s_s", + "Type": "string" + }, + { + "Name": "detail_productCode_s_s", + "Type": 
"string" + }, + { + "Name": "detail_pver_s_s", + "Type": "string" + }, + { + "Name": "detail_sessionId_d_d", + "Type": "real" + }, + { + "Name": "detail_timezone_s_s", + "Type": "string" + }, + { + "Name": "detail_userDomain_s_s", + "Type": "string" + }, + { + "Name": "detail_uuid_g_g", + "Type": "string" + }, + { + "Name": "Type_s", + "Type": "string" + }, + { + "Name": "_ResourceId_s", + "Type": "string" + }, + { + "Name": "detail_app_s", + "Type": "string" + }, + { + "Name": "detail_blocking_s", + "Type": "string" + }, + { + "Name": "detail_cccaDetectionSource_s", + "Type": "string" + }, + { + "Name": "detail_cccaRiskLevel_d", + "Type": "real" + }, + { + "Name": "detail_direction_s", + "Type": "string" + }, + { + "Name": "detail_interestedHost_s", + "Type": "string" + }, + { + "Name": "detail_policyName_s", + "Type": "string" + }, + { + "Name": "detail_rating_s", + "Type": "string" + }, + { + "Name": "detail_request_s", + "Type": "string" + }, + { + "Name": "detail_score_d", + "Type": "real" + }, + { + "Name": "detail_urlCat_s", + "Type": "string" + }, + { + "Name": "detail_patType_s", + "Type": "string" + }, + { + "Name": "detail_suid_s", + "Type": "string" + }, + { + "Name": "detail_compressedFileName_s", + "Type": "string" + }, + { + "Name": "detail_malFamily_s", + "Type": "string" + }, + { + "Name": "detail_correlationData_s", + "Type": "string" + }, + { + "Name": "detail_eventDataProviderName_s", + "Type": "string" + }, + { + "Name": "detail_eventDataProviderPath_s", + "Type": "string" + }, + { + "Name": "detail_providerGUID_g", + "Type": "string" + }, + { + "Name": "detail_providerName_s", + "Type": "string" + }, + { + "Name": "detail_rawDataSize_d", + "Type": "real" + }, + { + "Name": "detail_rawDataStr_s", + "Type": "string" + }, + { + "Name": "detail_rt_d", + "Type": "real" + }, + { + "Name": "detail_winEventId_d", + "Type": "real" + }, + { + "Name": "detail_confidence_d", + "Type": "real" + }, + { + "Name": "detail_detectionName_s", + "Type": "string" 
+ }, + { + "Name": "detail_detectionType_s", + "Type": "string" + }, + { + "Name": "detail_fileCreation_t", + "Type": "datetime" + }, + { + "Name": "detail_fileSize_d", + "Type": "real" + }, + { + "Name": "detail_threatType_s", + "Type": "string" + }, + { + "Name": "detail_act_s", + "Type": "string" + }, + { + "Name": "detail_aggregatedCount_d", + "Type": "real" + }, + { + "Name": "detail_behaviorCat_s", + "Type": "string" + }, + { + "Name": "detail_bmGroup_s", + "Type": "string" + }, + { + "Name": "detail_engineOperation_s", + "Type": "string" + }, + { + "Name": "detail_instanceId_g", + "Type": "string" + }, + { + "Name": "detail_policyId_s", + "Type": "string" + }, + { + "Name": "detail_riskLevel_s", + "Type": "string" + }, + { + "Name": "detail_ruleId_d", + "Type": "real" + }, + { + "Name": "detail_actResult_s", + "Type": "string" + }, + { + "Name": "detail_channel_s", + "Type": "string" + }, + { + "Name": "detail_deviceGUID_g", + "Type": "string" + }, + { + "Name": "detail_domainName_s", + "Type": "string" + }, + { + "Name": "detail_dvchost_s", + "Type": "string" + }, + { + "Name": "detail_endpointGUID_g", + "Type": "string" + }, + { + "Name": "detail_engType_s", + "Type": "string" + }, + { + "Name": "detail_engVer_s", + "Type": "string" + }, + { + "Name": "detail_eventId_d", + "Type": "real" + }, + { + "Name": "detail_eventName_s", + "Type": "string" + }, + { + "Name": "detail_eventSubName_s", + "Type": "string" + }, + { + "Name": "detail_fileHash_s", + "Type": "string" + }, + { + "Name": "detail_fileName_s", + "Type": "string" + }, + { + "Name": "detail_filePath_s", + "Type": "string" + }, + { + "Name": "detail_firstAct_s", + "Type": "string" + }, + { + "Name": "detail_firstActResult_s", + "Type": "string" + }, + { + "Name": "detail_fullPath_s", + "Type": "string" + }, + { + "Name": "detail_interestedIp_s", + "Type": "string" + }, + { + "Name": "detail_logKey_s", + "Type": "string" + }, + { + "Name": "detail_mDevice_s", + "Type": "string" + }, + { + "Name": 
"detail_mDeviceGUID_g", + "Type": "string" + }, + { + "Name": "detail_malDst_s", + "Type": "string" + }, + { + "Name": "detail_malName_s", + "Type": "string" + }, + { + "Name": "detail_malSubType_s", + "Type": "string" + }, + { + "Name": "detail_malType_s", + "Type": "string" + }, + { + "Name": "detail_mpname_s", + "Type": "string" + }, + { + "Name": "detail_mpver_s", + "Type": "string" + }, + { + "Name": "detail_pComp_s", + "Type": "string" + }, + { + "Name": "detail_patVer_s", + "Type": "string" + }, + { + "Name": "detail_rt_t", + "Type": "datetime" + }, + { + "Name": "detail_rtDate_s", + "Type": "string" + }, + { + "Name": "detail_rtHour_d", + "Type": "real" + }, + { + "Name": "detail_rtWeekDay_s", + "Type": "string" + }, + { + "Name": "detail_rt_utc_t", + "Type": "datetime" + }, + { + "Name": "detail_ruleName_s", + "Type": "string" + }, + { + "Name": "detail_scanType_s", + "Type": "string" + }, + { + "Name": "detail_secondAct_s", + "Type": "string" + }, + { + "Name": "detail_secondActResult_s", + "Type": "string" + }, + { + "Name": "detail_senderGUID_g", + "Type": "string" + }, + { + "Name": "detail_senderIp_s", + "Type": "string" + }, + { + "Name": "detail_severity_d", + "Type": "real" + }, + { + "Name": "detail_deviceType_s", + "Type": "string" + }, + { + "Name": "detail_nativeDeviceCharacteristics_d", + "Type": "real" + }, + { + "Name": "detail_nativeDeviceType_d", + "Type": "real" + }, + { + "Name": "detail_nativeStorageDeviceBusType_d", + "Type": "real" + }, + { + "Name": "detail_objectSubTrueType_d", + "Type": "real" + }, + { + "Name": "detail_objectFirstSeen_d", + "Type": "real" + }, + { + "Name": "detail_objectLastSeen_d", + "Type": "real" + }, + { + "Name": "detail_objectRegType_d", + "Type": "real" + }, + { + "Name": "detail_objectRegistryData_s", + "Type": "string" + }, + { + "Name": "detail_objectRegistryKeyHandle_s", + "Type": "string" + }, + { + "Name": "detail_objectRegistryRoot_d", + "Type": "real" + }, + { + "Name": 
"detail_objectRegistryValue_s", + "Type": "string" + }, + { + "Name": "detail_eventSourceType_s", + "Type": "string" + }, + { + "Name": "endpoint_ips_s", + "Type": "string" + }, + { + "Name": "detail_endpointHostName_s", + "Type": "string" + }, + { + "Name": "detail_endpointIp_s", + "Type": "string" + }, + { + "Name": "detail_logonUser_s", + "Type": "string" + }, + { + "Name": "detail_processFilePath_s", + "Type": "string" + }, + { + "Name": "detail_processCmd_s", + "Type": "string" + }, + { + "Name": "detail_eventSubId_s", + "Type": "string" + }, + { + "Name": "detail_objectFilePath_s", + "Type": "string" + }, + { + "Name": "detail_objectCmd_s", + "Type": "string" + }, + { + "Name": "detail_tags_s", + "Type": "string" + }, + { + "Name": "detail_endpointGuid_g", + "Type": "string" + }, + { + "Name": "detail_authId_d", + "Type": "real" + }, + { + "Name": "detail_endpointMacAddress_s", + "Type": "string" + }, + { + "Name": "detail_eventHashId_d", + "Type": "real" + }, + { + "Name": "detail_eventId_s", + "Type": "string" + }, + { + "Name": "detail_eventTime_d", + "Type": "real" + }, + { + "Name": "detail_eventTimeDT_t", + "Type": "datetime" + }, + { + "Name": "detail_filterRiskLevel_s", + "Type": "string" + }, + { + "Name": "detail_firstSeen_t", + "Type": "datetime" + }, + { + "Name": "detail_integrityLevel_d", + "Type": "real" + }, + { + "Name": "detail_lastSeen_t", + "Type": "datetime" + }, + { + "Name": "detail_objectAuthId_d", + "Type": "real" + }, + { + "Name": "detail_objectFileCreation_d", + "Type": "real" + }, + { + "Name": "detail_objectFileHashId_d", + "Type": "real" + }, + { + "Name": "detail_objectFileHashMd5_g", + "Type": "string" + }, + { + "Name": "detail_objectFileHashSha1_s", + "Type": "string" + }, + { + "Name": "detail_objectFileHashSha256_s", + "Type": "string" + }, + { + "Name": "detail_objectFileModifiedTime_d", + "Type": "real" + }, + { + "Name": "detail_objectFileSize_d", + "Type": "real" + }, + { + "Name": "detail_objectHashId_d", + "Type": 
"real" + }, + { + "Name": "detail_objectIntegrityLevel_d", + "Type": "real" + }, + { + "Name": "detail_objectLaunchTime_d", + "Type": "real" + }, + { + "Name": "detail_objectName_s", + "Type": "string" + }, + { + "Name": "detail_objectPid_d", + "Type": "real" + }, + { + "Name": "detail_objectRunAsLocalAccount_b", + "Type": "bool" + }, + { + "Name": "detail_objectSessionId_d", + "Type": "real" + }, + { + "Name": "detail_objectSigner_s", + "Type": "string" + }, + { + "Name": "detail_objectSignerValid_s", + "Type": "string" + }, + { + "Name": "detail_objectTrueType_d", + "Type": "real" + }, + { + "Name": "detail_objectUser_s", + "Type": "string" + }, + { + "Name": "detail_objectUserDomain_s", + "Type": "string" + }, + { + "Name": "detail_osDescription_s", + "Type": "string" + }, + { + "Name": "detail_osName_s", + "Type": "string" + }, + { + "Name": "detail_osType_s", + "Type": "string" + }, + { + "Name": "detail_osVer_s", + "Type": "string" + }, + { + "Name": "detail_parentAuthId_d", + "Type": "real" + }, + { + "Name": "detail_parentCmd_s", + "Type": "string" + }, + { + "Name": "detail_parentFileCreation_d", + "Type": "real" + }, + { + "Name": "detail_parentFileHashId_d", + "Type": "real" + }, + { + "Name": "detail_parentFileHashMd5_g", + "Type": "string" + }, + { + "Name": "detail_parentFileHashSha1_s", + "Type": "string" + }, + { + "Name": "detail_parentFileHashSha256_s", + "Type": "string" + }, + { + "Name": "detail_parentFileModifiedTime_d", + "Type": "real" + }, + { + "Name": "detail_parentFilePath_s", + "Type": "string" + }, + { + "Name": "detail_parentFileSize_d", + "Type": "real" + }, + { + "Name": "detail_parentHashId_d", + "Type": "real" + }, + { + "Name": "detail_parentIntegrityLevel_d", + "Type": "real" + }, + { + "Name": "detail_parentLaunchTime_d", + "Type": "real" + }, + { + "Name": "detail_parentName_s", + "Type": "string" + }, + { + "Name": "detail_parentPid_d", + "Type": "real" + }, + { + "Name": "detail_parentSessionId_d", + "Type": "real" + }, + { 
+ "Name": "detail_parentSigner_s", + "Type": "string" + }, + { + "Name": "detail_parentSignerValid_s", + "Type": "string" + }, + { + "Name": "detail_parentTrueType_d", + "Type": "real" + }, + { + "Name": "detail_parentUser_s", + "Type": "string" + }, + { + "Name": "detail_parentUserDomain_s", + "Type": "string" + }, + { + "Name": "detail_plang_d", + "Type": "real" + }, + { + "Name": "detail_pname_s", + "Type": "string" + }, + { + "Name": "detail_pplat_d", + "Type": "real" + }, + { + "Name": "detail_processFileCreation_d", + "Type": "real" + }, + { + "Name": "detail_processFileHashId_d", + "Type": "real" + }, + { + "Name": "detail_processFileHashMd5_g", + "Type": "string" + }, + { + "Name": "detail_processFileHashSha1_s", + "Type": "string" + }, + { + "Name": "detail_processFileHashSha256_s", + "Type": "string" + }, + { + "Name": "detail_processFileModifiedTime_d", + "Type": "real" + }, + { + "Name": "detail_processFileSize_d", + "Type": "real" + }, + { + "Name": "detail_processHashId_d", + "Type": "real" + }, + { + "Name": "detail_processLaunchTime_d", + "Type": "real" + }, + { + "Name": "detail_processName_s", + "Type": "string" + }, + { + "Name": "detail_processPid_d", + "Type": "real" + }, + { + "Name": "detail_processSigner_s", + "Type": "string" + }, + { + "Name": "detail_processSignerValid_s", + "Type": "string" + }, + { + "Name": "detail_processTrueType_d", + "Type": "real" + }, + { + "Name": "detail_processUser_s", + "Type": "string" + }, + { + "Name": "detail_processUserDomain_s", + "Type": "string" + }, + { + "Name": "detail_productCode_s", + "Type": "string" + }, + { + "Name": "detail_pver_s", + "Type": "string" + }, + { + "Name": "detail_sessionId_d", + "Type": "real" + }, + { + "Name": "detail_timezone_s", + "Type": "string" + }, + { + "Name": "detail_userDomain_s", + "Type": "string" + }, + { + "Name": "detail_uuid_g", + "Type": "string" } - -] + ] } \ No newline at end of file 
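Review bot: Several added column names look like the product of a suffix-stripping step rather than real columns: `detailuid_s_s`, `detaileviceGUID_s`, `detailenderGUID_s`, `detailirection_s`, `detailcore_s`, `detailessionId_s`, `detailetectionName_s`, `detailomainName_s`, `detailvchost_s`, `detailcanType_s`, `detailecondAct_s`, `detaileverity_s` and `detaileviceType_s` each equal a genuine name from the same hunk with an interior `_s` or `_d` removed (`detail_suid_s_s` → `detailuid_s_s`, `detail_deviceGUID_s` → `detaileviceGUID_s`). Whether these exist in the live table cannot be told from the diff; if they are artifacts, the validation schema will accept parser references to columns that will not resolve at query time, which is exactly the failure this file exists to catch. Suggest regenerating the list from the table schema, or removing those entries by hand. The new side also still ends with `\ No newline at end of file`.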
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index fed09b7e476..01b01cbf88e 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -488,6 +488,7 @@ EventOriginalSeverity,string,Optional,Dns,,,
 EventOriginalSeverity,string,Optional,FileEvent,,,
 EventOriginalSeverity,string,Optional,NetworkSession,,,
 EventOriginalSeverity,string,Optional,ProcessEvent,,,
+EventOriginalSeverity,string,Optional,RegistryEvent,,,
 EventOriginalSeverity,string,Optional,UserManagement,,,
 EventOriginalSeverity,string,Optional,WebSession,,,
 EventOriginalSubType,string,Optional,AuditEvent,,,
@@ -544,6 +545,9 @@ EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Ve
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|Carbon Black Cloud,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne,
+EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Vision One,
+EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
+EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne,
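Review bot: The three added rows leave four `EventProduct` rows for `RegistryEvent` and two for `WebSession` within this one hunk; the added WebSession row is the existing one without `|ASM`, and the two added RegistryEvent rows differ only in `Carbon Black Cloud`, which reads like an unresolved merge rather than an intended change. Which row the tester honours when several match the same field and schema cannot be told from this file, so the extra rows are at best dead and at worst make the allowed product list depend on row order. Suggest a single row, `EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,`, replacing the existing RegistryEvent rows, and dropping the added WebSession row altogether.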
@@ -603,6 +607,7 @@ EventSchema,string,Mandatory,NetworkSession,Enumerated,NetworkSession,
 EventSchema,string,Mandatory,UserManagement,Enumerated,UserManagement,
 EventSchema,string,Mandatory,WebSession,Enumerated,WebSession,
 EventSchema,string,Recommended,ProcessEvent,,ProcessEvent,
+EventSchema,string,Mandatory,RegistryEvent,,RegistryEvent,
 EventSchemaVersion,string,Mandatory,AuditEvent,SchemaVersion,,
 EventSchemaVersion,string,Mandatory,Authentication,SchemaVersion,,
 EventSchemaVersion,string,Mandatory,Common,SchemaVersion,,
@@ -619,6 +624,7 @@ EventSeverity,string,Mandatory,UserManagement,Enumerated,Informational|Low|Mediu
 EventSeverity,string,Mandatory,WebSession,Enumerated,Informational|Low|Medium|High,
 EventSeverity,string,Optional,Dns,Enumerated,Informational|Low|Medium|High,
 EventSeverity,string,Optional,ProcessEvent,Enumerated,Informational|Low|Medium|High,
+EventSeverity,string,Recommended,RegistryEvent,Enumerated,Informational|Low|Medium|High,
 EventSeverity,string,Recommended,AuditEvent,Enumerated,Informational|Low|Medium|High,
 EventSeverity,string,Recommended,Authentication,Enumerated,Informational|Low|Medium|High,
 EventSeverity,string,Recommended,Dhcp,Enumerated,Informational|Low|Medium|High,
@@ -787,7 +793,7 @@ ParentProcessFileVersion,string,Optional,ProcessEvent,,,
 ParentProcessGuid,string,Optional,ProcessEvent,,,
 ParentProcessGuid,string,Optional,RegistryEvent,,,
 ParentProcessId,string,Recommended,ProcessEvent,,,
-ParentProcessId,string,Recommended,RegistryEvent,,,
+ParentProcessId,string,Mandatory,RegistryEvent,,,
 ParentProcessIMPHASH,string,Optional,ProcessEvent,,,
 ParentProcessInjectedAddress,string,Optional,ProcessEvent,,,
 ParentProcessIntegrityLevel,string,Optional,ProcessEvent,,,
diff --git a/Parsers/ASimRegistryEvent/Parsers/ASimRegistry.yaml b/Parsers/ASimRegistryEvent/Parsers/ASimRegistry.yaml
index 183bc05564a..adbd6d4c860 100644
--- a/Parsers/ASimRegistryEvent/Parsers/ASimRegistry.yaml
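Review bot: Promoting ParentProcessId from Recommended to Mandatory for RegistryEvent in the `@@ -787` hunk conflicts with the Trend Micro test output committed in this same PR, which records ParentProcessId empty in 129 of 229 records (56%) as a recommended field; once the field is Mandatory those records would presumably fail validation when the tests are regenerated. Unless the RegistryEvent schema genuinely requires it, keep `ParentProcessId,string,Recommended,RegistryEvent,,,`. Separately, the new `EventSchema,string,Mandatory,RegistryEvent,,RegistryEvent,` row leaves the fifth column empty where the other Mandatory EventSchema rows carry `Enumerated`; `EventSchema,string,Mandatory,RegistryEvent,Enumerated,RegistryEvent,` would match them.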
+++ b/Parsers/ASimRegistryEvent/Parsers/ASimRegistry.yaml @@ -26,6 +26,7 @@ Parsers: - _ASim_RegistryEvent_MicrosoftSysmon - _ASim_RegistryEvent_MicrosoftWindowsEvent - _ASim_RegistryEvent_SentinelOne + - _ASim_RegistryEvent_TrendMicroVisionOne - _ASim_RegistryEvent_VMwareCarbonBlackCloud ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser)); @@ -37,6 +38,7 @@ ParserQuery: | ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))), ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))), ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))), - ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))) + ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))), + ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) ))) }; parser (pack=pack) diff --git a/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventTrendMicroVisionOne.yaml b/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventTrendMicroVisionOne.yaml new file mode 100644 index 00000000000..80eec6fd290 --- /dev/null +++ b/Parsers/ASimRegistryEvent/Parsers/ASimRegistryEventTrendMicroVisionOne.yaml 
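Review bot: The `@@ -26` hunk inserts `_ASim_RegistryEvent_TrendMicroVisionOne` alphabetically before `_ASim_RegistryEvent_VMwareCarbonBlackCloud`, while the `@@ -37` hunk appends the `ASimRegistryEventTrendMicroVisionOne(...)` union member after it, and imRegistry.yaml appends the new parser last in both its list and its union. Pick one ordering (alphabetical matches the rest of both lists) and apply it to all four spots so the documented parser list and the union stay in step. The union expression continues outside the hunk, so the trailing `};` is not visible here.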
@@ -0,0 +1,137 @@ +Parser: + Title: Registry Event ASIM Parser for Trend Micro Vision One + Version: '0.1.0' + LastUpdated: Oct 12, 2023 +Product: + Name: Trend Micro Vision One +Normalization: + Schema: RegistryEvent + Version: '0.1.2' +References: +- Title: ASIM Registry Schema + Link: https://aka.ms/ASimRegistryEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: Trend Micro Vision One documentation + Link: + https://docs.trendmicro.com/en-us/enterprise/trend-vision-one/xdr-part/search-app/data-mapping-intro/data-mapping-detecti.aspx + https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques-Pipeline/paths/~1v3.0~1oat~1dataPipelines~1%7Bid%7D~1packages~1%7BpackageId%7D/get + https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques/paths/~1v3.0~1oat~1detections/get +Description: | + This ASIM parser supports normalizing Trend Micro Vision One logs to the ASIM Registry Event normalized schema. Trend Micro Vision One events are captured through Trend Vision One data connector which ingests XDR logs into Microsoft Sentinel through the Trend Vision One API. 
+ParserName: ASimRegistryEventTrendMicroVisionOne +EquivalentBuiltInParser: _ASim_RegistryEvent_TrendMicroVisionOne +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[ + "TELEMETRY_REGISTRY_CREATE", "RegistryKeyCreated", + "TELEMETRY_REGISTRY_SET", "RegistryValueSet", + "TELEMETRY_REGISTRY_DELETE", "RegistryKeyDeleted", + "TELEMETRY_REGISTRY_RENAME", "RegistryKeyRenamed" + ]; + let RegistryKeyPrefixLookup = datatable( + RegistryKeyPrefix: string, + RegistryKeyNormalizedPrefix: string + )[ + "HKLM", "HKEY_LOCAL_MACHINE", + "HKU", "HKEY_USERS", + "HKCU", "HKEY_CURRENT_USER", + "HKCR", "HKEY_CLASSES_ROOT", + "HKCC", "HKEY_CURRENT_CONFIG" + ]; + let RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[ + 0, "Reg_None", + 1, "Reg_Sz", + 2, "Reg_Expand_Sz", + 3, "Reg_Binary", + 4, "Reg_DWord", + 5, "Reg_DWord", + 7, "Reg_Multi_Sz", + 11, "Reg_QWord" + ]; + let EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[ + "low", "Low", + "medium", "Medium", + "high", "High", + "info", "Informational", + "critical", "High" + ]; + let parser = (disabled: bool=false) { + TrendMicro_XDR_OAT_CL + | where not(disabled) + | where detail_eventId_s == "TELEMETRY_REGISTRY" + | parse filters_s with * "[" filters: string "]" + | parse-kv filters as (description: string, name: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | lookup EventTypeLookup on detail_eventSubId_s + | lookup RegistryValueTypeLookup on detail_objectRegType_d + | lookup EventSeverityLookup on detail_filterRiskLevel_s + | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s') + | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\')[0]) + | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix + | extend + RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, 
RegistryKeyNormalizedPrefix), + ActingProcessId = tostring(toint(detail_processPid_d)), + ParentProcessId = tostring(toint(detail_parentPid_d)), + ActorSessionId = tostring(toint(detail_authId_d)), + AdditionalFields = bag_pack( + "name", name, + "tags", detail_tags_s, + "objectRegType", detail_objectRegType_d + ) + | extend + EventCount = int(1), + EventProduct = "Vision One", + EventVendor = "Trend Micro", + EventSchema = "RegistryEvent", + EventSchemaVersion = "0.1.2", + EventResult = "Success", + DvcAction = "Allowed" + | project-rename + ActorUsername = detail_processUser_s, + EventStartTime = detail_eventTimeDT_t, + RegistryValue = detail_objectRegistryValue_s, + RegistryValueData = detail_objectRegistryData_s, + ActingProcessName = detail_processName_s, + DvcId = detail_endpointGuid_g, + DvcOs = detail_osName_s, + DvcOsVersion = detail_osVer_s, + EventUid = _ItemId, + EventOriginalSubType = detail_eventSubId_s, + EventOriginalType = detail_eventId_s, + EventOriginalUid = detail_uuid_g, + EventOriginalSeverity = detail_filterRiskLevel_s, + EventProductVersion = detail_pver_s, + EventMessage = description + | extend + User = ActorUsername, + ActorUsernameType = iff(isnotempty(ActorUsername), "Simple", ""), + ActorUserType = _ASIM_GetUserType(ActorUsername,""), + Dvc = coalesce(DvcFQDN, DvcId, DvcHostname), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + Process = ActingProcessName, + EventEndTime = EventStartTime, + RegistryPreviousKey = RegistryKey, + RegistryPreviousValue = RegistryValue, + RegistryPreviousValueData = RegistryValueData, + RegistryPreviousValueType = RegistryValueType + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + _ResourceId, + Computer, + MG, + ManagementGroupName, + RawData, + SourceSystem, + TenantId, + name, + filters, + *Prefix + }; + parser(disabled = disabled) \ No newline at end of file 
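Review bot: `RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)` rewrites every occurrence of the first path segment rather than only the leading one, and when that segment is not in RegistryKeyPrefixLookup (a handle already spelled `HKEY_LOCAL_MACHINE\...`, or any other root) the lookup leaves RegistryKeyNormalizedPrefix empty, so the prefix is deleted and RegistryKey starts with `\`. A guarded prefix swap avoids both: `RegistryKey = iff(isempty(RegistryKeyNormalizedPrefix), detail_objectRegistryKeyHandle_s, strcat(RegistryKeyNormalizedPrefix, substring(detail_objectRegistryKeyHandle_s, strlen(RegistryKeyPrefix))))`. The same expression appears in vimRegistryEventTrendMicroVisionOne.yaml and needs the same change. Separately, `https:/aka.ms/AboutASIM` is missing a slash, and the `parse`/`parse-kv` extraction of `description` will truncate at the first `,` or `:` inside the description text; if `filters_s` is a JSON array, `tostring(parse_json(filters_s)[0].description)` would be more robust, though the field's format is not visible from here.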
diff --git a/Parsers/ASimRegistryEvent/Parsers/imRegistry.yaml b/Parsers/ASimRegistryEvent/Parsers/imRegistry.yaml index 9d31f1ef4aa..2f1ddf0107f 100644 --- a/Parsers/ASimRegistryEvent/Parsers/imRegistry.yaml +++ b/Parsers/ASimRegistryEvent/Parsers/imRegistry.yaml @@ -54,6 +54,7 @@ Parsers: - _Im_RegistryEvent_MicrosoftWindowsEvent - _Im_RegistryEvent_SentinelOne - _Im_RegistryEvent_VMwareCarbonBlackCloud + - _Im_RegistryEvent_TrendMicroVisionOne ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); let vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); 
@@ -75,6 +76,7 @@ ParserQuery: | vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))), vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))), vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))), - vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))) + vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = 
registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))), + vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) ))) }; parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack) \ No newline at end of file diff --git a/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventTrendMicroVisionOne.yaml b/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventTrendMicroVisionOne.yaml new file mode 100644 index 00000000000..cdfaea140ad --- /dev/null +++ b/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventTrendMicroVisionOne.yaml 
@@ -0,0 +1,169 @@ +Parser: + Title: Registry Event ASIM Parser for Trend Micro Vision One + Version: '0.1.0' + LastUpdated: Oct 12, 2023 +Product: + Name: Trend Micro Vision One +Normalization: + Schema: RegistryEvent + Version: '0.1.2' +References: +- Title: ASIM Registry Schema + Link: https://aka.ms/ASimRegistryEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: Trend Micro Vision One documentation + Link: + https://docs.trendmicro.com/en-us/enterprise/trend-vision-one/xdr-part/search-app/data-mapping-intro/data-mapping-detecti.aspx + https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques-Pipeline/paths/~1v3.0~1oat~1dataPipelines~1%7Bid%7D~1packages~1%7BpackageId%7D/get + https://automation.trendmicro.com/xdr/api-v3#tag/Observed-Attack-Techniques/paths/~1v3.0~1oat~1detections/get +Description: | + This ASIM parser supports normalizing Trend Micro Vision One logs to the ASIM Registry Event normalized schema. Trend Micro Vision One events are captured through Trend Vision One data connector which ingests XDR logs into Microsoft Sentinel through the Trend Vision One API. 
+ParserName: vimRegistryEventTrendMicroVisionOne +EquivalentBuiltInParser: _Im_RegistryEvent_TrendMicroVisionOne +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: actorusername_has_any + Type: dynamic + Default: dynamic([]) + - Name: registrykey_has_any + Type: dynamic + Default: dynamic([]) + - Name: registryvalue_has_any + Type: dynamic + Default: dynamic([]) + - Name: registryvaluedata_has_any + Type: dynamic + Default: dynamic([]) + - Name: dvchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[ + "TELEMETRY_REGISTRY_CREATE", "RegistryKeyCreated", + "TELEMETRY_REGISTRY_SET", "RegistryValueSet", + "TELEMETRY_REGISTRY_DELETE", "RegistryKeyDeleted", + "TELEMETRY_REGISTRY_RENAME", "RegistryKeyRenamed" + ]; + let RegistryKeyPrefixLookup = datatable( + RegistryKeyPrefix: string, + RegistryKeyNormalizedPrefix: string + )[ + "HKLM", "HKEY_LOCAL_MACHINE", + "HKU", "HKEY_USERS", + "HKCU", "HKEY_CURRENT_USER", + "HKCR", "HKEY_CLASSES_ROOT", + "HKCC", "HKEY_CURRENT_CONFIG" + ]; + let RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[ + 0, "Reg_None", + 1, "Reg_Sz", + 2, "Reg_Expand_Sz", + 3, "Reg_Binary", + 4, "Reg_DWord", + 5, "Reg_DWord", + 7, "Reg_Multi_Sz", + 11, "Reg_QWord" + ]; + let EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[ + "low", "Low", + "medium", "Medium", + "high", "High", + "info", "Informational", + "critical", "High" + ]; + let parser = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: 
dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false) { + TrendMicro_XDR_OAT_CL + | where not(disabled) + | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) + | where detail_eventId_s == "TELEMETRY_REGISTRY" + | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any)) + and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any)) + and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any)) + and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any)) + | parse filters_s with * "[" filters: string "]" + | parse-kv filters as (description: string, name: string) with (pair_delimiter=",", kv_delimiter=":", quote='"') + | lookup EventTypeLookup on detail_eventSubId_s + | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in)) + | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s') + | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\')[0]) + | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix + | extend + RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix) + | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any)) + | lookup EventSeverityLookup on detail_filterRiskLevel_s + | lookup RegistryValueTypeLookup on detail_objectRegType_d + | extend + ActingProcessId = tostring(toint(detail_processPid_d)), + ParentProcessId = tostring(toint(detail_parentPid_d)), + ActorSessionId = tostring(toint(detail_authId_d)), + AdditionalFields = bag_pack( + "name", name, + "tags", detail_tags_s, + "objectRegType", detail_objectRegType_d + ) + | extend + EventCount = int(1), + EventProduct = "Vision One", 
+ EventVendor = "Trend Micro", + EventSchema = "RegistryEvent", + EventSchemaVersion = "0.1.2", + EventResult = "Success", + DvcAction = "Allowed" + | project-rename + ActorUsername = detail_processUser_s, + EventStartTime = detail_eventTimeDT_t, + RegistryValue = detail_objectRegistryValue_s, + RegistryValueData = detail_objectRegistryData_s, + ActingProcessName = detail_processName_s, + DvcId = detail_endpointGuid_g, + DvcOs = detail_osName_s, + DvcOsVersion = detail_osVer_s, + EventUid = _ItemId, + EventOriginalSubType = detail_eventSubId_s, + EventOriginalType = detail_eventId_s, + EventOriginalUid = detail_uuid_g, + EventOriginalSeverity = detail_filterRiskLevel_s, + EventProductVersion = detail_pver_s, + EventMessage = description + | extend + User = ActorUsername, + ActorUsernameType = iff(isnotempty(ActorUsername), "Simple", ""), + ActorUserType = _ASIM_GetUserType(ActorUsername, ""), + Dvc = coalesce(DvcFQDN, DvcId, DvcHostname), + DvcIdType = iff(isnotempty(DvcId), "Other", ""), + Process = ActingProcessName, + EventEndTime = EventStartTime, + RegistryPreviousKey = RegistryKey, + RegistryPreviousValue = RegistryValue, + RegistryPreviousValueData = RegistryValueData, + RegistryPreviousValueType = RegistryValueType + | project-away + *_d, + *_s, + *_g, + *_t, + *_b, + _ResourceId, + Computer, + MG, + ManagementGroupName, + RawData, + SourceSystem, + TenantId, + name, + filters, + *Prefix + }; + parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled) \ No newline at end of file 
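Review bot: `| where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))` uses a term-level, case-insensitive match for what the `_in` parameter name presents as set membership, so on a single-token value like `RegistryKeyCreated` it behaves roughly like `in~` and differs in intent from an exact filter. `EventType in (eventtype_in)` is the direct form and matches what the parameter name promises. The RegistryKey prefix replacement in this file has the same unmatched-prefix problem raised on the ASim parser.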
diff --git a/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_DataTest.csv b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_DataTest.csv
new file mode 100644
index 00000000000..2b45ee5f3a5
--- /dev/null
+++ b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_DataTest.csv
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.44%) for field [DvcHostname] of type [Hostname]: [""QA_test""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Vision One""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventType] of type [Enumerated]: [""RegistryValueSet""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Trend Micro""] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 129 records (56.33%) in recommended field [ParentProcessId] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryPreviousValue] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryValue] (Schema:RegistryEvent)"
diff --git a/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_SchemaTest.csv b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_SchemaTest.csv
new file mode 100644
index 00000000000..67d436e5e15
--- /dev/null
+++ b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_ASimRegistryEvent_SchemaTest.csv
@@ -0,0 +1,37 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessName]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: extra unnormalized column [ActorUserType]"
+"(2) Info: extra unnormalized column [DvcAction]"
+"(2) Info: extra unnormalized column [DvcDomainType]"
+"(2) Info: extra unnormalized column [DvcDomain]"
+"(2) Info: extra unnormalized column [DvcFQDN]"
+"(2) Info: extra unnormalized column [DvcIdType]"
+"(2) Info: extra unnormalized column [EventOriginalSeverity]"
+"(2) Info: extra unnormalized column [EventSchema]"
+"(2) Info: extra unnormalized column [EventSeverity]"
diff --git a/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_DataTest.csv b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_DataTest.csv
new file mode 100644
index 00000000000..2b45ee5f3a5
--- /dev/null
+++ b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_DataTest.csv
@@ -0,0 +1,8 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.44%) for field [DvcHostname] of type [Hostname]: [""QA_test""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Vision One""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventType] of type [Enumerated]: [""RegistryValueSet""] (Schema:RegistryEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 229 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Trend Micro""] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 129 records (56.33%) in recommended field [ParentProcessId] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryPreviousValue] (Schema:RegistryEvent)"
+"(2) Info: Empty value in 94 records (41.05%) in recommended field [RegistryValue] (Schema:RegistryEvent)"
diff --git a/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_SchemaTest.csv b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_SchemaTest.csv
new file mode 100644
index 00000000000..67d436e5e15
--- /dev/null
+++ b/Parsers/ASimRegistryEvent/test/TrendMicro_VisionOne_vimRegistryEvent_SchemaTest.csv
@@ -0,0 +1,37 @@
+Result
+"(1) Warning: Missing recommended field [ActorUserId]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
+"(2) Info: Missing optional field [ActingProcessGuid]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [ParentProcessGuid]"
+"(2) Info: Missing optional field [ParentProcessName]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: extra unnormalized column [ActorUserType]"
+"(2) Info: extra unnormalized column [DvcAction]"
+"(2) Info: extra unnormalized column [DvcDomainType]"
+"(2) Info: extra unnormalized column [DvcDomain]"
+"(2) Info: extra unnormalized column [DvcFQDN]"
+"(2) Info: extra unnormalized column [DvcIdType]"
+"(2) Info: extra unnormalized column [EventOriginalSeverity]"
+"(2) Info: extra unnormalized column [EventSchema]"
+"(2) Info: extra unnormalized column [EventSeverity]"
diff --git a/Sample Data/ASIM/TrendMicroVisionOne_ASimProcessEvent_IngestedLogs.csv b/Sample Data/ASIM/TrendMicroVisionOne_ASimProcessEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..9f74f65e96f
--- /dev/null
+++ b/Sample Data/ASIM/TrendMicroVisionOne_ASimProcessEvent_IngestedLogs.csv
@@ -0,0 +1,21 @@ +TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,detailuid_s_s,detail_fileCreation_t_UTC_s,detaileviceGUID_s,detail_rt_t_UTC_s,detail_rt_utc_t_UTC_s,detailenderGUID_s,detectionTime_t_UTC_s,detail_eventTimeDT_t_UTC_s,detail_firstSeen_t_UTC_s,detail_lastSeen_t_UTC_s,detailessionId_s,detail_score_s,detail_providerGUID_s,detail_instanceId_s,detail_deviceGUID_s,detail_endpointGUID_s,detail_mDeviceGUID_s,detail_senderGUID_s,detail_severity_s,detail_objectFileHashMd5_s,detail_objectRunAsLocalAccount_s,detail_parentFileHashMd5_s,detail_fileCreation_UTC__s,detail_rt_UTC__s,detail_rt_utc_UTC__s,detectionTime_UTC__s,detail_eventTimeDT_UTC__s,detail_firstSeen_UTC__s,detail_lastSeen_UTC__s,TimeGenerated_UTC_s,detail_cccaRiskLevel_s,detailirection_s,detailcore_s,detailuid_s,detail_rawDataSize_s,detail_rt_s,detail_winEventId_s,detail_confidence_s,detailetectionName_s,detailetectionType_s,detail_fileCreation_t_UTC__s,detail_fileSize_s,detail_aggregatedCount_s,detail_ruleId_s,detaileviceGUID_g_s,detailomainName_s,detailvchost_s,detail_rt_t_UTC__s,detail_rtHour_s,detail_rt_utc_t_UTC__s,detailcanType_s,detailecondAct_s,detailecondActResult_s,detailenderGUID_g_s,detailenderIp_s,detaileverity_s,detaileviceType_s,detail_nativeDeviceCharacteristics_s,detail_nativeDeviceType_s,detail_nativeStorageDeviceBusType_s,detail_objectSubTrueType_s,xdrCustomerId_g_g_g,detectionTime_t_UTC__s,endpoint_guid_g_g_g,detail_endpointGuid_g_g_g,detail_eventHashId_s,detail_eventTimeDT_t_UTC__s,detail_firstSeen_t_UTC__s,detail_lastSeen_t_UTC__s,detail_objectAuthId_s,detail_objectFileCreation_s,detail_objectFileHashId_s,detail_objectFileModifiedTime_s,detail_objectFileSize_s,detail_objectHashId_s,detail_objectIntegrityLevel_s,detail_objectLaunchTime_s,detail_objectPid_s,detail_objectSessionId_s,detail_objectTrueType_s,detail_osType_d,detail_parentAuthId_s,detail_parentFileCreation_s,detail_parentFileHashId_s,detail_parentFileModifiedTime_s,detail_parentFileSize
_s,detail_parentHashId_s,detail_parentIntegrityLevel_s,detail_parentLaunchTime_s,detail_parentPid_s,detail_parentSessionId_s,detail_parentTrueType_s,detail_pname_d,detail_processFileHashId_s,detail_processFileHashMd5_g_g_g,detail_processHashId_s,detailessionId_d,detail_uuid_g_g_g,MG_s,TimeGenerated_UTC__s,detail_app_s_s,detail_blocking_s_s,detail_cccaDetectionSource_s_s,detail_cccaRiskLevel_d_s,detail_direction_s_s,detail_interestedHost_s_s,detail_policyName_s_s,detail_rating_s_s,detail_request_s_s,detail_score_d_s,detail_urlCat_s_s,detail_patType_s_s,detail_suid_s_s,detail_compressedFileName_s_s,detail_malFamily_s_s,detail_correlationData_s_s,detail_eventDataProviderName_s_s,detail_eventDataProviderPath_s_s,detail_providerGUID_g_s,detail_providerName_s_s,detail_rawDataSize_d_s,detail_rawDataStr_s_s,detail_rt_d_s,detail_winEventId_d_s,detail_confidence_d_s,detail_detectionName_s_s,detail_detectionType_s_s,detail_fileSize_d_s,detail_threatType_s_s,detail_act_s_s,detail_aggregatedCount_d_s,detail_behaviorCat_s_s,detail_bmGroup_s_s,detail_engineOperation_s_s,detail_instanceId_g_s,detail_policyId_s_s,detail_riskLevel_s_s,detail_ruleId_d_s,detail_actResult_s_s,detail_channel_s_s,detail_deviceGUID_g_s,detail_domainName_s_s,detail_dvchost_s_s,detail_endpointGUID_g_s,detail_engType_s_s,detail_engVer_s_s,detail_eventId_d_s,detail_eventName_s_s,detail_eventSubName_s_s,detail_fileHash_s_s,detail_fileName_s_s,detail_filePath_s_s,detail_firstAct_s_s,detail_firstActResult_s_s,detail_fullPath_s_s,detail_interestedIp_s_s,detail_logKey_s_s,detail_mDevice_s_s,detail_mDeviceGUID_g_s,detail_malDst_s_s,detail_malName_s_s,detail_malSubType_s_s,detail_malType_s_s,detail_mpname_s_s,detail_mpver_s_s,detail_pComp_s_s,detail_patVer_s_s,detail_rtDate_s_s,detail_rtHour_d_s,detail_rtWeekDay_s_s,detail_ruleName_s_s,detail_scanType_s_s,detail_secondAct_s_s,detail_secondActResult_s_s,detail_senderGUID_g_s,detail_senderIp_s_s,detail_severity_d_s,detail_deviceType_s_s,detail_nativeDeviceCharacteristi
cs_d_s,detail_nativeDeviceType_d_s,detail_nativeStorageDeviceBusType_d_s,detail_objectSubTrueType_d_s,detail_objectFirstSeen_d_d,detail_objectLastSeen_d_d,detail_objectRegType_d_d,detail_objectRegistryData_s_s,detail_objectRegistryKeyHandle_s_s,detail_objectRegistryRoot_d_d,detail_objectRegistryValue_s_s,detail_eventSourceType_s_s,xdrCustomerId_g_g,endpoint_name_s_s,endpoint_guid_g_g,endpoint_ips_s_s,filters_s_s,entityType_s_s,entityName_s_s,detail_endpointHostName_s_s,detail_endpointIp_s_s,detail_logonUser_s_s,detail_processFilePath_s_s,detail_processCmd_s_s,detail_eventSubId_s_s,detail_objectFilePath_s_s,detail_objectCmd_s_s,detail_tags_s_s,detail_endpointGuid_g_g,detail_authId_d_d,detail_endpointMacAddress_s_s,detail_eventHashId_d_s,detail_eventId_s_s,detail_eventTime_d_d,detail_filterRiskLevel_s_s,detail_integrityLevel_d_d,detail_objectAuthId_d_s,detail_objectFileCreation_d_s,detail_objectFileHashId_d_s,detail_objectFileHashMd5_g_s,detail_objectFileHashSha1_s_s,detail_objectFileHashSha256_s_s,detail_objectFileModifiedTime_d_s,detail_objectFileSize_d_s,detail_objectHashId_d_s,detail_objectIntegrityLevel_d_s,detail_objectLaunchTime_d_s,detail_objectName_s_s,detail_objectPid_d_s,detail_objectRunAsLocalAccount_b_s,detail_objectSessionId_d_s,detail_objectSigner_s_s,detail_objectSignerValid_s_s,detail_objectTrueType_d_s,detail_objectUser_s_s,detail_objectUserDomain_s_s,detail_osDescription_s_s,detail_osName_s_s,detail_osType_s_d,detail_osVer_s_s,detail_parentAuthId_d_s,detail_parentCmd_s_s,detail_parentFileCreation_d_s,detail_parentFileHashId_d_s,detail_parentFileHashMd5_g_s,detail_parentFileHashSha1_s_s,detail_parentFileHashSha256_s_s,detail_parentFileModifiedTime_d_s,detail_parentFilePath_s_s,detail_parentFileSize_d_s,detail_parentHashId_d_s,detail_parentIntegrityLevel_d_s,detail_parentLaunchTime_d_s,detail_parentName_s_s,detail_parentPid_d_s,detail_parentSessionId_d_s,detail_parentSigner_s_s,detail_parentSignerValid_s_s,detail_parentTrueType_d_s,detail_parentUser_s
_s,detail_parentUserDomain_s_s,detail_plang_d_d,detail_pname_s_d,detail_pplat_d_d,detail_processFileCreation_d_d,detail_processFileHashId_d_s,detail_processFileHashMd5_g_g,detail_processFileHashSha1_s_s,detail_processFileHashSha256_s_s,detail_processFileModifiedTime_d_d,detail_processFileSize_d_d,detail_processHashId_d_s,detail_processLaunchTime_d_d,detail_processName_s_s,detail_processPid_d_d,detail_processSigner_s_s,detail_processSignerValid_s_s,detail_processTrueType_d_d,detail_processUser_s_s,detail_processUserDomain_s_s,detail_productCode_s_s,detail_pver_s_s,detail_sessionId_d_d,detail_timezone_s_s,detail_userDomain_s_s,detail_uuid_g_g,Type_s,_ResourceId_s,detail_app_s,detail_blocking_s,detail_cccaDetectionSource_s,detail_cccaRiskLevel_d,detail_direction_s,detail_interestedHost_s,detail_policyName_s,detail_rating_s,detail_request_s,detail_score_d,detail_urlCat_s,detail_patType_s,detail_suid_s,detail_compressedFileName_s,detail_malFamily_s,detail_correlationData_s,detail_eventDataProviderName_s,detail_eventDataProviderPath_s,detail_providerGUID_g,detail_providerName_s,detail_rawDataSize_d,detail_rawDataStr_s,detail_rt_d,detail_winEventId_d,detail_confidence_d,detail_detectionName_s,detail_detectionType_s,detail_fileCreation_t 
[UTC],detail_fileSize_d,detail_threatType_s,detail_act_s,detail_aggregatedCount_d,detail_behaviorCat_s,detail_bmGroup_s,detail_engineOperation_s,detail_instanceId_g,detail_policyId_s,detail_riskLevel_s,detail_ruleId_d,detail_actResult_s,detail_channel_s,detail_deviceGUID_g,detail_domainName_s,detail_dvchost_s,detail_endpointGUID_g,detail_engType_s,detail_engVer_s,detail_eventId_d,detail_eventName_s,detail_eventSubName_s,detail_fileHash_s,detail_fileName_s,detail_filePath_s,detail_firstAct_s,detail_firstActResult_s,detail_fullPath_s,detail_interestedIp_s,detail_logKey_s,detail_mDevice_s,detail_mDeviceGUID_g,detail_malDst_s,detail_malName_s,detail_malSubType_s,detail_malType_s,detail_mpname_s,detail_mpver_s,detail_pComp_s,detail_patVer_s,detail_rt_t [UTC],detail_rtDate_s,detail_rtHour_d,detail_rtWeekDay_s,detail_rt_utc_t [UTC],detail_ruleName_s,detail_scanType_s,detail_secondAct_s,detail_secondActResult_s,detail_senderGUID_g,detail_senderIp_s,detail_severity_d,detail_deviceType_s,detail_nativeDeviceCharacteristics_d,detail_nativeDeviceType_d,detail_nativeStorageDeviceBusType_d,detail_objectSubTrueType_d,detail_objectFirstSeen_d,detail_objectLastSeen_d,detail_objectRegType_d,detail_objectRegistryData_s,detail_objectRegistryKeyHandle_s,detail_objectRegistryRoot_d,detail_objectRegistryValue_s,detail_eventSourceType_s,xdrCustomerId_g,detectionTime_t [UTC],endpoint_name_s,endpoint_guid_g,endpoint_ips_s,filters_s,entityType_s,entityName_s,detail_endpointHostName_s,detail_endpointIp_s,detail_logonUser_s,detail_processFilePath_s,detail_processCmd_s,detail_eventSubId_s,detail_objectFilePath_s,detail_objectCmd_s,detail_tags_s,detail_endpointGuid_g,detail_authId_d,detail_endpointMacAddress_s,detail_eventHashId_d,detail_eventId_s,detail_eventTime_d,detail_eventTimeDT_t [UTC],detail_filterRiskLevel_s,detail_firstSeen_t [UTC],detail_integrityLevel_d,detail_lastSeen_t 
[UTC],detail_objectAuthId_d,detail_objectFileCreation_d,detail_objectFileHashId_d,detail_objectFileHashMd5_g,detail_objectFileHashSha1_s,detail_objectFileHashSha256_s,detail_objectFileModifiedTime_d,detail_objectFileSize_d,detail_objectHashId_d,detail_objectIntegrityLevel_d,detail_objectLaunchTime_d,detail_objectName_s,detail_objectPid_d,detail_objectRunAsLocalAccount_b,detail_objectSessionId_d,detail_objectSigner_s,detail_objectSignerValid_s,detail_objectTrueType_d,detail_objectUser_s,detail_objectUserDomain_s,detail_osDescription_s,detail_osName_s,detail_osType_s,detail_osVer_s,detail_parentAuthId_d,detail_parentCmd_s,detail_parentFileCreation_d,detail_parentFileHashId_d,detail_parentFileHashMd5_g,detail_parentFileHashSha1_s,detail_parentFileHashSha256_s,detail_parentFileModifiedTime_d,detail_parentFilePath_s,detail_parentFileSize_d,detail_parentHashId_d,detail_parentIntegrityLevel_d,detail_parentLaunchTime_d,detail_parentName_s,detail_parentPid_d,detail_parentSessionId_d,detail_parentSigner_s,detail_parentSignerValid_s,detail_parentTrueType_d,detail_parentUser_s,detail_parentUserDomain_s,detail_plang_d,detail_pname_s,detail_pplat_d,detail_processFileCreation_d,detail_processFileHashId_d,detail_processFileHashMd5_g,detail_processFileHashSha1_s,detail_processFileHashSha256_s,detail_processFileModifiedTime_d,detail_processFileSize_d,detail_processHashId_d,detail_processLaunchTime_d,detail_processName_s,detail_processPid_d,detail_processSigner_s,detail_processSignerValid_s,detail_processTrueType_d,detail_processUser_s,detail_processUserDomain_s,detail_productCode_s,detail_pver_s,detail_sessionId_d,detail_timezone_s,detail_userDomain_s,detail_uuid_g,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 9:15:27 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 8:49:49 AM",DESKTOP_--007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Net share was executed to display information about all resources shared on the local computer."",""highlightedObjects"":[{""field"":""objectCmd"",""type"":""command_line"",""value"":""net.exe share""}],""id"":""F4677"",""level"":""low"",""name"":""Network Share Discovery via Net share"",""tactics"":[""TA0007""],""techniques"":[""T1135""],""type"":""preset"",""unique_id"":""8d5bc15e-7946-40bb-bded-3fec6aab6d3e""},{""description"":""List the shared drives on the local system or remote system"",""highlightedObjects"":[{""field"":""objectCmd"",""type"":""command_line"",""value"":""net.exe share""}],""id"":""F2201"",""level"":""low"",""name"":""Network Share Discovery Via NET Commandline"",""tactics"":[""TA0007""],""techniques"":[""T1135""],""type"":""preset"",""unique_id"":""6644aca6-ef14-46fc-8ac1-7895880df4ae""},{""description"":""List of computers, domains or resources in current domain"",""highlightedObjects"":[{""field"":""objectCmd"",""master"":true,""type"":""command_line"",""value"":""net.exe share""},{""field"":""objectFilePath"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\net.exe""},{""field"":""processCmd"",""type"":""command_line"",""value"":""C:\\Windows\\system32\\cmd.exe /c net.exe share""},{""field"":""processFilePath"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\cmd.exe""}],""id"":""F1798"",""level"":""low"",""name"":""Remote System 
Discovery"",""tactics"":[""TA0002"",""TA0007""],""techniques"":[""T1018"",""T1059"",""T1135""],""type"":""preset"",""unique_id"":""c94971c6-da34-441c-b50d-cecefbc01e9d""}]",endpoint,"DESKTOP_--007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,2401:4900:3610:9372:5ba3:5cb6:327d:be9a,2401:4900:3610:9372:fd36:42ba:56c9:e43f,fe80::ae56:7be8:236b:799d,172.20.10.2,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP_--007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\cmd.exe,C:\Windows\system32\cmd.exe /c net.exe share,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\net.exe,net.exe share,"[""MITRE.T1135"",""XSAE.F4677"",""XSAE.F2201"",""MITRE.T1018"",""XSAE.F1798"",""MITRE.T1059"",""ATTACK.G0010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",1.25928E+18,TELEMETRY_PROCESS,1688978989077,"7/10/2023, 8:49:49 AM",low,"7/10/2023, 8:49:49 AM",16384,"7/10/2023, 8:49:49 AM",999,1651900802636,7.9754E+18,bb1ae49b-6b7c-5349-9e94-613761a6ac56,76866dde54ee3fa5bc8efefb9d44e6bf859973aa,afbe51517092256504f797f6a5abc02515a09d603e8c046ae31d7d7855568e91,1651900802636,81920,7.80486E+18,16384,1688978989071,C:\Windows\System32\net.exe,4364,FALSE,0,"[""Microsoft Windows""]",[true],7,SYSTEM,NT AUTHORITY,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560346388,4.78232E+18,5a6be4d2-5195-1524-1d0c-133a26cf62c0,13e9bb7e85ff9b08c26a440412e5cd5d296c4d35,423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb,1688560346394,323584,6.61005E+18,1688978989024,C:\Windows\System32\cmd.exe,14240,"[""Microsoft Windows""]",[true],7,SYSTEM,NT 
AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP_--007""]",a2b277a0-e261-4c06-a5e2-5c3919a70e1d,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/12/2023, 7:21:08 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/12/2023, 12:45:08 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,TELEMETRY_PROCESS_CREATE,C:\Program 
Files\WindowsApps\Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe\SnippingTool\SnippingTool.exe,"""C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe\SnippingTool\SnippingTool.exe"" ms-screensketch:edit?&source=Toast&sharedAccessToken=219A1DEE-7BEC-454B-987F-C6C1737B1B9C&secondarySharedAccessToken=AF453BB3-C6A7-4835-8FC3-A13B7548B4B8&isTemporary=false&saved=true","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",-8.52728E+18,TELEMETRY_PROCESS,1689165908252,"7/12/2023, 12:45:08 PM",low,"7/12/2023, 12:45:08 PM",16384,"7/12/2023, 12:45:08 PM",3434568,1688560138079,2.98418E+18,3afc4b82-9307-e689-e37c-a037719cf75a,78742d200f7699e9e2e01e24b91f03c5a59d8378,dac46a37d2ad8fe1b31f290ceeba9560f8e7bb9648dc8285d1d1e2d96e9799e1,1688560162322,1182208,1.11901E+18,8192,1689165908217,C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2303.17.0_x64__8wekyb3d8bbwe\SnippingTool\SnippingTool.exe,20732,FALSE,1,,,7,Crest,CLO007,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,3.81383E+18,1689150808051,C:\Windows\System32\svchost.exe,4724,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT 
AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",eda05d0b-5821-4fd2-a212-ba22ff4942ff,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/13/2023, 5:45:47 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 5:25:34 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Schedule,TELEMETRY_PROCESS_CREATE,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,"""C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",-3.49448E+18,TELEMETRY_PROCESS,1689225934625,"7/13/2023, 5:25:34 AM",low,"7/13/2023, 5:25:35 AM",16384,"7/13/2023, 5:25:35 AM",3434568,1688604770265,6.22713E+18,1f53141e-8051-d6ca-7545-dcb0f42c99a5,579574aaf2cf9d91e480129829f660213373f070,48d9e16fcac51fb4e586e4e3125bf4a788bdbc5f699a88028dcd638638b863c5,1688988028222,4125560,6.88483E+17,8192,1689225934610,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,15064,FALSE,1,"[""Microsoft Corporation""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",d8cf9a41-cbe4-46ec-9f02-5ba2551893fb,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/13/2023, 5:45:48 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 5:19:47 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",-2.64278E+17,TELEMETRY_PROCESS,1689225587844,"7/13/2023, 5:19:47 AM",low,"7/13/2023, 5:19:48 AM",16384,"7/13/2023, 5:19:48 AM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,-8.65663E+18,16384,1689225587851,C:\Windows\System32\appidcertstorecheck.exe,14800,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",6f85575d-a07a-44b7-b81d-e7a180f86204,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/13/2023, 5:45:48 
AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 5:20:47 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s 
Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",2.89913E+18,TELEMETRY_PROCESS,1689225647927,"7/13/2023, 5:20:47 AM",low,"7/13/2023, 5:20:48 AM",16384,"7/13/2023, 5:20:48 AM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,-7.21997E+18,16384,1689225647924,C:\Windows\System32\appidcertstorecheck.exe,11660,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",f682931b-e167-4f9b-957f-f555d5ad04e6,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/7/2023, 2:20:23 
PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/7/2023, 1:56:55 PM",DESKTOP_--007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Identify system hostname for Windows."",""highlightedObjects"":[{""field"":""objectCmd"",""type"":""command_line"",""value"":""hostname""}],""id"":""F1920"",""level"":""low"",""name"":""Hostname Discovery (Windows)"",""tactics"":[""TA0007""],""techniques"":[""T1082""],""type"":""preset"",""unique_id"":""ef6c473b-ba82-43c9-b866-c572d219f696""}]",endpoint,"DESKTOP_--007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP_--007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\cmd.exe,"""C:\Windows\system32\cmd.exe"" ",TELEMETRY_PROCESS_CREATE,C:\Windows\System32\HOSTNAME.EXE,hostname,"[""XSAE.F1920"",""MITRE.T1082""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,1174357,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",6.71948E+18,TELEMETRY_PROCESS,1688738215950,"7/7/2023, 1:56:55 PM",low,"7/7/2023, 1:56:56 PM",8192,"7/7/2023, 1:56:56 
PM",1174357,1651900802714,8.11844E+18,26867c73-1cf9-4931-3f11-8fa0911789cb,bca0e9be08895fb35f15c5670ae88af3668a9291,193d56937965c2eecc6556619cac6b6ce7adb1827d12830bfed1a7b038288613,1651900802714,36864,1.97421E+18,8192,1688738215916,C:\Windows\System32\HOSTNAME.EXE,16752,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,1174357,C:\Windows\Explorer.EXE,1688563643427,1.76711E+18,5c0d8772-fd64-4b53-1efe-2a6ad639c54e,4b77878925d2e7ca9d5ebdd2ce48f9acfb221cc0,ecf234737d25c207b6f7f96c0db62b8ede40f1774ef02eaab205368af974b4fb,1688563643615,C:\Windows\explorer.exe,5071344,-1.35037E+18,8192,1688736546142,C:\Windows\explorer.exe,3864,1,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,1,751,5889,1688560346388,4.78232E+18,5a6be4d2-5195-1524-1d0c-133a26cf62c0,13e9bb7e85ff9b08c26a440412e5cd5d296c4d35,423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb,1688560346394,323584,-7.92105E+18,1688738212779,C:\Windows\System32\cmd.exe,12968,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,xes,1.2.0.4110,1,UTC+05:30,"[""DESKTOP_--007""]",3965f671-be07-4fdd-983f-f5090be5dc9f,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/7/2023, 5:46:31 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"2/22/2023, 6:00:20 AM",MSEDGEWIN10,fbc58859-5e6b-4912-a6af-4492d6dfdcdc,"[""fefe::efef"",""10.1.2.0""]","[{""id"":""F3965"",""unique_id"":""4574679d-50ee-4422-ba27-0ff86743c5e9"",""level"":""medium"",""name"":""Demo - Copying Of NTDS File"",""description"":""A copy operation of ntds.dit file for possible credential 
dumping"",""tactics"":[""TA0006""],""techniques"":[""T1003.003"",""T1003.002""],""highlightedObjects"":[{""field"":""objectCmd"",""type"":""command_line"",""value"":""C:\\Windows\\System32\\cmd.exe /c echo \""copy C:\\Windows\\NTDS\\ntds.dit C:\\trend-micro-test\\ntds.dit\""""}]}]",endpoint,MSEDGEWIN10,MSEDGEWIN10,"[""10.211.55.36""]","[""IEUser""]",C:\Windows\System32\cmd.exe,"C:\Windows\System32\cmd.exe /c """"C:\test\T1003_Demo_Script\T1003_Demo_Script.bat"" """,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\cmd.exe,"C:\Windows\System32\cmd.exe /c echo ""copy C:\Windows\NTDS\ntds.dit C:\trend-micro-test\ntds.dit""","[""MITREV9.T1003.003"",""MITRE.T1003"",""MITREV9.T1003.002"",""BAS.TMDEMOKIT"",""XSAE.F3965""]",fbc58859-5e6b-4912-a6af-4492d6dfdcdc,386293,"[""00:16:00:00:d3:bd""]",4.41813E+18,TELEMETRY_PROCESS,1677045620000,"2/22/2023, 6:00:20 AM",medium,"2/22/2023, 6:00:20 AM",8192,"2/22/2023, 6:00:20 AM",386293,1536996518122,4.78232E+18,0d088f5b-cfa8-f086-fba1-63647cd80cab,08cc2e8dca652bdda1acca9c446560d4bc1bcdf9,9023f8aaeda4a1da45ac477a81b5bbe4128e413f19a0abfa3715465ad66ed5cd,1536996518122,278528,-2.14684E+18,8192,1677045620,C:\Windows\System32\cmd.exe,9500,FALSE,1,"[""Microsoft Windows""]",[true],7,IEUser,MSEDGEWIN10,Windows 10 Enterprise Evaluation (64 bit) build 17763,Windows,0x00000048,10.0.17763,386293,C:\Windows\Explorer.EXE,1553132717182,1.76711E+18,2f62005f-cea7-430b-b871-a56f7700f81c,3eb9d6f8f4448cb1fd6478189edebe3d70477ea7,b759293373a11d1a972873a902bc64b2c9690ab947ce4a185cd047195521296d,1553132717263,C:\Windows\explorer.exe,4245280,-2.92175E+18,8192,1677045620,C:\Windows\explorer.exe,5368,1,"[""Microsoft Windows""]",[true],7,IEUser,MSEDGEWIN10,1,751,5889,1536996518122,4.78232E+18,0d088f5b-cfa8-f086-fba1-63647cd80cab,08cc2e8dca652bdda1acca9c446560d4bc1bcdf9,9023f8aaeda4a1da45ac477a81b5bbe4128e413f19a0abfa3715465ad66ed5cd,1536996518122,278528,-6.63365E+17,1677045620,C:\Windows\System32\cmd.exe,3612,"[""Microsoft 
Windows""]",[true],7,IEUser,MSEDGEWIN10,xes,1.1.0.1762,1,UTC+08:00,"[""MSEDGEWIN10""]",76c2fafc-e810-46cd-a7db-dd4169c2d69a,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/7/2023, 1:25:36 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/7/2023, 1:05:50 PM",DESKTOP_--007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Identify system hostname for Windows."",""highlightedObjects"":[{""field"":""objectCmd"",""type"":""command_line"",""value"":""hostname""}],""id"":""F1920"",""level"":""low"",""name"":""Hostname Discovery (Windows)"",""tactics"":[""TA0007""],""techniques"":[""T1082""],""type"":""preset"",""unique_id"":""ef6c473b-ba82-43c9-b866-c572d219f696""}]",endpoint,"DESKTOP_--007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP_--007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\cmd.exe,"""C:\Windows\system32\cmd.exe"" ",TELEMETRY_PROCESS_CREATE,C:\Windows\System32\HOSTNAME.EXE,hostname,"[""XSAE.F1920"",""MITRE.T1082""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,1795229,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",2.15203E+18,TELEMETRY_PROCESS,1688735150847,"7/7/2023, 1:05:50 PM",low,"7/7/2023, 1:05:51 PM",8192,"7/7/2023, 1:05:51 
PM",1795229,1651900802714,8.11844E+18,26867c73-1cf9-4931-3f11-8fa0911789cb,bca0e9be08895fb35f15c5670ae88af3668a9291,193d56937965c2eecc6556619cac6b6ce7adb1827d12830bfed1a7b038288613,1651900802714,36864,-7.21647E+18,8192,1688735150843,C:\Windows\System32\HOSTNAME.EXE,8144,FALSE,2,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,1795229,C:\Windows\Explorer.EXE,1688563643427,1.76711E+18,5c0d8772-fd64-4b53-1efe-2a6ad639c54e,4b77878925d2e7ca9d5ebdd2ce48f9acfb221cc0,ecf234737d25c207b6f7f96c0db62b8ede40f1774ef02eaab205368af974b4fb,1688563643615,C:\Windows\explorer.exe,5071344,7.06878E+18,8192,1688724154256,C:\Windows\explorer.exe,4112,2,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,1,751,5889,1688560346388,4.78232E+18,5a6be4d2-5195-1524-1d0c-133a26cf62c0,13e9bb7e85ff9b08c26a440412e5cd5d296c4d35,423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb,1688560346394,323584,3.32939E+18,1688735146288,C:\Windows\System32\cmd.exe,4052,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP_--007,xes,1.2.0.4110,2,UTC+05:30,"[""DESKTOP_--007""]",b874d6a9-422b-46f2-8655-5b5a6fa48b50,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:38:44 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 11:22:33 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe KEYROAMING,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",7.26656E+18,TELEMETRY_PROCESS,1689247353302,"7/13/2023, 11:22:33 AM",low,"7/13/2023, 11:22:33 AM",16384,"7/13/2023, 11:22:33 AM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,-5.74269E+18,8192,1689247353295,C:\Windows\System32\taskhostw.exe,8536,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",c6bb1924-8fcf-47b9-8cbb-68bec28a0168,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:38:44 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 11:22:41 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL 
SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",8.40174E+18,TELEMETRY_PROCESS,1689247361150,"7/13/2023, 11:22:41 AM",low,"7/13/2023, 11:22:41 AM",16384,"7/13/2023, 11:22:41 AM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,1.42463E+17,16384,1689247361148,C:\Windows\System32\appidcertstorecheck.exe,15068,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",283237c2-c986-45ff-9c46-25041c48985e,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:38:48 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 11:27:48 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL 
SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",3.52103E+18,TELEMETRY_PROCESS,1689247668299,"7/13/2023, 11:27:48 AM",low,"7/13/2023, 11:27:48 AM",16384,"7/13/2023, 11:27:48 AM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,-7.31387E+18,16384,1689247668300,C:\Windows\System32\appidcertstorecheck.exe,5160,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",d16d5710-c2df-45a8-a88c-e880b30fef0a,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:35 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:23:56 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,"""C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",5.36407E+18,TELEMETRY_PROCESS,1689251036531,"7/13/2023, 12:23:56 PM",low,"7/13/2023, 12:23:57 PM",16384,"7/13/2023, 12:23:57 PM",3434568,1688604770265,6.22713E+18,1f53141e-8051-d6ca-7545-dcb0f42c99a5,579574aaf2cf9d91e480129829f660213373f070,48d9e16fcac51fb4e586e4e3125bf4a788bdbc5f699a88028dcd638638b863c5,1688988028222,4125560,-6.21488E+18,8192,1689251036519,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,13696,FALSE,1,"[""Microsoft Corporation""]",[true],7,Crest,CLO007,Windows 10 Pro (64 
bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",447e7649-1ff1-480a-b1cd-2cb0f12e90ec,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:35 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:25:16 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL 
SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",3.00863E+18,TELEMETRY_PROCESS,1689251116732,"7/13/2023, 12:25:16 PM",low,"7/13/2023, 12:25:17 PM",16384,"7/13/2023, 12:25:17 PM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,-3.29187E+18,16384,1689251116723,C:\Windows\System32\appidcertstorecheck.exe,15196,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",a8d2326a-bb13-4c71-9b56-0c41c08e5e9a,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:37 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:29:08 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""LOCAL 
SERVICE""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\appidcertstorecheck.exe,"""C:\Windows\system32\appidcertstorecheck.exe""","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",-5.90356E+18,TELEMETRY_PROCESS,1689251348787,"7/13/2023, 12:29:08 PM",low,"7/13/2023, 12:29:09 PM",16384,"7/13/2023, 12:29:09 PM",997,1688560364115,-5.73786E+17,046dbdef-295f-4439-7ae2-b578bdf39e02,a75d2f06891c443709ab5a832626bf78bb79de24,109d7fa51e3ebb2dd1c64251e65cca782bff45d811f73f7dee3708ddad726833,1688560364119,77824,9.12735E+18,16384,1689251348787,C:\Windows\System32\appidcertstorecheck.exe,17240,FALSE,0,"[""Microsoft Windows""]",[true],7,LOCAL SERVICE,NT AUTHORITY,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",a0234857-ebce-47c9-8e2a-051a0e30a57e,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:51:21 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 10:32:14 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe KEYROAMING,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",8.91641E+18,TELEMETRY_PROCESS,1689244334784,"7/13/2023, 10:32:14 AM",low,"7/13/2023, 10:32:15 AM",16384,"7/13/2023, 10:32:15 AM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,2.78831E+18,8192,1689244334778,C:\Windows\System32\taskhostw.exe,1472,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",88d887c5-c963-4480-add6-975ca5d11177,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:51:21 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 10:33:25 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",4.32579E+18,TELEMETRY_PROCESS,1689244405013,"7/13/2023, 10:33:25 AM",low,"7/13/2023, 10:33:25 AM",16384,"7/13/2023, 10:33:25 AM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,-1.8455E+17,8192,1689244405020,C:\Windows\System32\taskhostw.exe,16944,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",cc834a45-19e1-44dc-87e3-3105555926d5,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:38:46 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 11:37:54 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe KEYROAMING,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",1.80911E+17,TELEMETRY_PROCESS,1689248274522,"7/13/2023, 11:37:54 AM",low,"7/13/2023, 11:37:55 AM",16384,"7/13/2023, 11:37:55 AM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,1.78899E+18,8192,1689248274518,C:\Windows\System32\taskhostw.exe,13588,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",9d84a042-d7ce-4f54-9f34-8fc0d9fbb123,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:33 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:18:01 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe KEYROAMING,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",1.63815E+18,TELEMETRY_PROCESS,1689250681959,"7/13/2023, 12:18:01 PM",low,"7/13/2023, 12:18:02 PM",16384,"7/13/2023, 12:18:02 PM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,-4.30997E+18,8192,1689250681958,C:\Windows\System32\taskhostw.exe,18676,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",ed513114-d91e-4824-a182-701534dab091,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:33 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:18:04 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Windows\System32\taskhostw.exe,taskhostw.exe KEYROAMING,"[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",7.44225E+18,TELEMETRY_PROCESS,1689250684699,"7/13/2023, 12:18:04 PM",low,"7/13/2023, 12:18:05 PM",16384,"7/13/2023, 12:18:05 PM",3434568,1688560329966,-5.6427E+16,4887a65f-d4f6-598a-f498-6cbc1c0e5488,0882f3f9947405bb80c2e830adf69af85c9b51c7,82472a84bcbb4009add338200f8e853fe4c5eafe2e2c3a2d711b85bf29b72d54,1688560329967,113000,-3.71403E+18,8192,1689250684699,C:\Windows\System32\taskhostw.exe,21260,FALSE,1,"[""Microsoft Windows""]",[true],7,Crest,CLO007,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",b6d9bd52-ef4c-41c5-aca2-f099255a121e,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/14/2023, 6:40:33 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/13/2023, 12:20:32 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""A new process was executed under a different user, potentially in an attempt to escalate priviledge or bypass access control via 
service"",""highlightedObjects"":[{""field"":""processFilePath"",""master"":true,""riskLevel"":""low"",""type"":""fullpath"",""value"":""C:\\Windows\\System32\\svchost.exe""},{""field"":""objectUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""Crest""},{""field"":""processUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":""SYSTEM""}],""id"":""F6612"",""level"":""low"",""name"":""Process Execution under a Different User via Service"",""tactics"":[""TA0002""],""techniques"":[""T1569.002""],""type"":""preset"",""unique_id"":""84741ba8-aca7-49f1-9503-a58ea8a931d4""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,192.168.5.46,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,TELEMETRY_PROCESS_CREATE,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,"""C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"" /reporting","[""MITRE.T1569.002"",""XSAE.F6612""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",3.72769E+18,TELEMETRY_PROCESS,1689250832561,"7/13/2023, 12:20:32 PM",low,"7/13/2023, 12:20:33 PM",16384,"7/13/2023, 12:20:33 PM",3434568,1688604770265,6.22713E+18,1f53141e-8051-d6ca-7545-dcb0f42c99a5,579574aaf2cf9d91e480129829f660213373f070,48d9e16fcac51fb4e586e4e3125bf4a788bdbc5f699a88028dcd638638b863c5,1688988028222,4125560,8.09122E+18,8192,1689250832560,C:\Users\Crest\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe,17100,FALSE,1,"[""Microsoft Corporation""]",[true],7,Crest,CLO007,Windows 
10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\services.exe,1688560359581,-4.09258E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,C:\Windows\System32\services.exe,757576,-3.41135E+18,16384,1689148340717,C:\Windows\System32\services.exe,1240,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900770237,-8.21808E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,79920,7.53014E+18,1689148341501,C:\Windows\System32\svchost.exe,2976,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",b945da7d-b79a-447b-a8af-b31bfaa3ae24,TrendMicro_XDR_OAT_CL,
\ No newline at end of file
diff --git a/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_IngestedLogs.csv b/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_IngestedLogs.csv
new file mode 100644
index 00000000000..7f3302b0306
--- /dev/null
+++ b/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_IngestedLogs.csv
@@ -0,0 +1,21 @@
+TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,detail_compressedFileName_s,detail_malFamily_s,detail_correlationData_s,detail_eventDataProviderName_s,detail_eventDataProviderPath_s,detail_providerGUID_g,detail_providerName_s,detail_rawDataSize_d,detail_rawDataStr_s,detail_rt_d,detail_winEventId_d,detail_confidence_d,detail_detectionName_s,detail_detectionType_s,detail_fileCreation_t [UTC],detail_fileSize_d,detail_threatType_s,detail_act_s,detail_aggregatedCount_d,detail_behaviorCat_s,detail_bmGroup_s,detail_engineOperation_s,detail_instanceId_g,detail_policyId_s,detail_riskLevel_s,detail_ruleId_d,detail_actResult_s,detail_channel_s,detail_deviceGUID_g,detail_domainName_s,detail_dvchost_s,detail_endpointGUID_g,detail_engType_s,detail_engVer_s,detail_eventId_d,detail_eventName_s,detail_eventSubName_s,detail_fileHash_s,detail_fileName_s,detail_filePath_s,detail_firstAct_s,detail_firstActResult_s,detail_fullPath_s,detail_interestedIp_s,detail_logKey_s,detail_mDevice_s,detail_mDeviceGUID_g,detail_malDst_s,detail_malName_s,detail_malSubType_s,detail_malType_s,detail_mpname_s,detail_mpver_s,detail_pComp_s,detail_patVer_s,detail_rt_t [UTC],detail_rtDate_s,detail_rtHour_d,detail_rtWeekDay_s,detail_rt_utc_t [UTC],detail_ruleName_s,detail_scanType_s,detail_secondAct_s,detail_secondActResult_s,detail_senderGUID_g,detail_senderIp_s,detail_severity_d,detail_deviceType_s,detail_nativeDeviceCharacteristics_d,detail_nativeDeviceType_d,detail_nativeStorageDeviceBusType_d,detail_objectSubTrueType_d,detail_objectFirstSeen_d,detail_objectLastSeen_d,detail_objectRegType_d,detail_objectRegistryData_s,detail_objectRegistryKeyHandle_s,detail_objectRegistryRoot_d,detail_objectRegistryValue_s,detail_eventSourceType_s,xdrCustomerId_g,detectionTime_t 
[UTC],endpoint_name_s,endpoint_guid_g,endpoint_ips_s,filters_s,entityType_s,entityName_s,detail_endpointHostName_s,detail_endpointIp_s,detail_logonUser_s,detail_processFilePath_s,detail_processCmd_s,detail_eventSubId_s,detail_objectFilePath_s,detail_objectCmd_s,detail_tags_s,detail_endpointGuid_g,detail_authId_d,detail_endpointMacAddress_s,detail_eventHashId_d,detail_eventId_s,detail_eventTime_d,detail_eventTimeDT_t [UTC],detail_filterRiskLevel_s,detail_firstSeen_t [UTC],detail_integrityLevel_d,detail_lastSeen_t [UTC],detail_objectAuthId_d,detail_objectFileCreation_d,detail_objectFileHashId_d,detail_objectFileHashMd5_g,detail_objectFileHashSha1_s,detail_objectFileHashSha256_s,detail_objectFileModifiedTime_d,detail_objectFileSize_d,detail_objectHashId_d,detail_objectIntegrityLevel_d,detail_objectLaunchTime_d,detail_objectName_s,detail_objectPid_d,detail_objectRunAsLocalAccount_b,detail_objectSessionId_d,detail_objectSigner_s,detail_objectSignerValid_s,detail_objectTrueType_d,detail_objectUser_s,detail_objectUserDomain_s,detail_osDescription_s,detail_osName_s,detail_osType_s,detail_osVer_s,detail_parentAuthId_d,detail_parentCmd_s,detail_parentFileCreation_d,detail_parentFileHashId_d,detail_parentFileHashMd5_g,detail_parentFileHashSha1_s,detail_parentFileHashSha256_s,detail_parentFileModifiedTime_d,detail_parentFilePath_s,detail_parentFileSize_d,detail_parentHashId_d,detail_parentIntegrityLevel_d,detail_parentLaunchTime_d,detail_parentName_s,detail_parentPid_d,detail_parentSessionId_d,detail_parentSigner_s,detail_parentSignerValid_s,detail_parentTrueType_d,detail_parentUser_s,detail_parentUserDomain_s,detail_plang_d,detail_pname_s,detail_pplat_d,detail_processFileCreation_d,detail_processFileHashId_d,detail_processFileHashMd5_g,detail_processFileHashSha1_s,detail_processFileHashSha256_s,detail_processFileModifiedTime_d,detail_processFileSize_d,detail_processHashId_d,detail_processLaunchTime_d,detail_processName_s,detail_processPid_d,detail_processSigner_s,detail_proces
sSignerValid_s,detail_processTrueType_d,detail_processUser_s,detail_processUserDomain_s,detail_productCode_s,detail_pver_s,detail_sessionId_d,detail_timezone_s,detail_userDomain_s,detail_uuid_g,Type,_ResourceId +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/21/2023, 8:40:50 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1689927727960,1689927727960,1,C:\Program Files\Google\Drive File Stream\78.0.1.0\GoogleDriveFS.exe --startup_mode,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,2,googledrivefs,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/21/2023, 8:22:07 AM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Uncommon Run/RunOnce Registry Entry Creation"",""highlightedObjects"":[{""field"":""objectRegistryKeyHandle"",""master"":true,""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run""},{""field"":""objectRegistryData"",""type"":""registry_value_data"",""value"":""C:\\Program Files\\Google\\Drive File Stream\\78.0.1.0\\GoogleDriveFS.exe --startup_mode""},{""field"":""objectRegistryValue"",""type"":""registry_value"",""value"":""googledrivefs""},{""field"":""processCmd"",""riskLevel"":""low"",""type"":""command_line"",""value"":""\""C:\\Program Files (x86)\\Google\\Update\\Install\\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\\setup.exe\"" /quiet /norestart MSI_UILEVEL=2 ""}],""id"":""D0007"",""level"":""low"",""name"":""Uncommon Run/RunOnce Registry Entry Creation"",""tactics"":[""TA0003"",""TA0004""],""techniques"":[""T1547.001""],""type"":""preset"",""unique_id"":""34e8005e-485c-42b6-8f5b-4bbd7c5b50d7""},{""description"":""An autostart registry key was created in the system."",""highlightedObjects"":[{""field"":""endpointHostName"",""type"":""text"",""value"":""CLO007""},{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""C:\\Program Files\\Google\\Drive File 
Stream\\78.0.1.0\\GoogleDriveFS.exe --startup_mode""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""googledrivefs""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run""}],""id"":""F1002"",""level"":""low"",""name"":""Auto-start Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1547.001""],""type"":""preset"",""unique_id"":""60305696-c02a-418e-b590-019e0c1fe464""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,172.20.240.235,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]",,C:\Program Files (x86)\Google\Update\Install\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\setup.exe,"""C:\Program Files (x86)\Google\Update\Install\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\setup.exe"" /quiet /norestart MSI_UILEVEL=2 ",TELEMETRY_REGISTRY_SET,,,"[""XSAE.D0007"",""MITRE.T1112"",""MITRE.T1547.001"",""XSAE.F1002"",""ATTACK.G0010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:18""]",-1.00E+18,TELEMETRY_REGISTRY,1689927727960,"7/21/2023, 8:22:07 AM",low,"7/21/2023, 8:22:08 AM",16384,"7/21/2023, 8:22:08 AM",,,,,,,,,8.53E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /svc",1688559976840,4.19E+18,5722709c-b676-e5b6-f247-3943f9e71632,f825840cb4ac0427340e407598ae4ab558dd7453,0c48c63acec1892ecf03ab327d6584adfe084e8470d165a91f793d7c28f70eeb,1688559966914,C:\Program Files 
(x86)\Google\Update\GoogleUpdate.exe,162072,-4.11E+18,16384,1689914856423,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe,19124,0,"[""Google LLC""]",[true],7,SYSTEM,NT AUTHORITY,1,,5889,1689914915926,-4.18E+17,,,,1689914905388,332718872,6.95E+18,1689914928671,C:\Program Files (x86)\Google\Update\Install\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\setup.exe,3316,,,7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,,2b7e7f38-785d-4047-9d2f-636d0d4be0fd,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:47 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688991193134,1688991193134,2,\SystemRoot\system32\DRIVERS\tbimdsa.sys,HKLM\SYSTEM\CurrentControlSet\Services\tbimdsa,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:13:13 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\SystemRoot\\system32\\DRIVERS\\tbimdsa.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\tbimdsa""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",5.33E+18,TELEMETRY_REGISTRY,1688991193134,"7/10/2023, 12:13:13 PM",low,"7/10/2023, 12:13:13 PM",16384,"7/10/2023, 12:13:13 PM",,,,,,,,,-2.65E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",65ba7925-18b1-420f-aa7b-27a363a4b778,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:47 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688991193344,1688991193344,2,"""C:\Program Files (x86)\Trend Micro\iService\iVP\iVPAgent.exe"" -service",HKLM\SYSTEM\CurrentControlSet\Services\iVPAgent,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:13:13 
PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\iService\\iVP\\iVPAgent.exe\"" -service""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\iVPAgent""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-1.86E+18,TELEMETRY_REGISTRY,1688991193344,"7/10/2023, 12:13:13 PM",low,"7/10/2023, 12:13:13 PM",16384,"7/10/2023, 12:13:13 PM",,,,,,,,,7.84E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",a0748545-ec4b-41a4-af5a-58cf59be9a34,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:47 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688991236123,1688991236123,2,system32\DRIVERS\AcDriver.sys,HKLM\SYSTEM\CurrentControlSet\Services\AcDriver,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:13:56 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""system32\\DRIVERS\\AcDriver.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriver""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",9.03E+17,TELEMETRY_REGISTRY,1688991236123,"7/10/2023, 12:13:56 PM",low,"7/10/2023, 12:13:56 PM",16384,"7/10/2023, 12:13:56 PM",,,,,,,,,-1.62E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",d9700de8-9e94-4559-ade1-ceec71ec2db9,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:47 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688991236282,1688991236282,2,\SystemRoot\system32\DRIVERS\AcDriverHelper.sys,HKLM\SYSTEM\CurrentControlSet\Services\AcDriverHelper,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:13:56 
PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\SystemRoot\\system32\\DRIVERS\\AcDriverHelper.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriverHelper""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",3.35E+18,TELEMETRY_REGISTRY,1688991236282,"7/10/2023, 12:13:56 PM",low,"7/10/2023, 12:13:56 PM",16384,"7/10/2023, 12:13:56 PM",,,,,,,,,2.92E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",8ca63d1b-1c0b-434e-b1a0-16ee6515d967,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:47 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688991236283,1688991236283,2,"""C:\Program Files (x86)\Trend Micro\iService\iAC\ac_bin\TMiACAgentSvc.exe"" --mode SVC --sc --l DEBUG",HKLM\SYSTEM\CurrentControlSet\Services\TMiACAgentSvc,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:13:56 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\iService\\iAC\\ac_bin\\TMiACAgentSvc.exe\"" --mode SVC --sc --l DEBUG""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACAgentSvc""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-3.04E+18,TELEMETRY_REGISTRY,1688991236283,"7/10/2023, 12:13:56 PM",low,"7/10/2023, 12:13:56 PM",16384,"7/10/2023, 12:13:56 PM",,,,,,,,,-1.35E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",22d06385-f446-439a-98cd-5db330bd63d7,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:48 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688990642296,1688990642296,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\CCSF\TmCCSF.exe"" -1",HKLM\SYSTEM\CurrentControlSet\Services\TmCCSF,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:04:02 
PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\"" -1""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",3.96E+18,TELEMETRY_REGISTRY,1688990642296,"7/10/2023, 12:04:02 PM",low,"7/10/2023, 12:04:02 PM",16384,"7/10/2023, 12:04:02 PM",,,,,,,,,6.70E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",e4b5917a-6524-4451-b2a7-fbe359498bf1,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:48 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688990642296,1688990642296,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\CCSF\TmCCSF.exe""",HKLM\SYSTEM\CurrentControlSet\Services\TmCCSF,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:04:02 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\""""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-1.81E+17,TELEMETRY_REGISTRY,1688990642296,"7/10/2023, 12:04:02 PM",low,"7/10/2023, 12:04:02 PM",16384,"7/10/2023, 12:04:02 PM",,,,,,,,,-6.87E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",bd4bd445-d738-4fa5-9708-8fe8fede53f9,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:48 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688990720313,1688990720313,2,%SystemRoot%\system32\dgagent\DSAGENT.exe,HKLM\SYSTEM\CurrentControlSet\Services\DSASvc,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:05:20 
PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""%SystemRoot%\\system32\\dgagent\\DSAGENT.exe""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\DSASvc""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",1.26E+17,TELEMETRY_REGISTRY,1688990720313,"7/10/2023, 12:05:20 PM",low,"7/10/2023, 12:05:20 PM",16384,"7/10/2023, 12:05:20 PM",,,,,,,,,-6.31E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",f7e011a9-28e7-44cc-a2dd-2be0fb1b0e91,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 12:30:48 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688990720351,1688990720351,2,system32\drivers\sakfile.sys,HKLM\SYSTEM\CurrentControlSet\Services\SAKFile,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 12:05:20 PM",CLO007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""system32\\drivers\\sakfile.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SAKFile""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",CLO007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-8.64E+18,TELEMETRY_REGISTRY,1688990720351,"7/10/2023, 12:05:20 PM",low,"7/10/2023, 12:05:20 PM",16384,"7/10/2023, 12:05:20 PM",,,,,,,,,5.02E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,4.12E+18,1688989886343,C:\Windows\System32\services.exe,708,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""CLO007""]",05f114fa-3ea2-4a11-b439-3fa23f3c0197,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:40:34 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688988137810,1688988137810,2,\??\C:\ProgramData\Microsoft\Windows Defender\Definition 
Updates\{05847FDD-290D-4477-8F4F-32857B1105F1}\MpKslDrv.sys,HKLM\SYSTEM\CurrentControlSet\Services\MpKsl187af448,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:22:17 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl187af448""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-1.87E+18,TELEMETRY_REGISTRY,1688988137810,"7/10/2023, 11:22:17 AM",low,"7/10/2023, 
11:22:18 AM",16384,"7/10/2023, 11:22:18 AM",,,,,,,,,-8.18E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,-4.26E+18,1688987978405,C:\Windows\System32\services.exe,1052,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",85317a2e-491f-42ac-b0cf-9b2e1e9dbf27,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:40:37 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987928253,1688987928253,2,\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BB504FFE-54D3-410B-AB9A-7E5DA82763CA}\MpKslDrv.sys,HKLM\SYSTEM\CurrentControlSet\Services\MpKsl5369ff9d,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:18:48 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{BB504FFE-54D3-410B-AB9A-7E5DA82763CA}\\MpKslDrv.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl5369ff9d""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",4.30E+18,TELEMETRY_REGISTRY,1688987928253,"7/10/2023, 11:18:48 AM",low,"7/10/2023, 11:18:48 AM",16384,"7/10/2023, 11:18:48 AM",,,,,,,,,-5.71E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,6.00E+18,1688966689341,C:\Windows\System32\services.exe,1380,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",766c5ae6-f9f5-4809-943f-aee55e6720c7,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:40:37 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987943149,1688987943149,2,\??\C:\ProgramData\Microsoft\Windows Defender\Definition 
Updates\{3B713FD4-674D-4CFF-A5F2-C553AF804E4A}\MpKslDrv.sys,HKLM\SYSTEM\CurrentControlSet\Services\MpKsl17f86b97,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:19:03 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{3B713FD4-674D-4CFF-A5F2-C553AF804E4A}\\MpKslDrv.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl17f86b97""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",2.91E+18,TELEMETRY_REGISTRY,1688987943149,"7/10/2023, 11:19:03 AM",low,"7/10/2023, 
11:19:03 AM",16384,"7/10/2023, 11:19:03 AM",,,,,,,,,8.69E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,6.00E+18,1688966689341,C:\Windows\System32\services.exe,1380,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",8d01936f-d2ff-484e-b3e7-3d9bfebcd781,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:40:37 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987946208,1688987946208,2,\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{05847FDD-290D-4477-8F4F-32857B1105F1}\MpKslDrv.sys,HKLM\SYSTEM\CurrentControlSet\Services\MpKslb40da2fb,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:19:06 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKslb40da2fb""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-1.30E+18,TELEMETRY_REGISTRY,1688987946208,"7/10/2023, 11:19:06 AM",low,"7/10/2023, 11:19:06 AM",16384,"7/10/2023, 11:19:06 AM",,,,,,,,,-4.92E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,6.00E+18,1688966689341,C:\Windows\System32\services.exe,1380,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",fe5ce08d-5e57-428e-bb04-66d94880b1eb,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:30:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987668223,1688987668223,4,2,HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification,2,startuptnotiofficescannt monitor,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:14:28 
AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""An autostart registry key was created in the system."",""highlightedObjects"":[{""field"":""logonUser"",""riskLevel"":""low"",""type"":""user_account"",""value"":[""Crest""]},{""field"":""endpointHostName"",""type"":""text"",""value"":""DESKTOP-007""},{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""2""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""startuptnotiofficescannt monitor""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunNotification""}],""id"":""F1002"",""level"":""low"",""name"":""Auto-start Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1547.001""],""type"":""preset"",""unique_id"":""60305696-c02a-418e-b590-019e0c1fe464""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\sihost.exe,sihost.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1547.001"",""XSAE.F1002"",""ATTACK.G0010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,313096,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",4.77E+18,TELEMETRY_REGISTRY,1688987668223,"7/10/2023, 11:14:28 AM",low,"7/10/2023, 11:14:28 AM",8192,"7/10/2023, 11:14:28 AM",,,,,,,,,5.63E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,999,C:\Windows\system32\svchost.exe -k netsvcs -p -s 
UserManager,1651900770237,-8.22E+17,8ec922c7-a58a-8701-ab48-1b7be9644536,3f64c98f22da277a07cab248c44c56eedb796a81,949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b,1651900770237,C:\Windows\System32\svchost.exe,79920,8.75E+18,16384,1688966689796,C:\Windows\System32\svchost.exe,2284,0,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,1,751,5889,1651900760391,4.80E+18,e5a23407-157b-23f3-c244-1d412163e4ee,e8d9750e757e5b580c56521a81ed0cc41d327d82,51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13,1651900760391,147456,4.95E+18,1688966692731,C:\Windows\System32\sihost.exe,8396,"[""Microsoft Windows""]",[true],7,Crest,DESKTOP-007,xes,1.2.0.4110,1,UTC+05:30,"[""DESKTOP-007""]",96a908c7-2aa4-44c9-9e48-ed1d671a6a6c,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:30:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987832381,1688987832381,2,C:\Program Files (x86)\Trend Micro\Security Agent\temp\iAC\program\TMiACAgentSetup.exe --mode uninstall,HKLM\SYSTEM\CurrentControlSet\Services\TMiACUninstallSvc,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:17:12 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\temp\\iAC\\program\\TMiACAgentSetup.exe --mode uninstall""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACUninstallSvc""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""},{""description"":""Trend Micro Endpoint Protection Product was possibly uninstalled by an adversary mimicking the legitimate way of uninstallation."",""highlightedObjects"":[{""field"":""objectRegistryKeyHandle"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACUninstallSvc""},{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\temp\\iAC\\program\\TMiACAgentSetup.exe --mode uninstall""}],""id"":""F5532"",""level"":""low"",""name"":""Possible Security Product Uninstallation"",""tactics"":[""TA0005""],""techniques"":[""T1562.001""],""type"":""preset"",""unique_id"":""2f6ae4fc-39c7-42a2-9b39-cdd54a7bb894""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1562.001"",""MITRE.T1574.011"",""XSAE.F1010"",""XSAE.F5532""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",5.66E+18,TELEMETRY_REGISTRY,1688987832381,"7/10/2023, 11:17:12 AM",low,"7/10/2023, 11:17:12 AM",16384,"7/10/2023, 11:17:12 AM",,,,,,,,,2.44E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,6.00E+18,1688966689341,C:\Windows\System32\services.exe,1380,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",62567424-480c-4748-a71a-b52d66fe0007,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:30:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688987855687,1688987855687,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\PccNTUpd.exe"" -service",HKLM\SYSTEM\CurrentControlSet\Services\PccNTUpd,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:17:35 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\PccNTUpd.exe\"" -service""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\PccNTUpd""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-2.50E+18,TELEMETRY_REGISTRY,1688987855687,"7/10/2023, 11:17:35 AM",low,"7/10/2023, 11:17:36 AM",16384,"7/10/2023, 11:17:36 AM",,,,,,,,,8.02E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,6.00E+18,1688966689341,C:\Windows\System32\services.exe,1380,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",e0343fe9-bed6-47df-9f50-e6509437cf4a,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:50:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688988444848,1688988444848,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\TmWSCSvc.exe""",HKLM\SYSTEM\CurrentControlSet\Services\TmWSCSvc,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:27:24 
AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\TmWSCSvc.exe\""""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmWSCSvc""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",6.79E+18,TELEMETRY_REGISTRY,1688988444848,"7/10/2023, 11:27:24 AM",low,"7/10/2023, 11:27:25 AM",16384,"7/10/2023, 11:27:25 AM",,,,,,,,,-5.53E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,-4.26E+18,1688987978405,C:\Windows\System32\services.exe,1052,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",0f6da4d6-fc33-4b47-968c-0ce92152ef0a,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:50:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688988444868,1688988444868,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\CCSF\TmCCSF.exe""",HKLM\SYSTEM\CurrentControlSet\Services\TmCCSF,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:27:24 AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\""""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath 
Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",-1.81E+17,TELEMETRY_REGISTRY,1688988444868,"7/10/2023, 11:27:24 AM",low,"7/10/2023, 11:27:25 AM",16384,"7/10/2023, 11:27:25 AM",,,,,,,,,-6.87E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,-4.26E+18,1688987978405,C:\Windows\System32\services.exe,1052,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",cb1b1cf1-5987-4fc8-b604-e41a9b16b993,TrendMicro_XDR_OAT_CL, +1a0e2567-2e58-4989-ad18-206108185325,RestAPI,,,"7/10/2023, 11:50:24 AM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1688988505475,1688988505475,2,"""C:\Program Files (x86)\Trend Micro\Security Agent\tmlisten.exe""",HKLM\SYSTEM\CurrentControlSet\Services\tmlisten,3,imagepath,EVENT_SOURCE_TELEMETRY,37fe6e71-9495-4dd3-8915-9625e5a38754,"7/10/2023, 11:28:25 
AM",DESKTOP-007,9a06dee6-06ef-44b3-9b6b-cb734c048f8b,"[""fefe::efef"",""10.1.2.0""]","[{""description"":""Detect creation or modification of service imagepath registry"",""highlightedObjects"":[{""field"":""objectRegistryData"",""master"":true,""type"":""registry_value_data"",""value"":""\""C:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmlisten.exe\""""},{""field"":""objectRegistryValue"",""riskLevel"":""low"",""type"":""registry_value"",""value"":""imagepath""},{""field"":""objectRegistryKeyHandle"",""riskLevel"":""low"",""type"":""registry_key"",""value"":""HKLM\\SYSTEM\\CurrentControlSet\\Services\\tmlisten""}],""id"":""F1010"",""level"":""low"",""name"":""Creation or Modification of Service ImagePath Registry"",""tactics"":[""TA0003"",""TA0004"",""TA0005""],""techniques"":[""T1112"",""T1543.003"",""T1574.011""],""type"":""preset"",""unique_id"":""c14fbd5f-9786-4382-929c-1666f8357f4c""}]",endpoint,"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",DESKTOP-007,"[""fefe::efef"",""10.1.2.0""]","[""Crest""]",C:\Windows\System32\services.exe,C:\Windows\system32\services.exe,TELEMETRY_REGISTRY_SET,,,"[""MITRE.T1112"",""MITRE.T1543.003"",""MITRE.T1574.011"",""XSAE.F1010""]",9a06dee6-06ef-44b3-9b6b-cb734c048f8b,999,"[""00:2b:67:c0:3f:10"",""00:09:0f:aa:00:01"",""a8:7e:ea:bd:83:15"",""aa:7e:ea:bd:83:14"",""a8:7e:ea:bd:83:14"",""00:09:0f:fe:00:01"",""a8:7e:ea:bd:83:18""]",8.48E+17,TELEMETRY_REGISTRY,1688988505475,"7/10/2023, 11:28:25 AM",low,"7/10/2023, 11:28:25 AM",16384,"7/10/2023, 11:28:25 AM",,,,,,,,,3.30E+18,,,,,,,,,,,,Windows 10 Pro (64 bit) build 
22621,Windows,0x00000030,10.0.22621,,,,,,,,,,,,,,,,,,,,,,1,751,5889,1688560359581,-4.09E+18,68483e45-9f55-5389-ad8b-a6424bbaf42f,16d12a866c716390af9ca4d87bd7674d6e478f42,4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb,1688560359596,757576,-4.26E+18,1688987978405,C:\Windows\System32\services.exe,1052,"[""Microsoft Windows Publisher""]",[true],7,SYSTEM,NT AUTHORITY,xes,1.2.0.4110,0,UTC+05:30,"[""DESKTOP-007""]",c40c072c-f32c-458e-b93a-95148f605bc3,TrendMicro_XDR_OAT_CL, \ No newline at end of file diff --git a/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_RawLogs.json b/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_RawLogs.json new file mode 100644 index 00000000000..284f4c8951d --- /dev/null +++ b/Sample Data/ASIM/TrendMicroVisionOne_ASimRegistryEvent_RawLogs.json 
@@ -0,0 +1,5401 @@ +[ + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/21/2023, 8:40:50 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": 133335259636786000, + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + 
"detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1689927727960, + "detail_objectLastSeen": 1689927727960, + "detail_objectRegType": 1, + "detail_objectRegistryData": "C:\\Program Files\\Google\\Drive File Stream\\78.0.1.0\\GoogleDriveFS.exe --startup_mode", + "detail_objectRegistryKeyHandle": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "detail_objectRegistryRoot": 2, + "detail_objectRegistryValue": "googledrivefs", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/21/2023, 8:22:07 AM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Uncommon Run/RunOnce Registry Entry Creation", + "highlightedObjects": [ + { + "field": "objectRegistryKeyHandle", + "master": true, + "riskLevel": "low", + "type": "registry_key", + "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" + }, + { + "field": "objectRegistryData", + "type": "registry_value_data", + "value": "C:\\Program Files\\Google\\Drive File Stream\\78.0.1.0\\GoogleDriveFS.exe --startup_mode" + }, + { + "field": "objectRegistryValue", + "type": "registry_value", + "value": "googledrivefs" + }, + { + "field": "processCmd", + "riskLevel": "low", + "type": "command_line", + "value": "\"C:\\Program Files (x86)\\Google\\Update\\Install\\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\\setup.exe\" /quiet /norestart MSI_UILEVEL=2 " + } + ], + "id": "D0007", + "level": "low", + "name": "Uncommon Run/RunOnce Registry Entry Creation", + "tactics": [ + "TA0003", + "TA0004" + ], + "techniques": [ + "T1547.001" + ], + "type": "preset", + "unique_id": "34e8005e-485c-42b6-8f5b-4bbd7c5b50d7" + }, + { + "description": "An autostart registry key was created in the system.", + 
"highlightedObjects": [ + { + "field": "endpointHostName", + "type": "text", + "value": "CLO007" + }, + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "C:\\Program Files\\Google\\Drive File Stream\\78.0.1.0\\GoogleDriveFS.exe --startup_mode" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "googledrivefs" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" + } + ], + "id": "F1002", + "level": "low", + "name": "Auto-start Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1547.001" + ], + "type": "preset", + "unique_id": "60305696-c02a-418e-b590-019e0c1fe464" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::ae56:7be8:236b:799d,172.20.240.235,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": "", + "detail_processFilePath": "C:\\Program Files (x86)\\Google\\Update\\Install\\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\\setup.exe", + "detail_processCmd": "C:\\Program Files (x86)\\Google\\Update\\Install\\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\\setup.exe\" /quiet /norestart MSI_UILEVEL=2", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "XSAE.D0007", + "MITRE.T1112", + "MITRE.T1547.001", + "XSAE.F1002", + "ATTACK.G0010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + 
"a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -1000000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1689927727960, + "detail_eventTimeDT": "7/21/2023, 8:22:07 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/21/2023, 8:22:08 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/21/2023, 8:22:08 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 8530000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": 999, + "detail_parentCmd": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc", + "detail_parentFileCreation": 1688559976840, + "detail_parentFileHashId": 4190000000000000000, + "detail_parentFileHashMd5": "5722709c-b676-e5b6-f247-3943f9e71632", + "detail_parentFileHashSha1": "f825840cb4ac0427340e407598ae4ab558dd7453", + "detail_parentFileHashSha256": "0c48c63acec1892ecf03ab327d6584adfe084e8470d165a91f793d7c28f70eeb", + "detail_parentFileModifiedTime": 1688559966914, + "detail_parentFilePath": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "detail_parentFileSize": 162072, + "detail_parentHashId": -4110000000000000000, + "detail_parentIntegrityLevel": 
16384, + "detail_parentLaunchTime": 1689914856423, + "detail_parentName": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "detail_parentPid": 19124, + "detail_parentSessionId": 0, + "detail_parentSigner": [ + "Google LLC" + ], + "detail_parentSignerValid": [ + true + ], + "detail_parentTrueType": 7, + "detail_parentUser": "SYSTEM", + "detail_parentUserDomain": "NT AUTHORITY", + "detail_plang": 1, + "detail_pname": "", + "detail_pplat": 5889, + "detail_processFileCreation": 1689914915926, + "detail_processFileHashId": -418000000000000000, + "detail_processFileHashMd5": "", + "detail_processFileHashSha1": "", + "detail_processFileHashSha256": "", + "detail_processFileModifiedTime": 1689914905388, + "detail_processFileSize": 332718872, + "detail_processHashId": 6950000000000000000, + "detail_processLaunchTime": 1689914928671, + "detail_processName": "C:\\Program Files (x86)\\Google\\Update\\Install\\{5FAD9309-FD0A-49B9-AA1F-9393A308F8AD}\\setup.exe", + "detail_processPid": 3316, + "detail_processSigner": "", + "detail_processSignerValid": "", + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": "", + "detail_uuid": "2b7e7f38-785d-4047-9d2f-636d0d4be0fd", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:47 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + 
"detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688991193134, + "detail_objectLastSeen": 1688991193134, + "detail_objectRegType": 2, + "detail_objectRegistryData": "\\SystemRoot\\system32\\DRIVERS\\tbimdsa.sys", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tbimdsa", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + 
"xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:13:13 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\\SystemRoot\\system32\\DRIVERS\\tbimdsa.sys" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tbimdsa" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + 
"detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 5330000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688991193134, + "detail_eventTimeDT": "7/10/2023, 12:13:13 PM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:13:13 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:13:13 PM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -2650000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + 
"detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 4120000000000000000, + "detail_processLaunchTime": 1688989886343, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "65ba7925-18b1-420f-aa7b-27a363a4b778", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:47 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", 
+ "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688991193344, + "detail_objectLastSeen": 1688991193344, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\iService\\iVP\\iVPAgent.exe\" -service", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\iVPAgent", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:13:13 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + 
"endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\iService\\iVP\\iVPAgent.exe\" -service" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\iVPAgent" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + 
"00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -1860000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688991193344, + "detail_eventTimeDT": "7/10/2023, 12:13:13 PM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:13:13 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:13:13 PM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 7840000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + 
"detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 4120000000000000000, + "detail_processLaunchTime": 1688989886343, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "a0748545-ec4b-41a4-af5a-58cf59be9a34", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:47 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + 
"detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688991236123, + "detail_objectLastSeen": 1688991236123, + "detail_objectRegType": 2, + "detail_objectRegistryData": "system32\\DRIVERS\\AcDriver.sys", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriver", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:13:56 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": 
"objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "system32\\DRIVERS\\AcDriver.sys" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriver" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 903000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688991236123, + "detail_eventTimeDT": "7/10/2023, 12:13:56 PM", + 
"detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:13:56 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:13:56 PM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -1620000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + 
"detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 4120000000000000000, + "detail_processLaunchTime": 1688989886343, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "d9700de8-9e94-4559-ade1-ceec71ec2db9", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:47 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + 
"detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688991236282, + "detail_objectLastSeen": 1688991236282, + "detail_objectRegType": 2, + "detail_objectRegistryData": "\\SystemRoot\\system32\\DRIVERS\\AcDriverHelper.sys", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriverHelper", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:13:56 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\\SystemRoot\\system32\\DRIVERS\\AcDriverHelper.sys" + }, + { + "field": "objectRegistryValue", + "riskLevel": 
"low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AcDriverHelper" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 3350000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688991236282, + "detail_eventTimeDT": "7/10/2023, 12:13:56 PM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:13:56 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:13:56 PM", + "detail_objectAuthId": 
"", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 2920000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 
4120000000000000000, + "detail_processLaunchTime": 1688989886343, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "8ca63d1b-1c0b-434e-b1a0-16ee6515d967", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:47 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + 
"detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688991236283, + "detail_objectLastSeen": 1688991236283, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\iService\\iAC\\ac_bin\\TMiACAgentSvc.exe\" --mode SVC --sc --l DEBUG", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACAgentSvc", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:13:56 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\iService\\iAC\\ac_bin\\TMiACAgentSvc.exe\" --mode SVC --sc --l DEBUG" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": 
"objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACAgentSvc" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -3040000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688991236283, + "detail_eventTimeDT": "7/10/2023, 12:13:56 PM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:13:56 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:13:56 PM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + 
"detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -1350000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 4120000000000000000, + "detail_processLaunchTime": 1688989886343, + 
"detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "22d06385-f446-439a-98cd-5db330bd63d7", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:48 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + 
"detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688990642296, + "detail_objectLastSeen": 1688990642296, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\" -1", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 12:04:02 PM", + "endpoint_name": "CLO007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\" -1" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF" + } + ], + "id": "F1010", + 
"level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "CLO007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 3960000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688990642296, + "detail_eventTimeDT": "7/10/2023, 12:04:02 PM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 12:04:02 PM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 12:04:02 PM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + 
"detail_objectHashId": 6700000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 4120000000000000000, + "detail_processLaunchTime": 1688989886343, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 708, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + 
"detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "CLO007" + ], + "detail_uuid": "e4b5917a-6524-4451-b2a7-fbe359498bf1", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 12:30:48 PM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + 
"detail_mpname": "",
+ "detail_mpver": "",
+ "detail_pComp": "",
+ "detail_patVer": "",
+ "detail_rtDate": "",
+ "detail_rtHour": "",
+ "detail_rtWeekDay": "",
+ "detail_rt_utc": "",
+ "detail_ruleName": "",
+ "detail_scanType": "",
+ "detail_secondAct": "",
+ "detail_secondActResult": "",
+ "detail_senderGUID": "",
+ "detail_senderIp": "",
+ "detail_severity": "",
+ "detail_deviceType": "",
+ "detail_nativeDeviceCharacteristics": "",
+ "detail_nativeDeviceType": "",
+ "detail_nativeStorageDeviceBusType": "",
+ "detail_objectSubTrueType": "",
+ "detail_objectFirstSeen": 1688990642296,
+ "detail_objectLastSeen": 1688990642296,
+ "detail_objectRegType": 2,
+ "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe",
+ "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF",
+ "detail_objectRegistryRoot": 3,
+ "detail_objectRegistryValue": "imagepath",
+ "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY",
+ "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754",
+ "detectionTime": "7/10/2023, 12:04:02 PM",
+ "endpoint_name": "CLO007",
+ "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "endpoint_ips": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "filters": [
+ {
+ "description": "Detect creation or modification of service imagepath registry",
+ "highlightedObjects": [
+ {
+ "field": "objectRegistryData",
+ "master": true,
+ "type": "registry_value_data",
+ "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\""
+ },
+ {
+ "field": "objectRegistryValue",
+ "riskLevel": "low",
+ "type": "registry_value",
+ "value": "imagepath"
+ },
+ {
+ "field": "objectRegistryKeyHandle",
+ "riskLevel": "low",
+ "type": "registry_key",
+ "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF"
+ }
+ ],
+ "id": "F1010",
+ "level": "low",
+ "name": "Creation or Modification of Service ImagePath Registry",
+ "tactics": [
+ "TA0003",
+ "TA0004",
+ "TA0005"
+ ],
+ "techniques": [
+ 
"T1112",
+ "T1543.003",
+ "T1574.011"
+ ],
+ "type": "preset",
+ "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c"
+ }
+ ],
+ "entityType": "endpoint",
+ "entityName": "CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",
+ "detail_endpointHostName": "CLO007",
+ "detail_endpointIp": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "detail_logonUser": [
+ "Crest"
+ ],
+ "detail_processFilePath": "C:\\Windows\\System32\\services.exe",
+ "detail_processCmd": "C:\\Windows\\system32\\services.exe",
+ "detail_eventSubId": "TELEMETRY_REGISTRY_SET",
+ "detail_objectFilePath": "",
+ "detail_objectCmd": "",
+ "detail_tags": [
+ "MITRE.T1112",
+ "MITRE.T1543.003",
+ "MITRE.T1574.011",
+ "XSAE.F1010"
+ ],
+ "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "detail_authId": 999,
+ "detail_endpointMacAddress": [
+ "00:2b:67:c0:3f:10",
+ "00:09:0f:aa:00:01",
+ "a8:7e:ea:bd:83:15",
+ "aa:7e:ea:bd:83:14",
+ "a8:7e:ea:bd:83:14",
+ "00:09:0f:fe:00:01",
+ "a8:7e:ea:bd:83:18"
+ ],
+ "detail_eventHashId": -181000000000000000,
+ "detail_eventId": "TELEMETRY_REGISTRY",
+ "detail_eventTime": 1688990642296,
+ "detail_eventTimeDT": "7/10/2023, 12:04:02 PM",
+ "detail_filterRiskLevel": "low",
+ "detail_firstSeen": "7/10/2023, 12:04:02 PM",
+ "detail_integrityLevel": 16384,
+ "detail_lastSeen": "7/10/2023, 12:04:02 PM",
+ "detail_objectAuthId": "",
+ "detail_objectFileCreation": "",
+ "detail_objectFileHashId": "",
+ "detail_objectFileHashMd5": "",
+ "detail_objectFileHashSha1": "",
+ "detail_objectFileHashSha256": "",
+ "detail_objectFileModifiedTime": "",
+ "detail_objectFileSize": "",
+ "detail_objectHashId": -6870000000000000000,
+ "detail_objectIntegrityLevel": "",
+ "detail_objectLaunchTime": "",
+ "detail_objectName": "",
+ 
"detail_objectPid": "",
+ "detail_objectRunAsLocalAccount": "",
+ "detail_objectSessionId": "",
+ "detail_objectSigner": "",
+ "detail_objectSignerValid": "",
+ "detail_objectTrueType": "",
+ "detail_objectUser": "",
+ "detail_objectUserDomain": "",
+ "detail_osDescription": "Windows 10 Pro (64 bit) build 22621",
+ "detail_osName": "Windows",
+ "detail_osType": "0x00000030",
+ "detail_osVer": "10.0.22621",
+ "detail_parentAuthId": "",
+ "detail_parentCmd": "",
+ "detail_parentFileCreation": "",
+ "detail_parentFileHashId": "",
+ "detail_parentFileHashMd5": "",
+ "detail_parentFileHashSha1": "",
+ "detail_parentFileHashSha256": "",
+ "detail_parentFileModifiedTime": "",
+ "detail_parentFilePath": "",
+ "detail_parentFileSize": "",
+ "detail_parentHashId": "",
+ "detail_parentIntegrityLevel": "",
+ "detail_parentLaunchTime": "",
+ "detail_parentName": "",
+ "detail_parentPid": "",
+ "detail_parentSessionId": "",
+ "detail_parentSigner": "",
+ "detail_parentSignerValid": "",
+ "detail_parentTrueType": "",
+ "detail_parentUser": "",
+ "detail_parentUserDomain": "",
+ "detail_plang": 1,
+ "detail_pname": 751,
+ "detail_pplat": 5889,
+ "detail_processFileCreation": 1688560359581,
+ "detail_processFileHashId": -4090000000000000000,
+ "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "detail_processFileModifiedTime": 1688560359596,
+ "detail_processFileSize": 757576,
+ "detail_processHashId": 4120000000000000000,
+ "detail_processLaunchTime": 1688989886343,
+ "detail_processName": "C:\\Windows\\System32\\services.exe",
+ "detail_processPid": 708,
+ "detail_processSigner": [
+ "Microsoft Windows Publisher"
+ ],
+ "detail_processSignerValid": [
+ true
+ ],
+ "detail_processTrueType": 7,
+ "detail_processUser": "SYSTEM",
+ "detail_processUserDomain": "NT AUTHORITY",
+ 
"detail_productCode": "xes",
+ "detail_pver": "1.2.0.4110",
+ "detail_sessionId": 0,
+ "detail_timezone": "UTC+05:30",
+ "detail_userDomain": [
+ "CLO007"
+ ],
+ "detail_uuid": "bd4bd445-d738-4fa5-9708-8fe8fede53f9",
+ "Type": "TrendMicro_XDR_OAT_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated": "7/10/2023, 12:30:48 PM",
+ "Computer": "",
+ "RawData": "",
+ "detail_compressedFileName": "",
+ "detail_malFamily": "",
+ "detail_correlationData": "",
+ "detail_eventDataProviderName": "",
+ "detail_eventDataProviderPath": "",
+ "detail_providerGUID": "",
+ "detail_providerName": "",
+ "detail_rawDataSize": "",
+ "detail_rawDataStr": "",
+ "detail_rt": "",
+ "detail_winEventId": "",
+ "detail_confidence": "",
+ "detail_detectionName": "",
+ "detail_detectionType": "",
+ "detail_fileCreation": "",
+ "detail_fileSize": "",
+ "detail_threatType": "",
+ "detail_act": "",
+ "detail_aggregatedCount": "",
+ "detail_behaviorCat": "",
+ "detail_bmGroup": "",
+ "detail_engineOperation": "",
+ "detail_instanceId": "",
+ "detail_policyId": "",
+ "detail_riskLevel": "",
+ "detail_ruleId": "",
+ "detail_actResult": "",
+ "detail_channel": "",
+ "detail_deviceGUID": "",
+ "detail_domainName": "",
+ "detail_dvchost": "",
+ "detail_endpointGUID": "",
+ "detail_engType": "",
+ "detail_engVer": "",
+ "detail_eventName": "",
+ "detail_eventSubName": "",
+ "detail_fileHash": "",
+ "detail_fileName": "",
+ "detail_filePath": "",
+ "detail_firstAct": "",
+ "detail_firstActResult": "",
+ "detail_fullPath": "",
+ "detail_interestedIp": "",
+ "detail_logKey": "",
+ "detail_mDevice": "",
+ "detail_mDeviceGUID": "",
+ "detail_malDst": "",
+ "detail_malName": "",
+ "detail_malSubType": "",
+ "detail_malType": "",
+ "detail_mpname": "",
+ "detail_mpver": "",
+ "detail_pComp": "",
+ "detail_patVer": "",
+ "detail_rtDate": "",
+ "detail_rtHour": "",
+ "detail_rtWeekDay": "",
+ 
"detail_rt_utc": "",
+ "detail_ruleName": "",
+ "detail_scanType": "",
+ "detail_secondAct": "",
+ "detail_secondActResult": "",
+ "detail_senderGUID": "",
+ "detail_senderIp": "",
+ "detail_severity": "",
+ "detail_deviceType": "",
+ "detail_nativeDeviceCharacteristics": "",
+ "detail_nativeDeviceType": "",
+ "detail_nativeStorageDeviceBusType": "",
+ "detail_objectSubTrueType": "",
+ "detail_objectFirstSeen": 1688990720313,
+ "detail_objectLastSeen": 1688990720313,
+ "detail_objectRegType": 2,
+ "detail_objectRegistryData": "%SystemRoot%\\system32\\dgagent\\DSAGENT.exe",
+ "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\DSASvc",
+ "detail_objectRegistryRoot": 3,
+ "detail_objectRegistryValue": "imagepath",
+ "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY",
+ "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754",
+ "detectionTime": "7/10/2023, 12:05:20 PM",
+ "endpoint_name": "CLO007",
+ "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "endpoint_ips": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "filters": [
+ {
+ "description": "Detect creation or modification of service imagepath registry",
+ "highlightedObjects": [
+ {
+ "field": "objectRegistryData",
+ "master": true,
+ "type": "registry_value_data",
+ "value": "%SystemRoot%\\system32\\dgagent\\DSAGENT.exe"
+ },
+ {
+ "field": "objectRegistryValue",
+ "riskLevel": "low",
+ "type": "registry_value",
+ "value": "imagepath"
+ },
+ {
+ "field": "objectRegistryKeyHandle",
+ "riskLevel": "low",
+ "type": "registry_key",
+ "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\DSASvc"
+ }
+ ],
+ "id": "F1010",
+ "level": "low",
+ "name": "Creation or Modification of Service ImagePath Registry",
+ "tactics": [
+ "TA0003",
+ "TA0004",
+ "TA0005"
+ ],
+ "techniques": [
+ "T1112",
+ "T1543.003",
+ "T1574.011"
+ ],
+ "type": "preset",
+ "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c"
+ }
+ ],
+ "entityType": "endpoint",
+ "entityName": 
"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",
+ "detail_endpointHostName": "CLO007",
+ "detail_endpointIp": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "detail_logonUser": [
+ "Crest"
+ ],
+ "detail_processFilePath": "C:\\Windows\\System32\\services.exe",
+ "detail_processCmd": "C:\\Windows\\system32\\services.exe",
+ "detail_eventSubId": "TELEMETRY_REGISTRY_SET",
+ "detail_objectFilePath": "",
+ "detail_objectCmd": "",
+ "detail_tags": [
+ "MITRE.T1112",
+ "MITRE.T1543.003",
+ "MITRE.T1574.011",
+ "XSAE.F1010"
+ ],
+ "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "detail_authId": 999,
+ "detail_endpointMacAddress": [
+ "00:2b:67:c0:3f:10",
+ "00:09:0f:aa:00:01",
+ "a8:7e:ea:bd:83:15",
+ "aa:7e:ea:bd:83:14",
+ "a8:7e:ea:bd:83:14",
+ "00:09:0f:fe:00:01",
+ "a8:7e:ea:bd:83:18"
+ ],
+ "detail_eventHashId": 126000000000000000,
+ "detail_eventId": "TELEMETRY_REGISTRY",
+ "detail_eventTime": 1688990720313,
+ "detail_eventTimeDT": "7/10/2023, 12:05:20 PM",
+ "detail_filterRiskLevel": "low",
+ "detail_firstSeen": "7/10/2023, 12:05:20 PM",
+ "detail_integrityLevel": 16384,
+ "detail_lastSeen": "7/10/2023, 12:05:20 PM",
+ "detail_objectAuthId": "",
+ "detail_objectFileCreation": "",
+ "detail_objectFileHashId": "",
+ "detail_objectFileHashMd5": "",
+ "detail_objectFileHashSha1": "",
+ "detail_objectFileHashSha256": "",
+ "detail_objectFileModifiedTime": "",
+ "detail_objectFileSize": "",
+ "detail_objectHashId": -6310000000000000000,
+ "detail_objectIntegrityLevel": "",
+ "detail_objectLaunchTime": "",
+ "detail_objectName": "",
+ "detail_objectPid": "",
+ "detail_objectRunAsLocalAccount": "",
+ "detail_objectSessionId": "",
+ "detail_objectSigner": "",
+ "detail_objectSignerValid": "",
+ "detail_objectTrueType": 
"",
+ "detail_objectUser": "",
+ "detail_objectUserDomain": "",
+ "detail_osDescription": "Windows 10 Pro (64 bit) build 22621",
+ "detail_osName": "Windows",
+ "detail_osType": "0x00000030",
+ "detail_osVer": "10.0.22621",
+ "detail_parentAuthId": "",
+ "detail_parentCmd": "",
+ "detail_parentFileCreation": "",
+ "detail_parentFileHashId": "",
+ "detail_parentFileHashMd5": "",
+ "detail_parentFileHashSha1": "",
+ "detail_parentFileHashSha256": "",
+ "detail_parentFileModifiedTime": "",
+ "detail_parentFilePath": "",
+ "detail_parentFileSize": "",
+ "detail_parentHashId": "",
+ "detail_parentIntegrityLevel": "",
+ "detail_parentLaunchTime": "",
+ "detail_parentName": "",
+ "detail_parentPid": "",
+ "detail_parentSessionId": "",
+ "detail_parentSigner": "",
+ "detail_parentSignerValid": "",
+ "detail_parentTrueType": "",
+ "detail_parentUser": "",
+ "detail_parentUserDomain": "",
+ "detail_plang": 1,
+ "detail_pname": 751,
+ "detail_pplat": 5889,
+ "detail_processFileCreation": 1688560359581,
+ "detail_processFileHashId": -4090000000000000000,
+ "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "detail_processFileModifiedTime": 1688560359596,
+ "detail_processFileSize": 757576,
+ "detail_processHashId": 4120000000000000000,
+ "detail_processLaunchTime": 1688989886343,
+ "detail_processName": "C:\\Windows\\System32\\services.exe",
+ "detail_processPid": 708,
+ "detail_processSigner": [
+ "Microsoft Windows Publisher"
+ ],
+ "detail_processSignerValid": [
+ true
+ ],
+ "detail_processTrueType": 7,
+ "detail_processUser": "SYSTEM",
+ "detail_processUserDomain": "NT AUTHORITY",
+ "detail_productCode": "xes",
+ "detail_pver": "1.2.0.4110",
+ "detail_sessionId": 0,
+ "detail_timezone": "UTC+05:30",
+ "detail_userDomain": [
+ "CLO007"
+ ],
+ "detail_uuid": 
"f7e011a9-28e7-44cc-a2dd-2be0fb1b0e91",
+ "Type": "TrendMicro_XDR_OAT_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated": "7/10/2023, 12:30:48 PM",
+ "Computer": "",
+ "RawData": "",
+ "detail_compressedFileName": "",
+ "detail_malFamily": "",
+ "detail_correlationData": "",
+ "detail_eventDataProviderName": "",
+ "detail_eventDataProviderPath": "",
+ "detail_providerGUID": "",
+ "detail_providerName": "",
+ "detail_rawDataSize": "",
+ "detail_rawDataStr": "",
+ "detail_rt": "",
+ "detail_winEventId": "",
+ "detail_confidence": "",
+ "detail_detectionName": "",
+ "detail_detectionType": "",
+ "detail_fileCreation": "",
+ "detail_fileSize": "",
+ "detail_threatType": "",
+ "detail_act": "",
+ "detail_aggregatedCount": "",
+ "detail_behaviorCat": "",
+ "detail_bmGroup": "",
+ "detail_engineOperation": "",
+ "detail_instanceId": "",
+ "detail_policyId": "",
+ "detail_riskLevel": "",
+ "detail_ruleId": "",
+ "detail_actResult": "",
+ "detail_channel": "",
+ "detail_deviceGUID": "",
+ "detail_domainName": "",
+ "detail_dvchost": "",
+ "detail_endpointGUID": "",
+ "detail_engType": "",
+ "detail_engVer": "",
+ "detail_eventName": "",
+ "detail_eventSubName": "",
+ "detail_fileHash": "",
+ "detail_fileName": "",
+ "detail_filePath": "",
+ "detail_firstAct": "",
+ "detail_firstActResult": "",
+ "detail_fullPath": "",
+ "detail_interestedIp": "",
+ "detail_logKey": "",
+ "detail_mDevice": "",
+ "detail_mDeviceGUID": "",
+ "detail_malDst": "",
+ "detail_malName": "",
+ "detail_malSubType": "",
+ "detail_malType": "",
+ "detail_mpname": "",
+ "detail_mpver": "",
+ "detail_pComp": "",
+ "detail_patVer": "",
+ "detail_rtDate": "",
+ "detail_rtHour": "",
+ "detail_rtWeekDay": "",
+ "detail_rt_utc": "",
+ "detail_ruleName": "",
+ "detail_scanType": "",
+ "detail_secondAct": "",
+ "detail_secondActResult": "",
+ "detail_senderGUID": "",
+ "detail_senderIp": 
"",
+ "detail_severity": "",
+ "detail_deviceType": "",
+ "detail_nativeDeviceCharacteristics": "",
+ "detail_nativeDeviceType": "",
+ "detail_nativeStorageDeviceBusType": "",
+ "detail_objectSubTrueType": "",
+ "detail_objectFirstSeen": 1688990720351,
+ "detail_objectLastSeen": 1688990720351,
+ "detail_objectRegType": 2,
+ "detail_objectRegistryData": "system32\\drivers\\sakfile.sys",
+ "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SAKFile",
+ "detail_objectRegistryRoot": 3,
+ "detail_objectRegistryValue": "imagepath",
+ "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY",
+ "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754",
+ "detectionTime": "7/10/2023, 12:05:20 PM",
+ "endpoint_name": "CLO007",
+ "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "endpoint_ips": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "filters": [
+ {
+ "description": "Detect creation or modification of service imagepath registry",
+ "highlightedObjects": [
+ {
+ "field": "objectRegistryData",
+ "master": true,
+ "type": "registry_value_data",
+ "value": "system32\\drivers\\sakfile.sys"
+ },
+ {
+ "field": "objectRegistryValue",
+ "riskLevel": "low",
+ "type": "registry_value",
+ "value": "imagepath"
+ },
+ {
+ "field": "objectRegistryKeyHandle",
+ "riskLevel": "low",
+ "type": "registry_key",
+ "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SAKFile"
+ }
+ ],
+ "id": "F1010",
+ "level": "low",
+ "name": "Creation or Modification of Service ImagePath Registry",
+ "tactics": [
+ "TA0003",
+ "TA0004",
+ "TA0005"
+ ],
+ "techniques": [
+ "T1112",
+ "T1543.003",
+ "T1574.011"
+ ],
+ "type": "preset",
+ "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c"
+ }
+ ],
+ "entityType": "endpoint",
+ "entityName": 
"CLO007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",
+ "detail_endpointHostName": "CLO007",
+ "detail_endpointIp": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "detail_logonUser": [
+ "Crest"
+ ],
+ "detail_processFilePath": "C:\\Windows\\System32\\services.exe",
+ "detail_processCmd": "C:\\Windows\\system32\\services.exe",
+ "detail_eventSubId": "TELEMETRY_REGISTRY_SET",
+ "detail_objectFilePath": "",
+ "detail_objectCmd": "",
+ "detail_tags": [
+ "MITRE.T1112",
+ "MITRE.T1543.003",
+ "MITRE.T1574.011",
+ "XSAE.F1010"
+ ],
+ "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "detail_authId": 999,
+ "detail_endpointMacAddress": [
+ "00:2b:67:c0:3f:10",
+ "00:09:0f:aa:00:01",
+ "a8:7e:ea:bd:83:15",
+ "aa:7e:ea:bd:83:14",
+ "a8:7e:ea:bd:83:14",
+ "00:09:0f:fe:00:01",
+ "a8:7e:ea:bd:83:18"
+ ],
+ "detail_eventHashId": -8640000000000000000,
+ "detail_eventId": "TELEMETRY_REGISTRY",
+ "detail_eventTime": 1688990720351,
+ "detail_eventTimeDT": "7/10/2023, 12:05:20 PM",
+ "detail_filterRiskLevel": "low",
+ "detail_firstSeen": "7/10/2023, 12:05:20 PM",
+ "detail_integrityLevel": 16384,
+ "detail_lastSeen": "7/10/2023, 12:05:20 PM",
+ "detail_objectAuthId": "",
+ "detail_objectFileCreation": "",
+ "detail_objectFileHashId": "",
+ "detail_objectFileHashMd5": "",
+ "detail_objectFileHashSha1": "",
+ "detail_objectFileHashSha256": "",
+ "detail_objectFileModifiedTime": "",
+ "detail_objectFileSize": "",
+ "detail_objectHashId": 5020000000000000000,
+ "detail_objectIntegrityLevel": "",
+ "detail_objectLaunchTime": "",
+ "detail_objectName": "",
+ "detail_objectPid": "",
+ "detail_objectRunAsLocalAccount": "",
+ "detail_objectSessionId": "",
+ "detail_objectSigner": "",
+ "detail_objectSignerValid": "",
+ "detail_objectTrueType": 
"",
+ "detail_objectUser": "",
+ "detail_objectUserDomain": "",
+ "detail_osDescription": "Windows 10 Pro (64 bit) build 22621",
+ "detail_osName": "Windows",
+ "detail_osType": "0x00000030",
+ "detail_osVer": "10.0.22621",
+ "detail_parentAuthId": "",
+ "detail_parentCmd": "",
+ "detail_parentFileCreation": "",
+ "detail_parentFileHashId": "",
+ "detail_parentFileHashMd5": "",
+ "detail_parentFileHashSha1": "",
+ "detail_parentFileHashSha256": "",
+ "detail_parentFileModifiedTime": "",
+ "detail_parentFilePath": "",
+ "detail_parentFileSize": "",
+ "detail_parentHashId": "",
+ "detail_parentIntegrityLevel": "",
+ "detail_parentLaunchTime": "",
+ "detail_parentName": "",
+ "detail_parentPid": "",
+ "detail_parentSessionId": "",
+ "detail_parentSigner": "",
+ "detail_parentSignerValid": "",
+ "detail_parentTrueType": "",
+ "detail_parentUser": "",
+ "detail_parentUserDomain": "",
+ "detail_plang": 1,
+ "detail_pname": 751,
+ "detail_pplat": 5889,
+ "detail_processFileCreation": 1688560359581,
+ "detail_processFileHashId": -4090000000000000000,
+ "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "detail_processFileModifiedTime": 1688560359596,
+ "detail_processFileSize": 757576,
+ "detail_processHashId": 4120000000000000000,
+ "detail_processLaunchTime": 1688989886343,
+ "detail_processName": "C:\\Windows\\System32\\services.exe",
+ "detail_processPid": 708,
+ "detail_processSigner": [
+ "Microsoft Windows Publisher"
+ ],
+ "detail_processSignerValid": [
+ true
+ ],
+ "detail_processTrueType": 7,
+ "detail_processUser": "SYSTEM",
+ "detail_processUserDomain": "NT AUTHORITY",
+ "detail_productCode": "xes",
+ "detail_pver": "1.2.0.4110",
+ "detail_sessionId": 0,
+ "detail_timezone": "UTC+05:30",
+ "detail_userDomain": [
+ "CLO007"
+ ],
+ "detail_uuid": 
"05f114fa-3ea2-4a11-b439-3fa23f3c0197",
+ "Type": "TrendMicro_XDR_OAT_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated": "7/10/2023, 11:40:34 AM",
+ "Computer": "",
+ "RawData": "",
+ "detail_compressedFileName": "",
+ "detail_malFamily": "",
+ "detail_correlationData": "",
+ "detail_eventDataProviderName": "",
+ "detail_eventDataProviderPath": "",
+ "detail_providerGUID": "",
+ "detail_providerName": "",
+ "detail_rawDataSize": "",
+ "detail_rawDataStr": "",
+ "detail_rt": "",
+ "detail_winEventId": "",
+ "detail_confidence": "",
+ "detail_detectionName": "",
+ "detail_detectionType": "",
+ "detail_fileCreation": "",
+ "detail_fileSize": "",
+ "detail_threatType": "",
+ "detail_act": "",
+ "detail_aggregatedCount": "",
+ "detail_behaviorCat": "",
+ "detail_bmGroup": "",
+ "detail_engineOperation": "",
+ "detail_instanceId": "",
+ "detail_policyId": "",
+ "detail_riskLevel": "",
+ "detail_ruleId": "",
+ "detail_actResult": "",
+ "detail_channel": "",
+ "detail_deviceGUID": "",
+ "detail_domainName": "",
+ "detail_dvchost": "",
+ "detail_endpointGUID": "",
+ "detail_engType": "",
+ "detail_engVer": "",
+ "detail_eventName": "",
+ "detail_eventSubName": "",
+ "detail_fileHash": "",
+ "detail_fileName": "",
+ "detail_filePath": "",
+ "detail_firstAct": "",
+ "detail_firstActResult": "",
+ "detail_fullPath": "",
+ "detail_interestedIp": "",
+ "detail_logKey": "",
+ "detail_mDevice": "",
+ "detail_mDeviceGUID": "",
+ "detail_malDst": "",
+ "detail_malName": "",
+ "detail_malSubType": "",
+ "detail_malType": "",
+ "detail_mpname": "",
+ "detail_mpver": "",
+ "detail_pComp": "",
+ "detail_patVer": "",
+ "detail_rtDate": "",
+ "detail_rtHour": "",
+ "detail_rtWeekDay": "",
+ "detail_rt_utc": "",
+ "detail_ruleName": "",
+ "detail_scanType": "",
+ "detail_secondAct": "",
+ "detail_secondActResult": "",
+ "detail_senderGUID": "",
+ "detail_senderIp": 
"",
+ "detail_severity": "",
+ "detail_deviceType": "",
+ "detail_nativeDeviceCharacteristics": "",
+ "detail_nativeDeviceType": "",
+ "detail_nativeStorageDeviceBusType": "",
+ "detail_objectSubTrueType": "",
+ "detail_objectFirstSeen": 1688988137810,
+ "detail_objectLastSeen": 1688988137810,
+ "detail_objectRegType": 2,
+ "detail_objectRegistryData": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys",
+ "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl187af448",
+ "detail_objectRegistryRoot": 3,
+ "detail_objectRegistryValue": "imagepath",
+ "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY",
+ "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754",
+ "detectionTime": "7/10/2023, 11:22:17 AM",
+ "endpoint_name": "DESKTOP-007",
+ "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "endpoint_ips": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "filters": [
+ {
+ "description": "Detect creation or modification of service imagepath registry",
+ "highlightedObjects": [
+ {
+ "field": "objectRegistryData",
+ "master": true,
+ "type": "registry_value_data",
+ "value": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys"
+ },
+ {
+ "field": "objectRegistryValue",
+ "riskLevel": "low",
+ "type": "registry_value",
+ "value": "imagepath"
+ },
+ {
+ "field": "objectRegistryKeyHandle",
+ "riskLevel": "low",
+ "type": "registry_key",
+ "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl187af448"
+ }
+ ],
+ "id": "F1010",
+ "level": "low",
+ "name": "Creation or Modification of Service ImagePath Registry",
+ "tactics": [
+ "TA0003",
+ "TA0004",
+ "TA0005"
+ ],
+ "techniques": [
+ "T1112",
+ "T1543.003",
+ "T1574.011"
+ ],
+ "type": "preset",
+ "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c"
+ }
+ ],
+ "entityType": "endpoint",
+ "entityName": 
"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)",
+ "detail_endpointHostName": "DESKTOP-007",
+ "detail_endpointIp": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "detail_logonUser": [
+ "Crest"
+ ],
+ "detail_processFilePath": "C:\\Windows\\System32\\services.exe",
+ "detail_processCmd": "C:\\Windows\\system32\\services.exe",
+ "detail_eventSubId": "TELEMETRY_REGISTRY_SET",
+ "detail_objectFilePath": "",
+ "detail_objectCmd": "",
+ "detail_tags": [
+ "MITRE.T1112",
+ "MITRE.T1543.003",
+ "MITRE.T1574.011",
+ "XSAE.F1010"
+ ],
+ "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "detail_authId": 999,
+ "detail_endpointMacAddress": [
+ "00:2b:67:c0:3f:10",
+ "00:09:0f:aa:00:01",
+ "a8:7e:ea:bd:83:15",
+ "aa:7e:ea:bd:83:14",
+ "a8:7e:ea:bd:83:14",
+ "00:09:0f:fe:00:01",
+ "a8:7e:ea:bd:83:18"
+ ],
+ "detail_eventHashId": -1870000000000000000,
+ "detail_eventId": "TELEMETRY_REGISTRY",
+ "detail_eventTime": 1688988137810,
+ "detail_eventTimeDT": "7/10/2023, 11:22:17 AM",
+ "detail_filterRiskLevel": "low",
+ "detail_firstSeen": "7/10/2023, 11:22:18 AM",
+ "detail_integrityLevel": 16384,
+ "detail_lastSeen": "7/10/2023, 11:22:18 AM",
+ "detail_objectAuthId": "",
+ "detail_objectFileCreation": "",
+ "detail_objectFileHashId": "",
+ "detail_objectFileHashMd5": "",
+ "detail_objectFileHashSha1": "",
+ "detail_objectFileHashSha256": "",
+ "detail_objectFileModifiedTime": "",
+ "detail_objectFileSize": "",
+ "detail_objectHashId": -8180000000000000000,
+ "detail_objectIntegrityLevel": "",
+ "detail_objectLaunchTime": "",
+ "detail_objectName": "",
+ "detail_objectPid": "",
+ "detail_objectRunAsLocalAccount": "",
+ "detail_objectSessionId": "",
+ "detail_objectSigner": "",
+ "detail_objectSignerValid": "",
+ 
"detail_objectTrueType": "",
+ "detail_objectUser": "",
+ "detail_objectUserDomain": "",
+ "detail_osDescription": "Windows 10 Pro (64 bit) build 22621",
+ "detail_osName": "Windows",
+ "detail_osType": "0x00000030",
+ "detail_osVer": "10.0.22621",
+ "detail_parentAuthId": "",
+ "detail_parentCmd": "",
+ "detail_parentFileCreation": "",
+ "detail_parentFileHashId": "",
+ "detail_parentFileHashMd5": "",
+ "detail_parentFileHashSha1": "",
+ "detail_parentFileHashSha256": "",
+ "detail_parentFileModifiedTime": "",
+ "detail_parentFilePath": "",
+ "detail_parentFileSize": "",
+ "detail_parentHashId": "",
+ "detail_parentIntegrityLevel": "",
+ "detail_parentLaunchTime": "",
+ "detail_parentName": "",
+ "detail_parentPid": "",
+ "detail_parentSessionId": "",
+ "detail_parentSigner": "",
+ "detail_parentSignerValid": "",
+ "detail_parentTrueType": "",
+ "detail_parentUser": "",
+ "detail_parentUserDomain": "",
+ "detail_plang": 1,
+ "detail_pname": 751,
+ "detail_pplat": 5889,
+ "detail_processFileCreation": 1688560359581,
+ "detail_processFileHashId": -4090000000000000000,
+ "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f",
+ "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42",
+ "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb",
+ "detail_processFileModifiedTime": 1688560359596,
+ "detail_processFileSize": 757576,
+ "detail_processHashId": -4260000000000000000,
+ "detail_processLaunchTime": 1688987978405,
+ "detail_processName": "C:\\Windows\\System32\\services.exe",
+ "detail_processPid": 1052,
+ "detail_processSigner": [
+ "Microsoft Windows Publisher"
+ ],
+ "detail_processSignerValid": [
+ true
+ ],
+ "detail_processTrueType": 7,
+ "detail_processUser": "SYSTEM",
+ "detail_processUserDomain": "NT AUTHORITY",
+ "detail_productCode": "xes",
+ "detail_pver": "1.2.0.4110",
+ "detail_sessionId": 0,
+ "detail_timezone": "UTC+05:30",
+ "detail_userDomain": [
+ "DESKTOP-007"
+ ],
+ 
"detail_uuid": "85317a2e-491f-42ac-b0cf-9b2e1e9dbf27",
+ "Type": "TrendMicro_XDR_OAT_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "1a0e2567-2e58-4989-ad18-206108185325",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated": "7/10/2023, 11:40:37 AM",
+ "Computer": "",
+ "RawData": "",
+ "detail_compressedFileName": "",
+ "detail_malFamily": "",
+ "detail_correlationData": "",
+ "detail_eventDataProviderName": "",
+ "detail_eventDataProviderPath": "",
+ "detail_providerGUID": "",
+ "detail_providerName": "",
+ "detail_rawDataSize": "",
+ "detail_rawDataStr": "",
+ "detail_rt": "",
+ "detail_winEventId": "",
+ "detail_confidence": "",
+ "detail_detectionName": "",
+ "detail_detectionType": "",
+ "detail_fileCreation": "",
+ "detail_fileSize": "",
+ "detail_threatType": "",
+ "detail_act": "",
+ "detail_aggregatedCount": "",
+ "detail_behaviorCat": "",
+ "detail_bmGroup": "",
+ "detail_engineOperation": "",
+ "detail_instanceId": "",
+ "detail_policyId": "",
+ "detail_riskLevel": "",
+ "detail_ruleId": "",
+ "detail_actResult": "",
+ "detail_channel": "",
+ "detail_deviceGUID": "",
+ "detail_domainName": "",
+ "detail_dvchost": "",
+ "detail_endpointGUID": "",
+ "detail_engType": "",
+ "detail_engVer": "",
+ "detail_eventName": "",
+ "detail_eventSubName": "",
+ "detail_fileHash": "",
+ "detail_fileName": "",
+ "detail_filePath": "",
+ "detail_firstAct": "",
+ "detail_firstActResult": "",
+ "detail_fullPath": "",
+ "detail_interestedIp": "",
+ "detail_logKey": "",
+ "detail_mDevice": "",
+ "detail_mDeviceGUID": "",
+ "detail_malDst": "",
+ "detail_malName": "",
+ "detail_malSubType": "",
+ "detail_malType": "",
+ "detail_mpname": "",
+ "detail_mpver": "",
+ "detail_pComp": "",
+ "detail_patVer": "",
+ "detail_rtDate": "",
+ "detail_rtHour": "",
+ "detail_rtWeekDay": "",
+ "detail_rt_utc": "",
+ "detail_ruleName": "",
+ "detail_scanType": "",
+ "detail_secondAct": "",
+ "detail_secondActResult": "",
+ "detail_senderGUID": "",
+ 
"detail_senderIp": "",
+ "detail_severity": "",
+ "detail_deviceType": "",
+ "detail_nativeDeviceCharacteristics": "",
+ "detail_nativeDeviceType": "",
+ "detail_nativeStorageDeviceBusType": "",
+ "detail_objectSubTrueType": "",
+ "detail_objectFirstSeen": 1688987928253,
+ "detail_objectLastSeen": 1688987928253,
+ "detail_objectRegType": 2,
+ "detail_objectRegistryData": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{BB504FFE-54D3-410B-AB9A-7E5DA82763CA}\\MpKslDrv.sys",
+ "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl5369ff9d",
+ "detail_objectRegistryRoot": 3,
+ "detail_objectRegistryValue": "imagepath",
+ "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY",
+ "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754",
+ "detectionTime": "7/10/2023, 11:18:48 AM",
+ "endpoint_name": "DESKTOP-007",
+ "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b",
+ "endpoint_ips": [
+ "fefe::efef",
+ "10.1.2.0"
+ ],
+ "filters": [
+ {
+ "description": "Detect creation or modification of service imagepath registry",
+ "highlightedObjects": [
+ {
+ "field": "objectRegistryData",
+ "master": true,
+ "type": "registry_value_data",
+ "value": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{BB504FFE-54D3-410B-AB9A-7E5DA82763CA}\\MpKslDrv.sys"
+ },
+ {
+ "field": "objectRegistryValue",
+ "riskLevel": "low",
+ "type": "registry_value",
+ "value": "imagepath"
+ },
+ {
+ "field": "objectRegistryKeyHandle",
+ "riskLevel": "low",
+ "type": "registry_key",
+ "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl5369ff9d"
+ }
+ ],
+ "id": "F1010",
+ "level": "low",
+ "name": "Creation or Modification of Service ImagePath Registry",
+ "tactics": [
+ "TA0003",
+ "TA0004",
+ "TA0005"
+ ],
+ "techniques": [
+ "T1112",
+ "T1543.003",
+ "T1574.011"
+ ],
+ "type": "preset",
+ "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c"
+ }
+ ],
+ "entityType": "endpoint",
+ "entityName": 
"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 4300000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987928253, + "detail_eventTimeDT": "7/10/2023, 11:18:48 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:18:48 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:18:48 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -5710000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + 
"detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 6000000000000000000, + "detail_processLaunchTime": 1688966689341, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1380, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + 
"detail_uuid": "766c5ae6-f9f5-4809-943f-aee55e6720c7", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:40:37 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + 
"detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688987943149, + "detail_objectLastSeen": 1688987943149, + "detail_objectRegType": 2, + "detail_objectRegistryData": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{3B713FD4-674D-4CFF-A5F2-C553AF804E4A}\\MpKslDrv.sys", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl17f86b97", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:19:03 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{3B713FD4-674D-4CFF-A5F2-C553AF804E4A}\\MpKslDrv.sys" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKsl17f86b97" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": 
"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 2910000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987943149, + "detail_eventTimeDT": "7/10/2023, 11:19:03 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:19:03 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:19:03 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 8690000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + 
"detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 6000000000000000000, + "detail_processLaunchTime": 1688966689341, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1380, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + 
"detail_uuid": "8d01936f-d2ff-484e-b3e7-3d9bfebcd781", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:40:37 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + 
"detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688987946208, + "detail_objectLastSeen": 1688987946208, + "detail_objectRegType": 2, + "detail_objectRegistryData": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKslb40da2fb", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:19:06 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\\??\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{05847FDD-290D-4477-8F4F-32857B1105F1}\\MpKslDrv.sys" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\MpKslb40da2fb" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": 
"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -1300000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987946208, + "detail_eventTimeDT": "7/10/2023, 11:19:06 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:19:06 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:19:06 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -4920000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + 
"detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 6000000000000000000, + "detail_processLaunchTime": 1688966689341, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1380, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + 
"detail_uuid": "fe5ce08d-5e57-428e-bb04-66d94880b1eb", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:30:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + 
"detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688987668223, + "detail_objectLastSeen": 1688987668223, + "detail_objectRegType": 4, + "detail_objectRegistryData": 2, + "detail_objectRegistryKeyHandle": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunNotification", + "detail_objectRegistryRoot": 2, + "detail_objectRegistryValue": "startuptnotiofficescannt monitor", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:14:28 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "An autostart registry key was created in the system.", + "highlightedObjects": [ + { + "field": "logonUser", + "riskLevel": "low", + "type": "user_account", + "value": [ + "Crest" + ] + }, + { + "field": "endpointHostName", + "type": "text", + "value": "DESKTOP-007" + }, + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "2" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "startuptnotiofficescannt monitor" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunNotification" + } + ], + "id": "F1002", + "level": "low", + "name": "Auto-start Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1547.001" + ], + "type": "preset", + "unique_id": "60305696-c02a-418e-b590-019e0c1fe464" + } + ], + "entityType": "endpoint", + "entityName": 
"DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\sihost.exe", + "detail_processCmd": "sihost.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1547.001", + "XSAE.F1002", + "ATTACK.G0010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 313096, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 4770000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987668223, + "detail_eventTimeDT": "7/10/2023, 11:14:28 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:14:28 AM", + "detail_integrityLevel": 8192, + "detail_lastSeen": "7/10/2023, 11:14:28 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 5630000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + 
"detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": 999, + "detail_parentCmd": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager", + "detail_parentFileCreation": 1651900770237, + "detail_parentFileHashId": -822000000000000000, + "detail_parentFileHashMd5": "8ec922c7-a58a-8701-ab48-1b7be9644536", + "detail_parentFileHashSha1": "3f64c98f22da277a07cab248c44c56eedb796a81", + "detail_parentFileHashSha256": "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b", + "detail_parentFileModifiedTime": 1651900770237, + "detail_parentFilePath": "C:\\Windows\\System32\\svchost.exe", + "detail_parentFileSize": 79920, + "detail_parentHashId": 8750000000000000000, + "detail_parentIntegrityLevel": 16384, + "detail_parentLaunchTime": 1688966689796, + "detail_parentName": "C:\\Windows\\System32\\svchost.exe", + "detail_parentPid": 2284, + "detail_parentSessionId": 0, + "detail_parentSigner": [ + "Microsoft Windows Publisher" + ], + "detail_parentSignerValid": [ + true + ], + "detail_parentTrueType": 7, + "detail_parentUser": "SYSTEM", + "detail_parentUserDomain": "NT AUTHORITY", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1651900760391, + "detail_processFileHashId": 4800000000000000000, + "detail_processFileHashMd5": "e5a23407-157b-23f3-c244-1d412163e4ee", + "detail_processFileHashSha1": "e8d9750e757e5b580c56521a81ed0cc41d327d82", + "detail_processFileHashSha256": "51eb6455bdca85d3102a00b1ce89969016efc3ed8b08b24a2aa10e03ba1e2b13", + "detail_processFileModifiedTime": 1651900760391, + "detail_processFileSize": 147456, + "detail_processHashId": 4950000000000000000, + "detail_processLaunchTime": 1688966692731, + "detail_processName": "C:\\Windows\\System32\\sihost.exe", + "detail_processPid": 8396, + 
"detail_processSigner": [ + "Microsoft Windows" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "Crest", + "detail_processUserDomain": "DESKTOP-007", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 1, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "96a908c7-2aa4-44c9-9e48-ed1d671a6a6c", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:30:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + 
"detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688987832381, + "detail_objectLastSeen": 1688987832381, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\temp\\iAC\\program\\TMiACAgentSetup.exe --mode uninstall", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACUninstallSvc", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:17:12 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\temp\\iAC\\program\\TMiACAgentSetup.exe --mode uninstall" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACUninstallSvc" + } + ], + "id": "F1010", + 
"level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + }, + { + "description": "Trend Micro Endpoint Protection Product was possibly uninstalled by an adversary mimicking the legitimate way of uninstallation.", + "highlightedObjects": [ + { + "field": "objectRegistryKeyHandle", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TMiACUninstallSvc" + }, + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\temp\\iAC\\program\\TMiACAgentSetup.exe --mode uninstall" + } + ], + "id": "F5532", + "level": "low", + "name": "Possible Security Product Uninstallation", + "tactics": [ + "TA0005" + ], + "techniques": [ + "T1562.001" + ], + "type": "preset", + "unique_id": "2f6ae4fc-39c7-42a2-9b39-cdd54a7bb894" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1562.001", + "MITRE.T1574.011", + "XSAE.F1010", + "XSAE.F5532" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + 
"detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 5660000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987832381, + "detail_eventTimeDT": "7/10/2023, 11:17:12 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:17:12 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:17:12 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 2440000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + 
"detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 6000000000000000000, + "detail_processLaunchTime": 1688966689341, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1380, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "62567424-480c-4748-a71a-b52d66fe0007", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:30:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + 
"detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688987855687, + "detail_objectLastSeen": 1688987855687, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\PccNTUpd.exe\" -service", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PccNTUpd", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:17:35 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": 
"9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\PccNTUpd.exe\" -service" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PccNTUpd" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + 
"a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -2500000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688987855687, + "detail_eventTimeDT": "7/10/2023, 11:17:35 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:17:36 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:17:36 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 8020000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + 
"detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": 6000000000000000000, + "detail_processLaunchTime": 1688966689341, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1380, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "e0343fe9-bed6-47df-9f50-e6509437cf4a", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:50:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + 
"detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688988444848, + "detail_objectLastSeen": 1688988444848, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\TmWSCSvc.exe", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmWSCSvc", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:27:24 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": 
"Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\TmWSCSvc.exe\"" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmWSCSvc" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 
6790000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688988444848, + "detail_eventTimeDT": "7/10/2023, 11:27:24 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:27:25 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:27:25 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -5530000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + 
"detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": -4260000000000000000, + "detail_processLaunchTime": 1688987978405, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1052, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "0f6da4d6-fc33-4b47-968c-0ce92152ef0a", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:50:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + 
"detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688988444868, + "detail_objectLastSeen": 1688988444868, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:27:24 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + 
"master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\CCSF\\TmCCSF.exe\"" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TmCCSF" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": -181000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688988444868, + "detail_eventTimeDT": "7/10/2023, 
11:27:24 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:27:25 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:27:25 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": -6870000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + 
"detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": -4260000000000000000, + "detail_processLaunchTime": 1688987978405, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1052, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "cb1b1cf1-5987-4fc8-b604-e41a9b16b993", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:50:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", 
+ "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", + "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688988505475, + "detail_objectLastSeen": 1688988505475, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmlisten.exe", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tmlisten", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:28:25 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmlisten.exe\"" + }, + { + "field": 
"objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + "riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tmlisten" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 848000000000000000, + "detail_eventId": "TELEMETRY_REGISTRY", + "detail_eventTime": 1688988505475, + "detail_eventTimeDT": "7/10/2023, 11:28:25 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:28:25 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": 
"7/10/2023, 11:28:25 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + "detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 3300000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + 
"detail_processFileSize": 757576, + "detail_processHashId": -4260000000000000000, + "detail_processLaunchTime": 1688987978405, + "detail_processName": "C:\\Windows\\System32\\services.exe", + "detail_processPid": 1052, + "detail_processSigner": [ + "Microsoft Windows Publisher" + ], + "detail_processSignerValid": [ + true + ], + "detail_processTrueType": 7, + "detail_processUser": "SYSTEM", + "detail_processUserDomain": "NT AUTHORITY", + "detail_productCode": "xes", + "detail_pver": "1.2.0.4110", + "detail_sessionId": 0, + "detail_timezone": "UTC+05:30", + "detail_userDomain": [ + "DESKTOP-007" + ], + "detail_uuid": "c40c072c-f32c-458e-b93a-95148f605bc3", + "Type": "TrendMicro_XDR_OAT_CL", + "_ResourceId": "" + }, + { + "TenantId": "1a0e2567-2e58-4989-ad18-206108185325", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated": "7/10/2023, 11:50:24 AM", + "Computer": "", + "RawData": "", + "detail_compressedFileName": "", + "detail_malFamily": "", + "detail_correlationData": "", + "detail_eventDataProviderName": "", + "detail_eventDataProviderPath": "", + "detail_providerGUID": "", + "detail_providerName": "", + "detail_rawDataSize": "", + "detail_rawDataStr": "", + "detail_rt": "", + "detail_winEventId": "", + "detail_confidence": "", + "detail_detectionName": "", + "detail_detectionType": "", + "detail_fileCreation": "", + "detail_fileSize": "", + "detail_threatType": "", + "detail_act": "", + "detail_aggregatedCount": "", + "detail_behaviorCat": "", + "detail_bmGroup": "", + "detail_engineOperation": "", + "detail_instanceId": "", + "detail_policyId": "", + "detail_riskLevel": "", + "detail_ruleId": "", + "detail_actResult": "", + "detail_channel": "", + "detail_deviceGUID": "", + "detail_domainName": "", + "detail_dvchost": "", + "detail_endpointGUID": "", + "detail_engType": "", + "detail_engVer": "", + "detail_eventName": "", + "detail_eventSubName": "", + "detail_fileHash": "", + "detail_fileName": "", + "detail_filePath": "", 
+ "detail_firstAct": "", + "detail_firstActResult": "", + "detail_fullPath": "", + "detail_interestedIp": "", + "detail_logKey": "", + "detail_mDevice": "", + "detail_mDeviceGUID": "", + "detail_malDst": "", + "detail_malName": "", + "detail_malSubType": "", + "detail_malType": "", + "detail_mpname": "", + "detail_mpver": "", + "detail_pComp": "", + "detail_patVer": "", + "detail_rtDate": "", + "detail_rtHour": "", + "detail_rtWeekDay": "", + "detail_rt_utc": "", + "detail_ruleName": "", + "detail_scanType": "", + "detail_secondAct": "", + "detail_secondActResult": "", + "detail_senderGUID": "", + "detail_senderIp": "", + "detail_severity": "", + "detail_deviceType": "", + "detail_nativeDeviceCharacteristics": "", + "detail_nativeDeviceType": "", + "detail_nativeStorageDeviceBusType": "", + "detail_objectSubTrueType": "", + "detail_objectFirstSeen": 1688988505475, + "detail_objectLastSeen": 1688988505475, + "detail_objectRegType": 2, + "detail_objectRegistryData": "C:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmlisten.exe", + "detail_objectRegistryKeyHandle": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tmlisten", + "detail_objectRegistryRoot": 3, + "detail_objectRegistryValue": "imagepath", + "detail_eventSourceType": "EVENT_SOURCE_TELEMETRY", + "xdrCustomerId": "37fe6e71-9495-4dd3-8915-9625e5a38754", + "detectionTime": "7/10/2023, 11:28:25 AM", + "endpoint_name": "DESKTOP-007", + "endpoint_guid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "endpoint_ips": [ + "fefe::efef", + "10.1.2.0" + ], + "filters": [ + { + "description": "Detect creation or modification of service imagepath registry", + "highlightedObjects": [ + { + "field": "objectRegistryData", + "master": true, + "type": "registry_value_data", + "value": "\"C:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmlisten.exe\"" + }, + { + "field": "objectRegistryValue", + "riskLevel": "low", + "type": "registry_value", + "value": "imagepath" + }, + { + "field": "objectRegistryKeyHandle", + 
"riskLevel": "low", + "type": "registry_key", + "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tmlisten" + } + ], + "id": "F1010", + "level": "low", + "name": "Creation or Modification of Service ImagePath Registry", + "tactics": [ + "TA0003", + "TA0004", + "TA0005" + ], + "techniques": [ + "T1112", + "T1543.003", + "T1574.011" + ], + "type": "preset", + "unique_id": "c14fbd5f-9786-4382-929c-1666f8357f4c" + } + ], + "entityType": "endpoint", + "entityName": "DESKTOP-007(fe80::f19e:6c09:cbf5:c693,169.254.34.60,fe80::2a5f:7cee:b55d:5e2d,169.254.63.154,fe80::8635:c554:9240:c8a3,169.254.240.122,fe80::d8fd:1384:9fa3:113a,169.254.162.163,fe80::ae56:7be8:236b:799d,172.20.240.146,fe80::480b:3324:a450:4f96,169.254.104.250,fe80::c440:ac94:d7ac:a5a9,169.254.32.40)", + "detail_endpointHostName": "DESKTOP-007", + "detail_endpointIp": [ + "fefe::efef", + "10.1.2.0" + ], + "detail_logonUser": [ + "Crest" + ], + "detail_processFilePath": "C:\\Windows\\System32\\services.exe", + "detail_processCmd": "C:\\Windows\\system32\\services.exe", + "detail_eventSubId": "TELEMETRY_REGISTRY_SET", + "detail_objectFilePath": "", + "detail_objectCmd": "", + "detail_tags": [ + "MITRE.T1112", + "MITRE.T1543.003", + "MITRE.T1574.011", + "XSAE.F1010" + ], + "detail_endpointGuid": "9a06dee6-06ef-44b3-9b6b-cb734c048f8b", + "detail_authId": 999, + "detail_endpointMacAddress": [ + "00:2b:67:c0:3f:10", + "00:09:0f:aa:00:01", + "a8:7e:ea:bd:83:15", + "aa:7e:ea:bd:83:14", + "a8:7e:ea:bd:83:14", + "00:09:0f:fe:00:01", + "a8:7e:ea:bd:83:18" + ], + "detail_eventHashId": 848000000000000000, + "detail_eventId": 100100, + "detail_eventTime": 1688988505475, + "detail_eventTimeDT": "7/10/2023, 11:28:25 AM", + "detail_filterRiskLevel": "low", + "detail_firstSeen": "7/10/2023, 11:28:25 AM", + "detail_integrityLevel": 16384, + "detail_lastSeen": "7/10/2023, 11:28:25 AM", + "detail_objectAuthId": "", + "detail_objectFileCreation": "", + "detail_objectFileHashId": "", + "detail_objectFileHashMd5": "", + 
"detail_objectFileHashSha1": "", + "detail_objectFileHashSha256": "", + "detail_objectFileModifiedTime": "", + "detail_objectFileSize": "", + "detail_objectHashId": 3300000000000000000, + "detail_objectIntegrityLevel": "", + "detail_objectLaunchTime": "", + "detail_objectName": "", + "detail_objectPid": "", + "detail_objectRunAsLocalAccount": "", + "detail_objectSessionId": "", + "detail_objectSigner": "", + "detail_objectSignerValid": "", + "detail_objectTrueType": "", + "detail_objectUser": "", + "detail_objectUserDomain": "", + "detail_osDescription": "Windows 10 Pro (64 bit) build 22621", + "detail_osName": "Windows", + "detail_osType": "0x00000030", + "detail_osVer": "10.0.22621", + "detail_parentAuthId": "", + "detail_parentCmd": "", + "detail_parentFileCreation": "", + "detail_parentFileHashId": "", + "detail_parentFileHashMd5": "", + "detail_parentFileHashSha1": "", + "detail_parentFileHashSha256": "", + "detail_parentFileModifiedTime": "", + "detail_parentFilePath": "", + "detail_parentFileSize": "", + "detail_parentHashId": "", + "detail_parentIntegrityLevel": "", + "detail_parentLaunchTime": "", + "detail_parentName": "", + "detail_parentPid": "", + "detail_parentSessionId": "", + "detail_parentSigner": "", + "detail_parentSignerValid": "", + "detail_parentTrueType": "", + "detail_parentUser": "", + "detail_parentUserDomain": "", + "detail_plang": 1, + "detail_pname": 751, + "detail_pplat": 5889, + "detail_processFileCreation": 1688560359581, + "detail_processFileHashId": -4090000000000000000, + "detail_processFileHashMd5": "68483e45-9f55-5389-ad8b-a6424bbaf42f", + "detail_processFileHashSha1": "16d12a866c716390af9ca4d87bd7674d6e478f42", + "detail_processFileHashSha256": "4a12143226b7090d6e9bb8d040618a2c7a9ef5282f7cc10fa374adc9ab19cbeb", + "detail_processFileModifiedTime": 1688560359596, + "detail_processFileSize": 757576, + "detail_processHashId": -4260000000000000000, + "detail_processLaunchTime": 1688987978405, + "detail_processName": 
"C:\\Windows\\System32\\services.exe",
+ "detail_processPid": 1052,
+ "detail_processSigner": [
+ "Microsoft Windows Publisher"
+ ],
+ "detail_processSignerValid": [
+ true
+ ],
+ "detail_processTrueType": 7,
+ "detail_processUser": "SYSTEM",
+ "detail_processUserDomain": "NT AUTHORITY",
+ "detail_productCode": "xes",
+ "detail_pver": "1.2.0.4110",
+ "detail_sessionId": 0,
+ "detail_timezone": "UTC+05:30",
+ "detail_userDomain": [
+ "DESKTOP-007"
+ ],
+ "detail_uuid": "c40c072c-f32c-458e-b93a-95148f605bc3",
+ "Type": "TrendMicro_XDR_OAT_CL",
+ "_ResourceId": ""
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/ASIM/TrendMicro_XDR_OAT_CL_Schema.csv b/Sample Data/ASIM/TrendMicro_XDR_OAT_CL_Schema.csv
new file mode 100644
index 00000000000..c7028e72597
--- /dev/null
+++ b/Sample Data/ASIM/TrendMicro_XDR_OAT_CL_Schema.csv
@@ -0,0 +1,488 @@
+ColumnName,ColumnOrdinal,DataType,ColumnType +TenantId,0,"System.String",string +SourceSystem,1,"System.String",string +MG,2,"System.String",string +ManagementGroupName,3,"System.String",string +TimeGenerated,4,"System.DateTime",datetime +Computer,5,"System.String",string +RawData,6,"System.String",string +"detailuid_s_s",7,"System.String",string +"detail_fileCreation_t_UTC_s",8,"System.String",string +"detaileviceGUID_s",9,"System.String",string +"detail_rt_t_UTC_s",10,"System.String",string +"detail_rt_utc_t_UTC_s",11,"System.String",string +"detailenderGUID_s",12,"System.String",string +"detectionTime_t_UTC_s",13,"System.String",string +"detail_eventTimeDT_t_UTC_s",14,"System.String",string +"detail_firstSeen_t_UTC_s",15,"System.String",string +"detail_lastSeen_t_UTC_s",16,"System.String",string +"detailessionId_s",17,"System.String",string +"detail_score_s",18,"System.String",string +"detail_providerGUID_s",19,"System.String",string +"detail_instanceId_s",20,"System.String",string +"detail_deviceGUID_s",21,"System.String",string +"detail_endpointGUID_s",22,"System.String",string +"detail_mDeviceGUID_s",23,"System.String",string +"detail_senderGUID_s",24,"System.String",string +"detail_severity_s",25,"System.String",string +"detail_objectFileHashMd5_s",26,"System.String",string +"detail_objectRunAsLocalAccount_s",27,"System.String",string +"detail_parentFileHashMd5_s",28,"System.String",string +"detail_fileCreation_UTC__s",29,"System.String",string +"detail_rt_UTC__s",30,"System.String",string +"detail_rt_utc_UTC__s",31,"System.String",string +"detectionTime_UTC__s",32,"System.String",string +"detail_eventTimeDT_UTC__s",33,"System.String",string +"detail_firstSeen_UTC__s",34,"System.String",string +"detail_lastSeen_UTC__s",35,"System.String",string +"TimeGenerated_UTC_s",36,"System.String",string +"detail_cccaRiskLevel_s",37,"System.String",string +"detailirection_s",38,"System.String",string +"detailcore_s",39,"System.String",string 
+"detailuid_s",40,"System.String",string +"detail_rawDataSize_s",41,"System.String",string +"detail_rt_s",42,"System.String",string +"detail_winEventId_s",43,"System.String",string +"detail_confidence_s",44,"System.String",string +"detailetectionName_s",45,"System.String",string +"detailetectionType_s",46,"System.String",string +"detail_fileCreation_t_UTC__s",47,"System.String",string +"detail_fileSize_s",48,"System.String",string +"detail_aggregatedCount_s",49,"System.String",string +"detail_ruleId_s",50,"System.String",string +"detaileviceGUID_g_s",51,"System.String",string +"detailomainName_s",52,"System.String",string +"detailvchost_s",53,"System.String",string +"detail_rt_t_UTC__s",54,"System.String",string +"detail_rtHour_s",55,"System.String",string +"detail_rt_utc_t_UTC__s",56,"System.String",string +"detailcanType_s",57,"System.String",string +"detailecondAct_s",58,"System.String",string +"detailecondActResult_s",59,"System.String",string +"detailenderGUID_g_s",60,"System.String",string +"detailenderIp_s",61,"System.String",string +"detaileverity_s",62,"System.String",string +"detaileviceType_s",63,"System.String",string +"detail_nativeDeviceCharacteristics_s",64,"System.String",string +"detail_nativeDeviceType_s",65,"System.String",string +"detail_nativeStorageDeviceBusType_s",66,"System.String",string +"detail_objectSubTrueType_s",67,"System.String",string +"xdrCustomerId_g_g_g",68,"System.String",string +"detectionTime_t_UTC__s",69,"System.String",string +"endpoint_guid_g_g_g",70,"System.String",string +"detail_endpointGuid_g_g_g",71,"System.String",string +"detail_eventHashId_s",72,"System.String",string +"detail_eventTimeDT_t_UTC__s",73,"System.String",string +"detail_firstSeen_t_UTC__s",74,"System.String",string +"detail_lastSeen_t_UTC__s",75,"System.String",string +"detail_objectAuthId_s",76,"System.String",string +"detail_objectFileCreation_s",77,"System.String",string +"detail_objectFileHashId_s",78,"System.String",string 
+"detail_objectFileModifiedTime_s",79,"System.String",string +"detail_objectFileSize_s",80,"System.String",string +"detail_objectHashId_s",81,"System.String",string +"detail_objectIntegrityLevel_s",82,"System.String",string +"detail_objectLaunchTime_s",83,"System.String",string +"detail_objectPid_s",84,"System.String",string +"detail_objectSessionId_s",85,"System.String",string +"detail_objectTrueType_s",86,"System.String",string +"detail_osType_d",87,"System.Double",real +"detail_parentAuthId_s",88,"System.String",string +"detail_parentFileCreation_s",89,"System.String",string +"detail_parentFileHashId_s",90,"System.String",string +"detail_parentFileModifiedTime_s",91,"System.String",string +"detail_parentFileSize_s",92,"System.String",string +"detail_parentHashId_s",93,"System.String",string +"detail_parentIntegrityLevel_s",94,"System.String",string +"detail_parentLaunchTime_s",95,"System.String",string +"detail_parentPid_s",96,"System.String",string +"detail_parentSessionId_s",97,"System.String",string +"detail_parentTrueType_s",98,"System.String",string +"detail_pname_d",99,"System.Double",real +"detail_processFileHashId_s",100,"System.String",string +"detail_processFileHashMd5_g_g_g",101,"System.String",string +"detail_processHashId_s",102,"System.String",string +"detailessionId_d",103,"System.Double",real +"detail_uuid_g_g_g",104,"System.String",string +"MG_s",105,"System.String",string +"TimeGenerated_UTC__s",106,"System.String",string +"detail_app_s_s",107,"System.String",string +"detail_blocking_s_s",108,"System.String",string +"detail_cccaDetectionSource_s_s",109,"System.String",string +"detail_cccaRiskLevel_d_s",110,"System.String",string +"detail_direction_s_s",111,"System.String",string +"detail_interestedHost_s_s",112,"System.String",string +"detail_policyName_s_s",113,"System.String",string +"detail_rating_s_s",114,"System.String",string +"detail_request_s_s",115,"System.String",string +"detail_score_d_s",116,"System.String",string 
+"detail_urlCat_s_s",117,"System.String",string +"detail_patType_s_s",118,"System.String",string +"detail_suid_s_s",119,"System.String",string +"detail_compressedFileName_s_s",120,"System.String",string +"detail_malFamily_s_s",121,"System.String",string +"detail_correlationData_s_s",122,"System.String",string +"detail_eventDataProviderName_s_s",123,"System.String",string +"detail_eventDataProviderPath_s_s",124,"System.String",string +"detail_providerGUID_g_s",125,"System.String",string +"detail_providerName_s_s",126,"System.String",string +"detail_rawDataSize_d_s",127,"System.String",string +"detail_rawDataStr_s_s",128,"System.String",string +"detail_rt_d_s",129,"System.String",string +"detail_winEventId_d_s",130,"System.String",string +"detail_confidence_d_s",131,"System.String",string +"detail_detectionName_s_s",132,"System.String",string +"detail_detectionType_s_s",133,"System.String",string +"detail_fileSize_d_s",134,"System.String",string +"detail_threatType_s_s",135,"System.String",string +"detail_act_s_s",136,"System.String",string +"detail_aggregatedCount_d_s",137,"System.String",string +"detail_behaviorCat_s_s",138,"System.String",string +"detail_bmGroup_s_s",139,"System.String",string +"detail_engineOperation_s_s",140,"System.String",string +"detail_instanceId_g_s",141,"System.String",string +"detail_policyId_s_s",142,"System.String",string +"detail_riskLevel_s_s",143,"System.String",string +"detail_ruleId_d_s",144,"System.String",string +"detail_actResult_s_s",145,"System.String",string +"detail_channel_s_s",146,"System.String",string +"detail_deviceGUID_g_s",147,"System.String",string +"detail_domainName_s_s",148,"System.String",string +"detail_dvchost_s_s",149,"System.String",string +"detail_endpointGUID_g_s",150,"System.String",string +"detail_engType_s_s",151,"System.String",string +"detail_engVer_s_s",152,"System.String",string +"detail_eventId_d_s",153,"System.String",string +"detail_eventName_s_s",154,"System.String",string 
+"detail_eventSubName_s_s",155,"System.String",string +"detail_fileHash_s_s",156,"System.String",string +"detail_fileName_s_s",157,"System.String",string +"detail_filePath_s_s",158,"System.String",string +"detail_firstAct_s_s",159,"System.String",string +"detail_firstActResult_s_s",160,"System.String",string +"detail_fullPath_s_s",161,"System.String",string +"detail_interestedIp_s_s",162,"System.String",string +"detail_logKey_s_s",163,"System.String",string +"detail_mDevice_s_s",164,"System.String",string +"detail_mDeviceGUID_g_s",165,"System.String",string +"detail_malDst_s_s",166,"System.String",string +"detail_malName_s_s",167,"System.String",string +"detail_malSubType_s_s",168,"System.String",string +"detail_malType_s_s",169,"System.String",string +"detail_mpname_s_s",170,"System.String",string +"detail_mpver_s_s",171,"System.String",string +"detail_pComp_s_s",172,"System.String",string +"detail_patVer_s_s",173,"System.String",string +"detail_rtDate_s_s",174,"System.String",string +"detail_rtHour_d_s",175,"System.String",string +"detail_rtWeekDay_s_s",176,"System.String",string +"detail_ruleName_s_s",177,"System.String",string +"detail_scanType_s_s",178,"System.String",string +"detail_secondAct_s_s",179,"System.String",string +"detail_secondActResult_s_s",180,"System.String",string +"detail_senderGUID_g_s",181,"System.String",string +"detail_senderIp_s_s",182,"System.String",string +"detail_severity_d_s",183,"System.String",string +"detail_deviceType_s_s",184,"System.String",string +"detail_nativeDeviceCharacteristics_d_s",185,"System.String",string +"detail_nativeDeviceType_d_s",186,"System.String",string +"detail_nativeStorageDeviceBusType_d_s",187,"System.String",string +"detail_objectSubTrueType_d_s",188,"System.String",string +"detail_objectFirstSeen_d_d",189,"System.Double",real +"detail_objectLastSeen_d_d",190,"System.Double",real +"detail_objectRegType_d_d",191,"System.Double",real +"detail_objectRegistryData_s_s",192,"System.String",string 
+"detail_objectRegistryKeyHandle_s_s",193,"System.String",string +"detail_objectRegistryRoot_d_d",194,"System.Double",real +"detail_objectRegistryValue_s_s",195,"System.String",string +"detail_eventSourceType_s_s",196,"System.String",string +"xdrCustomerId_g_g",197,"System.String",string +"endpoint_name_s_s",198,"System.String",string +"endpoint_guid_g_g",199,"System.String",string +"endpoint_ips_s_s",200,"System.String",string +"filters_s_s",201,"System.String",string +"entityType_s_s",202,"System.String",string +"entityName_s_s",203,"System.String",string +"detail_endpointHostName_s_s",204,"System.String",string +"detail_endpointIp_s_s",205,"System.String",string +"detail_logonUser_s_s",206,"System.String",string +"detail_processFilePath_s_s",207,"System.String",string +"detail_processCmd_s_s",208,"System.String",string +"detail_eventSubId_s_s",209,"System.String",string +"detail_objectFilePath_s_s",210,"System.String",string +"detail_objectCmd_s_s",211,"System.String",string +"detail_tags_s_s",212,"System.String",string +"detail_endpointGuid_g_g",213,"System.String",string +"detail_authId_d_d",214,"System.Double",real +"detail_endpointMacAddress_s_s",215,"System.String",string +"detail_eventHashId_d_s",216,"System.String",string +"detail_eventId_s_s",217,"System.String",string +"detail_eventTime_d_d",218,"System.Double",real +"detail_filterRiskLevel_s_s",219,"System.String",string +"detail_integrityLevel_d_d",220,"System.Double",real +"detail_objectAuthId_d_s",221,"System.String",string +"detail_objectFileCreation_d_s",222,"System.String",string +"detail_objectFileHashId_d_s",223,"System.String",string +"detail_objectFileHashMd5_g_s",224,"System.String",string +"detail_objectFileHashSha1_s_s",225,"System.String",string +"detail_objectFileHashSha256_s_s",226,"System.String",string +"detail_objectFileModifiedTime_d_s",227,"System.String",string +"detail_objectFileSize_d_s",228,"System.String",string +"detail_objectHashId_d_s",229,"System.String",string 
+"detail_objectIntegrityLevel_d_s",230,"System.String",string +"detail_objectLaunchTime_d_s",231,"System.String",string +"detail_objectName_s_s",232,"System.String",string +"detail_objectPid_d_s",233,"System.String",string +"detail_objectRunAsLocalAccount_b_s",234,"System.String",string +"detail_objectSessionId_d_s",235,"System.String",string +"detail_objectSigner_s_s",236,"System.String",string +"detail_objectSignerValid_s_s",237,"System.String",string +"detail_objectTrueType_d_s",238,"System.String",string +"detail_objectUser_s_s",239,"System.String",string +"detail_objectUserDomain_s_s",240,"System.String",string +"detail_osDescription_s_s",241,"System.String",string +"detail_osName_s_s",242,"System.String",string +"detail_osType_s_d",243,"System.Double",real +"detail_osVer_s_s",244,"System.String",string +"detail_parentAuthId_d_s",245,"System.String",string +"detail_parentCmd_s_s",246,"System.String",string +"detail_parentFileCreation_d_s",247,"System.String",string +"detail_parentFileHashId_d_s",248,"System.String",string +"detail_parentFileHashMd5_g_s",249,"System.String",string +"detail_parentFileHashSha1_s_s",250,"System.String",string +"detail_parentFileHashSha256_s_s",251,"System.String",string +"detail_parentFileModifiedTime_d_s",252,"System.String",string +"detail_parentFilePath_s_s",253,"System.String",string +"detail_parentFileSize_d_s",254,"System.String",string +"detail_parentHashId_d_s",255,"System.String",string +"detail_parentIntegrityLevel_d_s",256,"System.String",string +"detail_parentLaunchTime_d_s",257,"System.String",string +"detail_parentName_s_s",258,"System.String",string +"detail_parentPid_d_s",259,"System.String",string +"detail_parentSessionId_d_s",260,"System.String",string +"detail_parentSigner_s_s",261,"System.String",string +"detail_parentSignerValid_s_s",262,"System.String",string +"detail_parentTrueType_d_s",263,"System.String",string +"detail_parentUser_s_s",264,"System.String",string 
+"detail_parentUserDomain_s_s",265,"System.String",string +"detail_plang_d_d",266,"System.Double",real +"detail_pname_s_d",267,"System.Double",real +"detail_pplat_d_d",268,"System.Double",real +"detail_processFileCreation_d_d",269,"System.Double",real +"detail_processFileHashId_d_s",270,"System.String",string +"detail_processFileHashMd5_g_g",271,"System.String",string +"detail_processFileHashSha1_s_s",272,"System.String",string +"detail_processFileHashSha256_s_s",273,"System.String",string +"detail_processFileModifiedTime_d_d",274,"System.Double",real +"detail_processFileSize_d_d",275,"System.Double",real +"detail_processHashId_d_s",276,"System.String",string +"detail_processLaunchTime_d_d",277,"System.Double",real +"detail_processName_s_s",278,"System.String",string +"detail_processPid_d_d",279,"System.Double",real +"detail_processSigner_s_s",280,"System.String",string +"detail_processSignerValid_s_s",281,"System.String",string +"detail_processTrueType_d_d",282,"System.Double",real +"detail_processUser_s_s",283,"System.String",string +"detail_processUserDomain_s_s",284,"System.String",string +"detail_productCode_s_s",285,"System.String",string +"detail_pver_s_s",286,"System.String",string +"detail_sessionId_d_d",287,"System.Double",real +"detail_timezone_s_s",288,"System.String",string +"detail_userDomain_s_s",289,"System.String",string +"detail_uuid_g_g",290,"System.String",string +"Type_s",291,"System.String",string +"_ResourceId_s",292,"System.String",string +"detail_app_s",293,"System.String",string +"detail_blocking_s",294,"System.String",string +"detail_cccaDetectionSource_s",295,"System.String",string +"detail_cccaRiskLevel_d",296,"System.Double",real +"detail_direction_s",297,"System.String",string +"detail_interestedHost_s",298,"System.String",string +"detail_policyName_s",299,"System.String",string +"detail_rating_s",300,"System.String",string +"detail_request_s",301,"System.String",string +"detail_score_d",302,"System.Double",real 
+"detail_urlCat_s",303,"System.String",string +"detail_patType_s",304,"System.String",string +"detail_suid_s",305,"System.String",string +"detail_compressedFileName_s",306,"System.String",string +"detail_malFamily_s",307,"System.String",string +"detail_correlationData_s",308,"System.String",string +"detail_eventDataProviderName_s",309,"System.String",string +"detail_eventDataProviderPath_s",310,"System.String",string +"detail_providerGUID_g",311,"System.String",string +"detail_providerName_s",312,"System.String",string +"detail_rawDataSize_d",313,"System.Double",real +"detail_rawDataStr_s",314,"System.String",string +"detail_rt_d",315,"System.Double",real +"detail_winEventId_d",316,"System.Double",real +"detail_confidence_d",317,"System.Double",real +"detail_detectionName_s",318,"System.String",string +"detail_detectionType_s",319,"System.String",string +"detail_fileCreation_t",320,"System.DateTime",datetime +"detail_fileSize_d",321,"System.Double",real +"detail_threatType_s",322,"System.String",string +"detail_act_s",323,"System.String",string +"detail_aggregatedCount_d",324,"System.Double",real +"detail_behaviorCat_s",325,"System.String",string +"detail_bmGroup_s",326,"System.String",string +"detail_engineOperation_s",327,"System.String",string +"detail_instanceId_g",328,"System.String",string +"detail_policyId_s",329,"System.String",string +"detail_riskLevel_s",330,"System.String",string +"detail_ruleId_d",331,"System.Double",real +"detail_actResult_s",332,"System.String",string +"detail_channel_s",333,"System.String",string +"detail_deviceGUID_g",334,"System.String",string +"detail_domainName_s",335,"System.String",string +"detail_dvchost_s",336,"System.String",string +"detail_endpointGUID_g",337,"System.String",string +"detail_engType_s",338,"System.String",string +"detail_engVer_s",339,"System.String",string +"detail_eventId_d",340,"System.Double",real +"detail_eventName_s",341,"System.String",string +"detail_eventSubName_s",342,"System.String",string 
+"detail_fileHash_s",343,"System.String",string +"detail_fileName_s",344,"System.String",string +"detail_filePath_s",345,"System.String",string +"detail_firstAct_s",346,"System.String",string +"detail_firstActResult_s",347,"System.String",string +"detail_fullPath_s",348,"System.String",string +"detail_interestedIp_s",349,"System.String",string +"detail_logKey_s",350,"System.String",string +"detail_mDevice_s",351,"System.String",string +"detail_mDeviceGUID_g",352,"System.String",string +"detail_malDst_s",353,"System.String",string +"detail_malName_s",354,"System.String",string +"detail_malSubType_s",355,"System.String",string +"detail_malType_s",356,"System.String",string +"detail_mpname_s",357,"System.String",string +"detail_mpver_s",358,"System.String",string +"detail_pComp_s",359,"System.String",string +"detail_patVer_s",360,"System.String",string +"detail_rt_t",361,"System.DateTime",datetime +"detail_rtDate_s",362,"System.String",string +"detail_rtHour_d",363,"System.Double",real +"detail_rtWeekDay_s",364,"System.String",string +"detail_rt_utc_t",365,"System.DateTime",datetime +"detail_ruleName_s",366,"System.String",string +"detail_scanType_s",367,"System.String",string +"detail_secondAct_s",368,"System.String",string +"detail_secondActResult_s",369,"System.String",string +"detail_senderGUID_g",370,"System.String",string +"detail_senderIp_s",371,"System.String",string +"detail_severity_d",372,"System.Double",real +"detail_deviceType_s",373,"System.String",string +"detail_nativeDeviceCharacteristics_d",374,"System.Double",real +"detail_nativeDeviceType_d",375,"System.Double",real +"detail_nativeStorageDeviceBusType_d",376,"System.Double",real +"detail_objectSubTrueType_d",377,"System.Double",real +"detail_objectFirstSeen_d",378,"System.Double",real +"detail_objectLastSeen_d",379,"System.Double",real +"detail_objectRegType_d",380,"System.Double",real +"detail_objectRegistryData_s",381,"System.String",string 
+"detail_objectRegistryKeyHandle_s",382,"System.String",string +"detail_objectRegistryRoot_d",383,"System.Double",real +"detail_objectRegistryValue_s",384,"System.String",string +"detail_eventSourceType_s",385,"System.String",string +"xdrCustomerId_g",386,"System.String",string +"detectionTime_t",387,"System.DateTime",datetime +"endpoint_name_s",388,"System.String",string +"endpoint_guid_g",389,"System.String",string +"endpoint_ips_s",390,"System.String",string +"filters_s",391,"System.String",string +"entityType_s",392,"System.String",string +"entityName_s",393,"System.String",string +"detail_endpointHostName_s",394,"System.String",string +"detail_endpointIp_s",395,"System.String",string +"detail_logonUser_s",396,"System.String",string +"detail_processFilePath_s",397,"System.String",string +"detail_processCmd_s",398,"System.String",string +"detail_eventSubId_s",399,"System.String",string +"detail_objectFilePath_s",400,"System.String",string +"detail_objectCmd_s",401,"System.String",string +"detail_tags_s",402,"System.String",string +"detail_endpointGuid_g",403,"System.String",string +"detail_authId_d",404,"System.Double",real +"detail_endpointMacAddress_s",405,"System.String",string +"detail_eventHashId_d",406,"System.Double",real +"detail_eventId_s",407,"System.String",string +"detail_eventTime_d",408,"System.Double",real +"detail_eventTimeDT_t",409,"System.DateTime",datetime +"detail_filterRiskLevel_s",410,"System.String",string +"detail_firstSeen_t",411,"System.DateTime",datetime +"detail_integrityLevel_d",412,"System.Double",real +"detail_lastSeen_t",413,"System.DateTime",datetime +"detail_objectAuthId_d",414,"System.Double",real +"detail_objectFileCreation_d",415,"System.Double",real +"detail_objectFileHashId_d",416,"System.Double",real +"detail_objectFileHashMd5_g",417,"System.String",string +"detail_objectFileHashSha1_s",418,"System.String",string +"detail_objectFileHashSha256_s",419,"System.String",string 
+"detail_objectFileModifiedTime_d",420,"System.Double",real +"detail_objectFileSize_d",421,"System.Double",real +"detail_objectHashId_d",422,"System.Double",real +"detail_objectIntegrityLevel_d",423,"System.Double",real +"detail_objectLaunchTime_d",424,"System.Double",real +"detail_objectName_s",425,"System.String",string +"detail_objectPid_d",426,"System.Double",real +"detail_objectRunAsLocalAccount_b",427,"System.SByte",bool +"detail_objectSessionId_d",428,"System.Double",real +"detail_objectSigner_s",429,"System.String",string +"detail_objectSignerValid_s",430,"System.String",string +"detail_objectTrueType_d",431,"System.Double",real +"detail_objectUser_s",432,"System.String",string +"detail_objectUserDomain_s",433,"System.String",string +"detail_osDescription_s",434,"System.String",string +"detail_osName_s",435,"System.String",string +"detail_osType_s",436,"System.String",string +"detail_osVer_s",437,"System.String",string +"detail_parentAuthId_d",438,"System.Double",real +"detail_parentCmd_s",439,"System.String",string +"detail_parentFileCreation_d",440,"System.Double",real +"detail_parentFileHashId_d",441,"System.Double",real +"detail_parentFileHashMd5_g",442,"System.String",string +"detail_parentFileHashSha1_s",443,"System.String",string +"detail_parentFileHashSha256_s",444,"System.String",string +"detail_parentFileModifiedTime_d",445,"System.Double",real +"detail_parentFilePath_s",446,"System.String",string +"detail_parentFileSize_d",447,"System.Double",real +"detail_parentHashId_d",448,"System.Double",real +"detail_parentIntegrityLevel_d",449,"System.Double",real +"detail_parentLaunchTime_d",450,"System.Double",real +"detail_parentName_s",451,"System.String",string +"detail_parentPid_d",452,"System.Double",real +"detail_parentSessionId_d",453,"System.Double",real +"detail_parentSigner_s",454,"System.String",string +"detail_parentSignerValid_s",455,"System.String",string +"detail_parentTrueType_d",456,"System.Double",real 
+"detail_parentUser_s",457,"System.String",string +"detail_parentUserDomain_s",458,"System.String",string +"detail_plang_d",459,"System.Double",real +"detail_pname_s",460,"System.String",string +"detail_pplat_d",461,"System.Double",real +"detail_processFileCreation_d",462,"System.Double",real +"detail_processFileHashId_d",463,"System.Double",real +"detail_processFileHashMd5_g",464,"System.String",string +"detail_processFileHashSha1_s",465,"System.String",string +"detail_processFileHashSha256_s",466,"System.String",string +"detail_processFileModifiedTime_d",467,"System.Double",real +"detail_processFileSize_d",468,"System.Double",real +"detail_processHashId_d",469,"System.Double",real +"detail_processLaunchTime_d",470,"System.Double",real +"detail_processName_s",471,"System.String",string +"detail_processPid_d",472,"System.Double",real +"detail_processSigner_s",473,"System.String",string +"detail_processSignerValid_s",474,"System.String",string +"detail_processTrueType_d",475,"System.Double",real +"detail_processUser_s",476,"System.String",string +"detail_processUserDomain_s",477,"System.String",string +"detail_productCode_s",478,"System.String",string +"detail_pver_s",479,"System.String",string +"detail_sessionId_d",480,"System.Double",real +"detail_timezone_s",481,"System.String",string +"detail_userDomain_s",482,"System.String",string +"detail_uuid_g",483,"System.String",string +Type,484,"System.String",string +"_ResourceId",485,"System.String",string +"_ItemId",486,"System.String",string
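Review bot: Twenty column names in this schema (ordinals 7, 9, 12, 17, 38–40, 45, 46, 51–53, 57–63 and 103) are corrupted by what looks like an unanchored suffix strip that removed `_s`/`_d`/`_g` from inside the name — `detailuid_s_s`, `detaileviceGUID_s`, `detailenderGUID_s`, `detailessionId_s`, `detailirection_s`, `detailcore_s`, `detailetectionName_s`, `detailomainName_s`, `detailvchost_s`, `detailcanType_s`, `detailecondAct_s`, `detaileverity_s`, `detaileviceType_s`, `detailessionId_d` and so on — while the intact forms (`detail_suid_s` at 305, `detail_deviceGUID_g` at 334, `detail_senderGUID_g` at 370, `detail_sessionId_d` at 480, `detail_direction_s` at 297, `detail_score_d` at 302) already exist further down, so those rows should be deleted rather than shipped as phantom columns a parser or KQL validation test could bind to. The same logical field is also declared twice with conflicting types (`detail_eventId_d` real at 340 vs `detail_eventId_s` string at 407, `detail_osType_d` at 87 vs `detail_osType_s` at 436, `detail_pname_d` at 99 vs `detail_pname_s` at 460), and the sample-data hunk above shows `detail_eventId` arriving both as `"TELEMETRY_REGISTRY"` and as `100100`, so an ASIM parser built on this schema has to coalesce both variants or the fixture will pass on rows that real ingestion splits across columns. The 64-bit hash identifiers `detail_eventHashId_d` (406), `detail_objectHashId_d` (422), `detail_processFileHashId_d` (463) and `detail_processHashId_d` (469) are typed `System.Double`/real although the sample values (e.g. `848000000000000000`, `-4090000000000000000`) exceed the 2^53 exact-integer range of a double, so any correlation or deduplication keyed on them operates on rounded values; the string variants at ordinals 72, 81, 100 and 102 are the safer columns to reference, and a comment in the accompanying parser to that effect would prevent the real columns being picked by name. Finally, quoting is inconsistent (`TenantId,0,"System.String",string` bare vs `"detail_..."` quoted); if this file is regenerated, quoting every ColumnName uniformly keeps future diffs readable.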