diff --git a/SumoLogic/Snapshot_SumoLogic_IP.json b/SumoLogic/Snapshot_SumoLogic_IP.json
index 757b6376..5b75e19f 100644
--- a/SumoLogic/Snapshot_SumoLogic_IP.json
+++ b/SumoLogic/Snapshot_SumoLogic_IP.json
@@ -1 +1 @@ -{"description": "Sumo Logic IP", "schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"10.100.20.5\"", "actions": "[{\"arg\":{\"text\":\"10.100.20.5\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-12T14:12:13.612Z\",\"id\":\"collect-604aa699\",\"result\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-12T14:12:13.837Z\",\"uuid\":\"b036545c-53c5-4f09-8bc3-c0df4db72a98\"},{\"arg\":{\"type\":\"ip\",\"value\":\"10.100.20.5\"},\"created\":\"2021-07-12T14:12:13.863Z\",\"id\":\"investigate-1d5829f9\",\"result\":{\"data\":[{\"module\":\"Sumo Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687523998635010\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979\",\"id\":\"809687523998635010\",\"count\":16029145,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:52:05.978Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\",\"UDP\",\"Built\",\"50506\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378816\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378816\",\"count\":16029275,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\",\"UDP\",\"Built\",\"49691\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986946\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986946\",\"count\":16029503,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846\",\"UDP\",\"Built\",\"64846\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320133\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320133\",\"count\":16029314,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344820\",\"302015\",\"50060\",\"53\",\"50060\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335046\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335046\",\"count\":16029947,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344986\",\"302015\",\"49643\",\"53\",\"49643\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828416\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828416\",\"count\":16030186,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\",\"UDP\",\"Built\",\"49562\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839253\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839253\",\"count\":16029848,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\",\"UDP\",\"Built\",\"49170\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986947\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986947\",\"count\":16029504,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344870\",\"302015\",\"64846\",\"53\",\"64846\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151752\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151752\",\"count\":16030124,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\",\"UDP\",\"Built\",\"64971\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335045\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335045\",\"count\":16029946,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\",\"UDP\",\"Built\",\"49643\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151755\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151755\",\"count\":16030127,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345032\",\"302015\",\"50400\",\"53\",\"50400\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335044\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335044\",\"count\":16029945,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344985\",\"302015\",\"64945\",\"53\",\"64945\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349062\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349062\",\"count\":16030143,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\",\"UDP\",\"Built\",\"65385\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348491\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348491\",\"count\":16029618,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344896\",\"302015\",\"64998\",\"53\",\"64998\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828417\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828417\",\"count\":16030187,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345047\",\"302015\",\"49562\",\"53\",\"49562\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839251\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839251\",\"count\":16029846,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\",\"UDP\",\"Built\",\"65230\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620430\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620430\",\"count\":16030074,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\",\"UDP\",\"Built\",\"49611\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706114\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706114\",\"count\":16029695,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\",\"UDP\",\"Built\",\"64784\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466049\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466049\",\"count\":16029436,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344853\",\"302015\",\"64764\",\"53\",\"64764\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478018\"],\"short_description\":\"devbox-collector received a log from qradar - local use 
4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478018\",\"count\":16029244,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839252\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839252\",\"count\":16029847,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344968\",\"302015\",\"65230\",\"53\",\"65230\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170242\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170242\",\"count\":16029263,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\",\"UDP\",\"Built\",\"49787\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:00:00.4789615Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit 
Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955446,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x9949ff5\\\",\\\"IpPort\\\":\\\"64196\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation 
Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x9949FF5\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64196\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693387534963720\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479\",\"id\":\"809693387534963720\",\"count\":142605,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:00:00.478Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340928\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340928\",\"count\":16029554,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695\",\"UDP\",\"Built\",\"50695\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674374\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674374\",\"count\":16029370,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\",\"UDP\",\"Built\",\"49377\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230216\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230216\",\"count\":16029901,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\",\"UDP\",\"Built\",\"65098\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674375\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674375\",\"count\":16029371,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344835\",\"302015\",\"49377\",\"53\",\"49377\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706116\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706116\",\"count\":16029697,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\",\"UDP\",\"Built\",\"50626\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004611\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004611\",\"count\":16030002,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\",\"UDP\",\"Built\",\"65291\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706117\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706117\",\"count\":16029698,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344925\",\"302015\",\"50626\",\"53\",\"50626\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674372\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674372\",\"count\":16029368,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\",\"UDP\",\"Built\",\"50682\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706115\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706115\",\"count\":16029696,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344924\",\"302015\",\"64784\",\"53\",\"64784\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320135\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320135\",\"count\":16029316,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344821\",\"302015\",\"50113\",\"53\",\"50113\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 
(24.141.154.216/65098)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230217\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230217\",\"count\":16029902,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 
(24.141.154.216/65098)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344977\",\"302015\",\"65098\",\"53\",\"65098\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378818\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378818\",\"count\":16029277,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188\",\"TCP\",\"Built\",\"64188\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 
(24.141.154.216/64783)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349061\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349061\",\"count\":16030142,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 
(24.141.154.216/64783)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345036\",\"302015\",\"64783\",\"53\",\"64783\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674382\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126\",\"id\":\"809691484847674382\",\"count\":16029380,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:11.125Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\",\"UDP\",\"Built\",\"50455\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 
(24.141.154.216/50677)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687271082103828\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980\",\"id\":\"809687271082103828\",\"count\":16029134,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:51:52.979Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 
(24.141.154.216/50677)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344773\",\"302015\",\"50677\",\"53\",\"50677\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230219\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230219\",\"count\":16029904,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344978\",\"302015\",\"50745\",\"53\",\"50745\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170243\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170243\",\"count\":16029264,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344808\",\"302015\",\"49787\",\"53\",\"49787\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892034\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892034\",\"count\":16029956,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\",\"TCP\",\"Built\",\"64217\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466051\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466051\",\"count\":16029438,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344854\",\"302015\",\"49908\",\"53\",\"49908\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349060\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349060\",\"count\":16030141,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\",\"UDP\",\"Built\",\"64783\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478024\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034\",\"id\":\"809689201099478024\",\"count\":16029251,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:43.033Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\",\"TCP\",\"Built\",\"64186\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620432\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620432\",\"count\":16030076,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\",\"UDP\",\"Built\",\"49898\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859782\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859782\",\"count\":16030231,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\",\"UDP\",\"Built\",\"65343\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348493\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348493\",\"count\":16029620,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344897\",\"302015\",\"50204\",\"53\",\"50204\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282632\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282632\",\"count\":16029776,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\",\"UDP\",\"Built\",\"50248\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004614\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004614\",\"count\":16030005,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345008\",\"302015\",\"50277\",\"53\",\"50277\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282633\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282633\",\"count\":16029777,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344950\",\"302015\",\"50248\",\"53\",\"50248\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282630\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282630\",\"count\":16029774,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\",\"UDP\",\"Built\",\"49247\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320132\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320132\",\"count\":16029313,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\",\"UDP\",\"Built\",\"50060\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859785\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859785\",\"count\":16030234,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345058\",\"302015\",\"49731\",\"53\",\"49731\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828418\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828418\",\"count\":16030188,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\",\"UDP\",\"Built\",\"50195\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892032\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892032\",\"count\":16029954,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\",\"UDP\",\"Built\",\"50326\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348492\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348492\",\"count\":16029619,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\",\"UDP\",\"Built\",\"50204\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054085\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054085\",\"count\":16029187,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344783\",\"302015\",\"49173\",\"53\",\"49173\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340931\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340931\",\"count\":16029557,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344878\",\"302015\",\"65519\",\"53\",\"65519\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 
(24.141.154.216/50506)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687523998635011\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979\",\"id\":\"809687523998635011\",\"count\":16029146,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:52:05.978Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 
(24.141.154.216/50506)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344775\",\"302015\",\"50506\",\"53\",\"50506\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620431\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620431\",\"count\":16030075,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345022\",\"302015\",\"49611\",\"53\",\"49611\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054084\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054084\",\"count\":16029186,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\",\"UDP\",\"Built\",\"49173\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 
(24.141.154.216/64186)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.68.107.242\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478025\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034\",\"id\":\"809689201099478025\",\"count\":16029252,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:43.033Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 
(24.141.154.216/64186)\",\"TCP\",\"Built\",\"443\",\"6\",\"54.68.107.242\",\"inside\",\"54.68.107.242\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344804\",\"302013\",\"64186\",\"443\",\"64186\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478016\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478016\",\"count\":16029242,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to 
outside:24.141.154.216/50277\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004613\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004613\",\"count\":16030004,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\",\"UDP\",\"Built\",\"50277\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620433\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic 
contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620433\",\"count\":16030077,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345023\",\"302015\",\"49898\",\"53\",\"49898\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986945\"],\"short_description\":\"devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986945\",\"count\":16029502,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344869\",\"302015\",\"65195\",\"53\",\"65195\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340930\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message 
from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340930\",\"count\":16029556,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\",\"UDP\",\"Built\",\"65519\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151753\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151753\",\"count\":16030125,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345031\",\"302015\",\"64971\",\"53\",\"64971\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466050\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466050\",\"count\":16029437,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\",\"UDP\",\"Built\",\"49908\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170244\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170244\",\"count\":16029265,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\",\"UDP\",\"Built\",\"49248\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892033\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892033\",\"count\":16029955,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344988\",\"302015\",\"50326\",\"53\",\"50326\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809686263241184260\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033\",\"id\":\"809686263241184260\",\"count\":16029040,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:50:55.032Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344747\",\"302015\",\"49352\",\"53\",\"49352\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 
(24.141.154.216/50682)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674373\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674373\",\"count\":16029369,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 
(24.141.154.216/50682)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344834\",\"302015\",\"50682\",\"53\",\"50682\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282631\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282631\",\"count\":16029775,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344949\",\"302015\",\"49247\",\"53\",\"49247\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T13:55:00.2628542Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955405,\\\"Execution\\\":{\\\"ThreadID\\\":3852,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x99411c9\\\",\\\"IpPort\\\":\\\"64181\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An 
account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x99411C9\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64181\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688350612067336\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263\",\"id\":\"809688350612067336\",\"count\":142564,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:55:00.262Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 
(24.141.154.216/49170)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839254\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839254\",\"count\":16029849,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 
(24.141.154.216/49170)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344969\",\"302015\",\"49170\",\"53\",\"49170\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054087\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054087\",\"count\":16029189,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344784\",\"302015\",\"49870\",\"53\",\"49870\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335043\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335043\",\"count\":16029944,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\",\"UDP\",\"Built\",\"64945\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo 
Logic\",\"external_ids\":[\"809690440214320134\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320134\",\"count\":16029315,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\",\"UDP\",\"Built\",\"50113\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349063\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349063\",\"count\":16030144,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345037\",\"302015\",\"65385\",\"53\",\"65385\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170245\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170245\",\"count\":16029266,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344809\",\"302015\",\"49248\",\"53\",\"49248\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004612\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004612\",\"count\":16030003,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345007\",\"302015\",\"65291\",\"53\",\"65291\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:05:00.6935032Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955484,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x9951965\\\",\\\"IpPort\\\":\\\"64210\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL 
SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x9951965\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64210\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698427058328584\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694\",\"id\":\"809698427058328584\",\"count\":142643,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:00.693Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 
(24.141.154.216/64217)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"4.27.9.254\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892035\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892035\",\"count\":16029957,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 
(24.141.154.216/64217)\",\"TCP\",\"Built\",\"80\",\"6\",\"4.27.9.254\",\"inside\",\"4.27.9.254\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344989\",\"302013\",\"64217\",\"80\",\"64217\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054086\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054086\",\"count\":16029188,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\",\"UDP\",\"Built\",\"49870\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859784\"],\"short_description\":\"devbox-collector received a log from qradar - local use 
4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859784\",\"count\":16030233,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\",\"UDP\",\"Built\",\"49731\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230218\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230218\",\"count\":16029903,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\",\"UDP\",\"Built\",\"50745\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478017\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478017\",\"count\":16029243,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986944\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986944\",\"count\":16029501,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\",\"UDP\",\"Built\",\"65195\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151754\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151754\",\"count\":16030126,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\",\"UDP\",\"Built\",\"50400\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378817\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378817\",\"count\":16029276,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344812\",\"302015\",\"49691\",\"53\",\"49691\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674383\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126\",\"id\":\"809691484847674383\",\"count\":16029381,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:56:11.125Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344838\",\"302015\",\"50455\",\"53\",\"50455\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 
(24.141.154.216/64188)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"52.137.106.217\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378819\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378819\",\"count\":16029278,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 
(24.141.154.216/64188)\",\"TCP\",\"Built\",\"443\",\"6\",\"52.137.106.217\",\"inside\",\"52.137.106.217\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344813\",\"302013\",\"64188\",\"443\",\"64188\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466048\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466048\",\"count\":16029435,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\",\"UDP\",\"Built\",\"64764\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 
(24.141.154.216/50695)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340929\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340929\",\"count\":16029555,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 
(24.141.154.216/50695)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344877\",\"302015\",\"50695\",\"53\",\"50695\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828419\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828419\",\"count\":16030189,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345048\",\"302015\",\"50195\",\"53\",\"50195\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687271082103827\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980\",\"id\":\"809687271082103827\",\"count\":16029133,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T13:51:52.979Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\",\"UDP\",\"Built\",\"50677\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 
(24.141.154.216/65343)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859783\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859783\",\"count\":16030232,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 
(24.141.154.216/65343)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345057\",\"302015\",\"65343\",\"53\",\"65343\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348490\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348490\",\"count\":16029617,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998\",\"UDP\",\"Built\",\"64998\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:10:00.8598157Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit 
Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955528,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x997152b\\\",\\\"IpPort\\\":\\\"64224\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation 
Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x997152B\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64224\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703524647638024\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860\",\"id\":\"809703524647638024\",\"count\":142687,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-06-26T14:10:00.859Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages.\",\"type\":\"warning\",\"module\":\"Sumo Logic\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-12T14:12:24.794Z\",\"uuid\":\"f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e\"},{\"arg\":[{\"type\":\"ip\",\"value\":\"10.100.20.5\"},{\"type\":\"ip\",\"value\":\"4.27.9.254\"},{\"type\":\"ip\",\"value\":\"52.137.106.217\"},{\"type\":\"ip\",\"value\":\"54.68.107.242\"},{\"type\":\"ip\",\"value\":\"54.69.174.114\"},{\"type\":\"ip\",\"value\":\"8.8.8.8\"}],\"created\":\"2021-07-12T14:12:25.446Z\",\"id\":\"deliberate-3e507d5a\",\"result\":{\"data\":[{\"module\":\"AMP File Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":0,\"docs\":[]}}},{\"module\":\"Umbrella\",\"module_instance_id\":\"2d1cf6f6-f941-4caa-ba98-a87c3d9fa5b3\",\"module_type_id\":\"188d70f7-29d5-5069-9098-d83a3ec8e797\",\"data\":{\"verdicts\":{\"count\":5,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-06-26T14:12:27.242Z\",\"end_time\":\"2023-07-26T14:12:27.242Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"4.27.9.254\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-06-26T14:12:27.140Z\",\"end_time\":\"2023-07-26T14:12:27.140Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"52.137.106.217\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-06-26T14:12:26.412Z\",\"end_time\":\"2023-07-26T14:12:26.412Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"54.68.107.242\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-06-26T14:12:26.497Z\",\"end_time\":\"2023-07-26T14:12:26.497Z\"}},{\"type\":\"verdict\",\"disposition\":5,
\"observable\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-06-26T14:12:26.045Z\",\"end_time\":\"2023-07-26T14:12:26.045Z\"}}]}}},{\"module\":\"Sumo Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{}}]},\"state\":\"ok\",\"type\":\"deliberate\",\"updated\":\"2021-07-12T14:12:57.510Z\",\"uuid\":\"d25daa24-6560-4f68-bb6b-9a41d8e0a5ad\"}]", "short_description": "Snapshot @ 20210712 14:14:28", "omittedObservables": [], "archivedObservables": [{"key": "0dea2b71-74ae-4200-8840-99a1149c1725", "value": "10.100.20.5", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "10.100.20.5", "id": "3f0d90f3", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:10:00.8598157Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955528,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x997152b\",\"IpPort\":\"64224\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT 
AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x997152B\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64224\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:10:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142687, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703524647638024"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860", "disposition_name": "Unknown", "id": "809703524647638024", "observed_start_time": "2021-07-12T14:10:00Z", "count": 142687, "observable_type": "ip", "ctr_uuid": "4918eb82-db45-485f-a981-1649bf564b94", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:00.859Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to 
outside:24.141.154.216/64998\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029617, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348490"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348490", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029617, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998", "UDP", "Built", "64998", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16030232, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859783"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859783", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030232, "observable_type": "ip", "ctr_uuid": "3eed88f1-1bf7-406f-a565-e904031cceba", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345057", "302015", "65343", "53", "65343"]]}}, {"suspicious": 
0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029133, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103827"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103827", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029133, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677", "UDP", "Built", "50677", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", 
"relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828419"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828419", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030189, "observable_type": "ip", "ctr_uuid": "efca3729-1589-41e2-9ebd-087f2f1dc008", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", 
"8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345048", "302015", "50195", "53", "50195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029555, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340929"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340929", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029555, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": 
"message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344877", "302015", "50695", "53", "50695"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029435, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466048"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466048", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029435, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built 
dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764", "UDP", "Built", "64764", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "52.137.106.217", "type": "ip"}}], "unknown": 16029278, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378819"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378819", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029278, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": 
"direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)", "TCP", "Built", "443", "6", "52.137.106.217", "inside", "52.137.106.217", "10.100.20.5", "24.141.154.216", "outbound", "344813", "302013", "64188", "443", "64188"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\n```", "observed_end_time": "2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029381, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674383"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674383", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029381, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": 
"string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344838", "302015", "50455", "53", "50455"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029276, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378817"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378817", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029276, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344812", "302015", "49691", "53", "49691"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030126, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151754"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151754", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030126, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400", "UDP", "Built", "50400", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029501, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986944"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986944", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029501, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195", "UDP", "Built", "65195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029243, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478017"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478017", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029243, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029903, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230218"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230218", "observed_start_time": "2021-07-12T14:04:13Z", 
"count": 16029903, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745", "UDP", "Built", "50745", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030233, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859784"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859784", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030233, "observable_type": "ip", "ctr_uuid": "8ae66931-86fb-4b92-b59c-b3ec8c212d90", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731", "UDP", "Built", "49731", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054086"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054086", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029188, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/49870 to outside:24.141.154.216/49870", "UDP", "Built", "49870", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "4.27.9.254", "type": "ip"}}], "unknown": 16029957, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892035"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892035", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029957, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": 
"session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)", "TCP", "Built", "80", "6", "4.27.9.254", "inside", "4.27.9.254", "10.100.20.5", "24.141.154.216", "outbound", "344989", "302013", "64217", "80", "64217"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:05:00.6935032Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955484,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9951965\",\"IpPort\":\"64210\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount 
Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9951965\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64210\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:05:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142643, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698427058328584"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694", "disposition_name": "Unknown", "id": "809698427058328584", "observed_start_time": "2021-07-12T14:05:00Z", "count": 142643, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:00.693Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030003, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004612"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004612", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030003, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/65291 (24.141.154.216/65291)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345007", "302015", "65291", "53", "65291"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029266, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170245"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170245", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029266, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": 
"string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344809", "302015", "49248", "53", "49248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030144, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349063"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349063", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030144, "observable_type": "ip", "ctr_uuid": "449352e1-f59c-47cf-a4bc-f086f939d29a", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345037", "302015", "65385", "53", "65385"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029315, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320134"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320134", "observed_start_time": "2021-07-12T13:55:05Z", 
"count": 16029315, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113", "UDP", "Built", "50113", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029944, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335043"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335043", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029944, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": 
"dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945", "UDP", "Built", "64945", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054087"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054087", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029189, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, 
{"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344784", "302015", "49870", "53", "49870"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029849, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839254"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839254", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029849, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344969", "302015", "49170", "53", "49170"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T13:55:00.2628542Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955405,\"Execution\":{\"ThreadID\":3852,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x99411c9\",\"IpPort\":\"64181\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x99411C9\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64181\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T13:55:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142564, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688350612067336"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263", "disposition_name": "Unknown", "id": "809688350612067336", "observed_start_time": "2021-07-12T13:55:00Z", "count": 142564, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:00.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029775, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282631"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in 
Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282631", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029775, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344949", "302015", "49247", "53", "49247"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029369, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674373"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674373", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029369, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344834", "302015", "50682", "53", "50682"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/49352 (24.141.154.216/49352)\n```", "observed_end_time": "2021-07-12T13:50:55Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029040, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809686263241184260"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033", "disposition_name": "Unknown", "id": "809686263241184260", "observed_start_time": "2021-07-12T13:50:55Z", "count": 16029040, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:50:55.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344747 for 
outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344747", "302015", "49352", "53", "49352"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029955, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892033"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892033", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029955, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": 
"src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344988", "302015", "50326", "53", "50326"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029265, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170244"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170244", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029265, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248", "UDP", "Built", "49248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029437, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466050"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466050", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029437, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908", "UDP", "Built", "49908", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030125, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151753"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151753", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030125, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, 
{"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345031", "302015", "64971", "53", "64971"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029556, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340930"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340930", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029556, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519", "UDP", "Built", "65519", "6", 
"24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029502, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986945"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986945", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029502, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": 
"string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344869", "302015", "65195", "53", "65195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030077, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620433"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620433", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030077, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345023", "302015", "49898", "53", "49898"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030004, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004613"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004613", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030004, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, 
{"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277", "UDP", "Built", "50277", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029242, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478016"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478016", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029242, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": 
"log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.68.107.242", "type": "ip"}}], "unknown": 16029252, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478025"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478025", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029252, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, 
{"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)", "TCP", "Built", "443", "6", "54.68.107.242", "inside", "54.68.107.242", "10.100.20.5", "24.141.154.216", "outbound", "344804", "302013", "64186", "443", "64186"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054084"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054084", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029186, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": 
[{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173", "UDP", "Built", "49173", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030075, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620431"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620431", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030075, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, 
{"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345022", "302015", "49611", "53", "49611"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029146, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635011"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": 
"809687523998635011", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029146, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344775", "302015", "50506", "53", "50506"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029557, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340931"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) 
containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340931", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029557, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344878", "302015", "65519", "53", "65519"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": 
{"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054085"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054085", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029187, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344783", "302015", "49173", "53", "49173"]]}}, {"suspicious": 0, "description": 
"```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029619, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348492"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348492", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029619, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204", "UDP", "Built", "50204", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029954, "observable_value": "10.100.20.5", "observables": [{"value": 
"10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892032"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892032", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029954, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326", "UDP", "Built", "50326", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828418"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log 
message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828418", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030188, "observable_type": "ip", "ctr_uuid": "15efd3bf-4368-4790-84fe-4946c2c52d8b", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195", "UDP", "Built", "50195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030234, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859785"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859785", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030234, "observable_type": "ip", "ctr_uuid": "ada8ef67-f7de-4ee6-baf4-b657e61f3d66", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345058", "302015", "49731", "53", "49731"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029313, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320132"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320132", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029313, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060", "UDP", "Built", "50060", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029774, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282630"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282630", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029774, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247", "UDP", "Built", "49247", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029777, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282633"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282633", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029777, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344950", "302015", "50248", "53", "50248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030005, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", 
"source": "Sumo Logic", "external_ids": ["809701731784004614"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004614", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030005, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345008", "302015", "50277", "53", "50277"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": 
"1.1.6", "unknown": 16029776, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282632"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282632", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029776, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248", "UDP", "Built", "50248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029620, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": 
"ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348493"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348493", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029620, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344897", "302015", "50204", "53", "50204"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\n```", "observed_end_time": 
"2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030231, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859782"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859782", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030231, "observable_type": "ip", "ctr_uuid": "fcc2f499-ee84-40ca-9749-1a33a16587cb", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343", "UDP", "Built", "65343", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030076, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809702635874620432"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620432", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030076, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898", "UDP", "Built", "49898", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029251, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478024"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, 
"common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478024", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029251, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186", "TCP", "Built", "64186", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030141, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349060"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349060", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030141, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783", "UDP", "Built", "64783", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029438, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466051"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466051", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029438, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344854", "302015", "49908", "53", "49908"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029956, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892034"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892034", 
"observed_start_time": "2021-07-12T14:05:14Z", "count": 16029956, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217", "TCP", "Built", "64217", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029264, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170243"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170243", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029264, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344808", "302015", "49787", "53", "49787"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029904, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230219"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", 
"internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230219", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029904, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344978", "302015", "50745", "53", "50745"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029134, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], 
"obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103828"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103828", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029134, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344773", "302015", "50677", "53", "50677"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\n```", "observed_end_time": 
"2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029380, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674382"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674382", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029380, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455", "UDP", "Built", "50455", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030142, "observable_value": 
"10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349061"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349061", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030142, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345036", "302015", "64783", "53", "64783"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to 
outside:24.141.154.216/64188\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029277, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378818"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378818", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029277, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188", "TCP", "Built", "64188", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16029902, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230217"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230217", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029902, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344977", "302015", "65098", "53", "65098"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built 
outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029316, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320135"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320135", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029316, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": 
"string"}], "rows": [["Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344821", "302015", "50113", "53", "50113"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029696, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706115"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706115", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029696, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", 
"type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344924", "302015", "64784", "53", "64784"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029368, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674372"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674372", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029368, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", 
"type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682", "UDP", "Built", "50682", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029698, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706117"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706117", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029698, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": 
"dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344925", "302015", "50626", "53", "50626"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030002, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004611"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004611", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030002, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291", "UDP", "Built", "65291", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029697, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706116"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706116", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029697, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/50626 to outside:24.141.154.216/50626", "UDP", "Built", "50626", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029371, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674375"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674375", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029371, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", 
"type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344835", "302015", "49377", "53", "49377"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029901, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230216"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230216", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029901, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": 
"string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098", "UDP", "Built", "65098", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029370, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674374"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674374", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029370, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377", "UDP", "Built", "49377", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 
to outside:24.141.154.216/50695\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029554, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340928"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340928", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029554, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695", "UDP", "Built", "50695", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:00:00.4789615Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955446,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9949ff5\",\"IpPort\":\"64196\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9949FF5\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64196\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:00:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142605, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693387534963720"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479", "disposition_name": "Unknown", "id": "809693387534963720", "observed_start_time": "2021-07-12T14:00:00Z", "count": 142605, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:00.478Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029263, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170242"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170242", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029263, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787", "UDP", "Built", "49787", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029847, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839252"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839252", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029847, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344968", "302015", "65230", "53", "65230"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029244, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo 
Logic", "external_ids": ["809689201099478018"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478018", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029244, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029436, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466049"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466049", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029436, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344853", "302015", "64764", "53", "64764"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029695, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706114"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706114", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029695, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784", "UDP", "Built", "64784", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030074, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620430"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620430", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030074, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611", "UDP", "Built", "49611", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029846, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839251"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359", 
"disposition_name": "Unknown", "id": "809698673951839251", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029846, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230", "UDP", "Built", "65230", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828417"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828417", "observed_start_time": "2021-07-12T14:09:13Z", "count": 
16030187, "observable_type": "ip", "ctr_uuid": "a264f82d-474e-41fb-a311-21f35934261d", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345047", "302015", "49562", "53", "49562"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029618, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348491"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348491", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029618, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344896", "302015", "64998", "53", "64998"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030143, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809704094066349062"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349062", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030143, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385", "UDP", "Built", "65385", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029945, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335044"], "disposition": 5, "short_description": "devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335044", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029945, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344985", "302015", "64945", "53", "64945"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", 
"type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030127, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151755"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151755", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030127, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345032", "302015", "50400", "53", "50400"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029946, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335045"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335045", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029946, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643", "UDP", "Built", "49643", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030124, "observable_value": "10.100.20.5", "observables": 
[{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151752"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151752", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030124, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971", "UDP", "Built", "64971", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029504, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809693658939986947"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986947", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029504, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344870", "302015", "64846", "53", "64846"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 
16029848, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839253"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839253", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029848, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170", "UDP", "Built", "49170", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828416"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 
(local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828416", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030186, "observable_type": "ip", "ctr_uuid": "712716e7-8463-45d4-baeb-6e480f5bb5f2", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562", "UDP", "Built", "49562", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029947, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335046"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": 
"Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335046", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029947, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344986", "302015", "49643", "53", "49643"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029314, 
"observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320133"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320133", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029314, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344820", "302015", "50060", "53", "50060"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from 
inside:10.100.20.5/64846 to outside:24.141.154.216/64846\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029503, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986946"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986946", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029503, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846", "UDP", "Built", "64846", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029275, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": 
"sighting", "source": "Sumo Logic", "external_ids": ["809689768169378816"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378816", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029275, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691", "UDP", "Built", "49691", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029145, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635010"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": "809687523998635010", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029145, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506", "UDP", "Built", "50506", "6", "24.141.154.216", "outside", "305011"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "e188457d-01e0-4c40-a780-f585120edf6b", "observable": {"key": "0dea2b71-74ae-4200-8840-99a1149c1725", "value": "10.100.20.5", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "10.100.20.5", "id": "3f0d90f3", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:10:00.8598157Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955528,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x997152b\",\"IpPort\":\"64224\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT 
AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x997152B\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64224\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:10:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142687, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703524647638024"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860", "disposition_name": "Unknown", "id": "809703524647638024", "observed_start_time": "2021-07-12T14:10:00Z", "count": 142687, "observable_type": "ip", "ctr_uuid": "4918eb82-db45-485f-a981-1649bf564b94", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:00.859Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to 
outside:24.141.154.216/64998\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029617, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348490"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348490", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029617, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998", "UDP", "Built", "64998", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16030232, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859783"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859783", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030232, "observable_type": "ip", "ctr_uuid": "3eed88f1-1bf7-406f-a565-e904031cceba", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345057", "302015", "65343", "53", "65343"]]}}, {"suspicious": 
0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029133, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103827"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103827", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029133, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677", "UDP", "Built", "50677", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", 
"relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828419"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828419", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030189, "observable_type": "ip", "ctr_uuid": "efca3729-1589-41e2-9ebd-087f2f1dc008", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", 
"8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345048", "302015", "50195", "53", "50195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029555, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340929"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340929", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029555, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": 
"message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344877", "302015", "50695", "53", "50695"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029435, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466048"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466048", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029435, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built 
dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764", "UDP", "Built", "64764", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "52.137.106.217", "type": "ip"}}], "unknown": 16029278, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378819"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378819", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029278, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": 
"direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)", "TCP", "Built", "443", "6", "52.137.106.217", "inside", "52.137.106.217", "10.100.20.5", "24.141.154.216", "outbound", "344813", "302013", "64188", "443", "64188"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\n```", "observed_end_time": "2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029381, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674383"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674383", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029381, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": 
"string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344838", "302015", "50455", "53", "50455"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029276, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378817"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378817", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029276, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344812", "302015", "49691", "53", "49691"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030126, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151754"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151754", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030126, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400", "UDP", "Built", "50400", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029501, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986944"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986944", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029501, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195", "UDP", "Built", "65195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029243, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478017"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478017", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029243, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029903, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230218"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230218", "observed_start_time": "2021-07-12T14:04:13Z", 
"count": 16029903, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745", "UDP", "Built", "50745", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030233, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859784"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859784", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030233, "observable_type": "ip", "ctr_uuid": "8ae66931-86fb-4b92-b59c-b3ec8c212d90", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731", "UDP", "Built", "49731", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054086"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054086", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029188, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/49870 to outside:24.141.154.216/49870", "UDP", "Built", "49870", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "4.27.9.254", "type": "ip"}}], "unknown": 16029957, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892035"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892035", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029957, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": 
"session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)", "TCP", "Built", "80", "6", "4.27.9.254", "inside", "4.27.9.254", "10.100.20.5", "24.141.154.216", "outbound", "344989", "302013", "64217", "80", "64217"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:05:00.6935032Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955484,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9951965\",\"IpPort\":\"64210\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount 
Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9951965\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64210\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:05:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142643, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698427058328584"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694", "disposition_name": "Unknown", "id": "809698427058328584", "observed_start_time": "2021-07-12T14:05:00Z", "count": 142643, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:00.693Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030003, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004612"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004612", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030003, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/65291 (24.141.154.216/65291)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345007", "302015", "65291", "53", "65291"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029266, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170245"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170245", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029266, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": 
"string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344809", "302015", "49248", "53", "49248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030144, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349063"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349063", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030144, "observable_type": "ip", "ctr_uuid": "449352e1-f59c-47cf-a4bc-f086f939d29a", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345037", "302015", "65385", "53", "65385"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029315, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320134"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320134", "observed_start_time": "2021-07-12T13:55:05Z", 
"count": 16029315, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113", "UDP", "Built", "50113", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029944, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335043"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335043", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029944, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": 
"dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945", "UDP", "Built", "64945", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054087"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054087", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029189, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, 
{"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344784", "302015", "49870", "53", "49870"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029849, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839254"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839254", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029849, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344969", "302015", "49170", "53", "49170"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T13:55:00.2628542Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955405,\"Execution\":{\"ThreadID\":3852,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x99411c9\",\"IpPort\":\"64181\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x99411C9\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64181\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T13:55:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142564, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688350612067336"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263", "disposition_name": "Unknown", "id": "809688350612067336", "observed_start_time": "2021-07-12T13:55:00Z", "count": 142564, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:00.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029775, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282631"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in 
Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282631", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029775, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344949", "302015", "49247", "53", "49247"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029369, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674373"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674373", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029369, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344834", "302015", "50682", "53", "50682"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/49352 (24.141.154.216/49352)\n```", "observed_end_time": "2021-07-12T13:50:55Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029040, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809686263241184260"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033", "disposition_name": "Unknown", "id": "809686263241184260", "observed_start_time": "2021-07-12T13:50:55Z", "count": 16029040, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:50:55.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344747 for 
outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344747", "302015", "49352", "53", "49352"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029955, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892033"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892033", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029955, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": 
"src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344988", "302015", "50326", "53", "50326"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029265, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170244"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170244", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029265, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248", "UDP", "Built", "49248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029437, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466050"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466050", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029437, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908", "UDP", "Built", "49908", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030125, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151753"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151753", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030125, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, 
{"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345031", "302015", "64971", "53", "64971"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029556, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340930"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340930", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029556, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519", "UDP", "Built", "65519", "6", 
"24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029502, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986945"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986945", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029502, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": 
"string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344869", "302015", "65195", "53", "65195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030077, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620433"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620433", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030077, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345023", "302015", "49898", "53", "49898"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030004, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004613"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004613", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030004, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, 
{"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277", "UDP", "Built", "50277", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029242, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478016"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478016", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029242, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": 
"log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.68.107.242", "type": "ip"}}], "unknown": 16029252, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478025"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478025", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029252, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, 
{"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)", "TCP", "Built", "443", "6", "54.68.107.242", "inside", "54.68.107.242", "10.100.20.5", "24.141.154.216", "outbound", "344804", "302013", "64186", "443", "64186"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054084"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054084", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029186, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": 
[{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173", "UDP", "Built", "49173", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030075, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620431"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620431", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030075, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, 
{"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345022", "302015", "49611", "53", "49611"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029146, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635011"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": 
"809687523998635011", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029146, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344775", "302015", "50506", "53", "50506"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029557, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340931"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) 
containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340931", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029557, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344878", "302015", "65519", "53", "65519"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": 
{"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054085"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054085", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029187, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344783", "302015", "49173", "53", "49173"]]}}, {"suspicious": 0, "description": 
"```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029619, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348492"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348492", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029619, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204", "UDP", "Built", "50204", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029954, "observable_value": "10.100.20.5", "observables": [{"value": 
"10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892032"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892032", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029954, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326", "UDP", "Built", "50326", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828418"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log 
message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828418", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030188, "observable_type": "ip", "ctr_uuid": "15efd3bf-4368-4790-84fe-4946c2c52d8b", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195", "UDP", "Built", "50195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030234, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859785"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859785", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030234, "observable_type": "ip", "ctr_uuid": "ada8ef67-f7de-4ee6-baf4-b657e61f3d66", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345058", "302015", "49731", "53", "49731"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029313, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320132"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320132", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029313, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060", "UDP", "Built", "50060", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029774, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282630"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282630", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029774, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247", "UDP", "Built", "49247", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029777, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282633"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282633", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029777, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344950", "302015", "50248", "53", "50248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030005, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", 
"source": "Sumo Logic", "external_ids": ["809701731784004614"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004614", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030005, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345008", "302015", "50277", "53", "50277"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": 
"1.1.6", "unknown": 16029776, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282632"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282632", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029776, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248", "UDP", "Built", "50248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029620, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": 
"ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348493"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348493", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029620, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344897", "302015", "50204", "53", "50204"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\n```", "observed_end_time": 
"2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030231, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859782"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859782", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030231, "observable_type": "ip", "ctr_uuid": "fcc2f499-ee84-40ca-9749-1a33a16587cb", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343", "UDP", "Built", "65343", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030076, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809702635874620432"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620432", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030076, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898", "UDP", "Built", "49898", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029251, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478024"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, 
"common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478024", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029251, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186", "TCP", "Built", "64186", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030141, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349060"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349060", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030141, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783", "UDP", "Built", "64783", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029438, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466051"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466051", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029438, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344854", "302015", "49908", "53", "49908"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029956, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892034"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892034", 
"observed_start_time": "2021-07-12T14:05:14Z", "count": 16029956, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217", "TCP", "Built", "64217", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029264, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170243"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170243", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029264, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344808", "302015", "49787", "53", "49787"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029904, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230219"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", 
"internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230219", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029904, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344978", "302015", "50745", "53", "50745"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029134, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], 
"obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103828"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103828", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029134, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344773", "302015", "50677", "53", "50677"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\n```", "observed_end_time": 
"2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029380, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674382"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674382", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029380, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455", "UDP", "Built", "50455", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030142, "observable_value": 
"10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349061"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349061", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030142, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345036", "302015", "64783", "53", "64783"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to 
outside:24.141.154.216/64188\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029277, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378818"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378818", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029277, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188", "TCP", "Built", "64188", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16029902, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230217"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230217", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029902, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344977", "302015", "65098", "53", "65098"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built 
outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029316, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320135"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320135", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029316, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": 
"string"}], "rows": [["Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344821", "302015", "50113", "53", "50113"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029696, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706115"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706115", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029696, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", 
"type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344924", "302015", "64784", "53", "64784"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029368, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674372"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674372", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029368, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", 
"type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682", "UDP", "Built", "50682", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029698, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706117"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706117", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029698, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": 
"dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344925", "302015", "50626", "53", "50626"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030002, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004611"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004611", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030002, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291", "UDP", "Built", "65291", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029697, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706116"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706116", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029697, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/50626 to outside:24.141.154.216/50626", "UDP", "Built", "50626", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029371, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674375"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674375", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029371, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", 
"type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344835", "302015", "49377", "53", "49377"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029901, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230216"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230216", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029901, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": 
"string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098", "UDP", "Built", "65098", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029370, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674374"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674374", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029370, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377", "UDP", "Built", "49377", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 
to outside:24.141.154.216/50695\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029554, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340928"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340928", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029554, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695", "UDP", "Built", "50695", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:00:00.4789615Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955446,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9949ff5\",\"IpPort\":\"64196\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9949FF5\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64196\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:00:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142605, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693387534963720"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479", "disposition_name": "Unknown", "id": "809693387534963720", "observed_start_time": "2021-07-12T14:00:00Z", "count": 142605, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:00.478Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029263, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170242"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170242", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029263, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787", "UDP", "Built", "49787", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029847, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839252"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839252", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029847, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344968", "302015", "65230", "53", "65230"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029244, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo 
Logic", "external_ids": ["809689201099478018"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478018", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029244, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029436, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466049"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466049", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029436, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344853", "302015", "64764", "53", "64764"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029695, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706114"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706114", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029695, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784", "UDP", "Built", "64784", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030074, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620430"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620430", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030074, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611", "UDP", "Built", "49611", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029846, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839251"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359", 
"disposition_name": "Unknown", "id": "809698673951839251", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029846, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230", "UDP", "Built", "65230", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828417"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828417", "observed_start_time": "2021-07-12T14:09:13Z", "count": 
16030187, "observable_type": "ip", "ctr_uuid": "a264f82d-474e-41fb-a311-21f35934261d", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345047", "302015", "49562", "53", "49562"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029618, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348491"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348491", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029618, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344896", "302015", "64998", "53", "64998"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030143, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809704094066349062"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349062", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030143, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385", "UDP", "Built", "65385", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029945, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335044"], "disposition": 5, "short_description": "devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335044", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029945, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344985", "302015", "64945", "53", "64945"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", 
"type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030127, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151755"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151755", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030127, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345032", "302015", "50400", "53", "50400"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029946, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335045"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335045", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029946, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643", "UDP", "Built", "49643", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030124, "observable_value": "10.100.20.5", "observables": 
[{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151752"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151752", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030124, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971", "UDP", "Built", "64971", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029504, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809693658939986947"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986947", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029504, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344870", "302015", "64846", "53", "64846"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 
16029848, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839253"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839253", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029848, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170", "UDP", "Built", "49170", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828416"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 
(local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828416", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030186, "observable_type": "ip", "ctr_uuid": "712716e7-8463-45d4-baeb-6e480f5bb5f2", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562", "UDP", "Built", "49562", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029947, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335046"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": 
"Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335046", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029947, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344986", "302015", "49643", "53", "49643"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029314, 
"observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320133"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320133", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029314, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344820", "302015", "50060", "53", "50060"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from 
inside:10.100.20.5/64846 to outside:24.141.154.216/64846\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029503, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986946"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986946", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029503, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846", "UDP", "Built", "64846", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029275, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": 
"sighting", "source": "Sumo Logic", "external_ids": ["809689768169378816"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378816", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029275, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691", "UDP", "Built", "49691", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029145, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635010"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": "809687523998635010", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029145, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506", "UDP", "Built", "50506", "6", "24.141.154.216", "outside", "305011"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "ip", "value": "10.100.20.5", "id": "3f0d90f3"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-2ea701d3-5d0b-4470-b9f5-b2d278c4fbbb", "tlp": "amber", "groups": ["8952c102-9799-4d12-b8fb-fd6acc5a860a"], "timestamp": "2021-07-12T14:14:38.744Z", "owner": "43c79817-42b6-4010-ba53-cfbb5f832a4d", "source": "Olena Shynkarenko"} \ No newline at end of file +{"description": "Sumo Logic IP", "schema_version": "1.1.3", "type": "investigation", "search-txt": "ip:\"10.100.20.5\"", "actions": "[{\"arg\":{\"text\":\"10.100.20.5\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-12T14:12:13.612Z\",\"id\":\"collect-604aa699\",\"result\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-12T14:12:13.837Z\",\"uuid\":\"b036545c-53c5-4f09-8bc3-c0df4db72a98\"},{\"arg\":{\"type\":\"ip\",\"value\":\"10.100.20.5\"},\"created\":\"2021-07-12T14:12:13.863Z\",\"id\":\"investigate-1d5829f9\",\"result\":{\"data\":[{\"module\":\"Sumo Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{\"sightings\":{\"count\":100,\"docs\":[{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687523998635010\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979\",\"id\":\"809687523998635010\",\"count\":16029145,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:52:05.978Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\",\"UDP\",\"Built\",\"50506\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378816\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378816\",\"count\":16029275,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\",\"UDP\",\"Built\",\"49691\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986946\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986946\",\"count\":16029503,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846\",\"UDP\",\"Built\",\"64846\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320133\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320133\",\"count\":16029314,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344820\",\"302015\",\"50060\",\"53\",\"50060\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335046\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335046\",\"count\":16029947,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344986\",\"302015\",\"49643\",\"53\",\"49643\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828416\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828416\",\"count\":16030186,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\",\"UDP\",\"Built\",\"49562\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839253\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839253\",\"count\":16029848,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\",\"UDP\",\"Built\",\"49170\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986947\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986947\",\"count\":16029504,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344870\",\"302015\",\"64846\",\"53\",\"64846\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151752\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151752\",\"count\":16030124,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\",\"UDP\",\"Built\",\"64971\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335045\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335045\",\"count\":16029946,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\",\"UDP\",\"Built\",\"49643\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151755\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151755\",\"count\":16030127,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345032\",\"302015\",\"50400\",\"53\",\"50400\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335044\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335044\",\"count\":16029945,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344985\",\"302015\",\"64945\",\"53\",\"64945\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349062\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349062\",\"count\":16030143,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\",\"UDP\",\"Built\",\"65385\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348491\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348491\",\"count\":16029618,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344896\",\"302015\",\"64998\",\"53\",\"64998\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828417\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828417\",\"count\":16030187,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345047\",\"302015\",\"49562\",\"53\",\"49562\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839251\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839251\",\"count\":16029846,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\",\"UDP\",\"Built\",\"65230\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620430\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620430\",\"count\":16030074,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\",\"UDP\",\"Built\",\"49611\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706114\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706114\",\"count\":16029695,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\",\"UDP\",\"Built\",\"64784\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466049\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466049\",\"count\":16029436,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344853\",\"302015\",\"64764\",\"53\",\"64764\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478018\"],\"short_description\":\"devbox-collector received a log from qradar - local use 
4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478018\",\"count\":16029244,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839252\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839252\",\"count\":16029847,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344968\",\"302015\",\"65230\",\"53\",\"65230\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170242\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170242\",\"count\":16029263,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\",\"UDP\",\"Built\",\"49787\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:00:00.4789615Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit 
Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955446,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x9949ff5\\\",\\\"IpPort\\\":\\\"64196\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation 
Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x9949FF5\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64196\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693387534963720\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479\",\"id\":\"809693387534963720\",\"count\":142605,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:00:00.478Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340928\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340928\",\"count\":16029554,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695\",\"UDP\",\"Built\",\"50695\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674374\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674374\",\"count\":16029370,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\",\"UDP\",\"Built\",\"49377\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230216\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230216\",\"count\":16029901,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\",\"UDP\",\"Built\",\"65098\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674375\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674375\",\"count\":16029371,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344835\",\"302015\",\"49377\",\"53\",\"49377\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706116\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706116\",\"count\":16029697,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\",\"UDP\",\"Built\",\"50626\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004611\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004611\",\"count\":16030002,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\",\"UDP\",\"Built\",\"65291\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706117\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706117\",\"count\":16029698,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344925\",\"302015\",\"50626\",\"53\",\"50626\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674372\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674372\",\"count\":16029368,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\",\"UDP\",\"Built\",\"50682\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809696703551706115\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287\",\"id\":\"809696703551706115\",\"count\":16029696,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:01:11.286Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344924\",\"302015\",\"64784\",\"53\",\"64784\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320135\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320135\",\"count\":16029316,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344821\",\"302015\",\"50113\",\"53\",\"50113\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 
(24.141.154.216/65098)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230217\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230217\",\"count\":16029902,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 
(24.141.154.216/65098)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344977\",\"302015\",\"65098\",\"53\",\"65098\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378818\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378818\",\"count\":16029277,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188\",\"TCP\",\"Built\",\"64188\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 
(24.141.154.216/64783)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349061\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349061\",\"count\":16030142,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 
(24.141.154.216/64783)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345036\",\"302015\",\"64783\",\"53\",\"64783\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674382\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126\",\"id\":\"809691484847674382\",\"count\":16029380,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:11.125Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\",\"UDP\",\"Built\",\"50455\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 
(24.141.154.216/50677)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687271082103828\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980\",\"id\":\"809687271082103828\",\"count\":16029134,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:51:52.979Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 
(24.141.154.216/50677)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344773\",\"302015\",\"50677\",\"53\",\"50677\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230219\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230219\",\"count\":16029904,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344978\",\"302015\",\"50745\",\"53\",\"50745\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170243\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170243\",\"count\":16029264,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344808\",\"302015\",\"49787\",\"53\",\"49787\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892034\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892034\",\"count\":16029956,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\",\"TCP\",\"Built\",\"64217\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466051\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466051\",\"count\":16029438,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344854\",\"302015\",\"49908\",\"53\",\"49908\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349060\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349060\",\"count\":16030141,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\",\"UDP\",\"Built\",\"64783\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478024\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034\",\"id\":\"809689201099478024\",\"count\":16029251,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:43.033Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\",\"TCP\",\"Built\",\"64186\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620432\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620432\",\"count\":16030076,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\",\"UDP\",\"Built\",\"49898\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859782\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859782\",\"count\":16030231,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\",\"UDP\",\"Built\",\"65343\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348493\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348493\",\"count\":16029620,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344897\",\"302015\",\"50204\",\"53\",\"50204\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282632\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282632\",\"count\":16029776,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\",\"UDP\",\"Built\",\"50248\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004614\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004614\",\"count\":16030005,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345008\",\"302015\",\"50277\",\"53\",\"50277\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282633\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282633\",\"count\":16029777,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344950\",\"302015\",\"50248\",\"53\",\"50248\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282630\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from 
last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282630\",\"count\":16029774,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\",\"UDP\",\"Built\",\"49247\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809690440214320132\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320132\",\"count\":16029313,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\",\"UDP\",\"Built\",\"50060\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859785\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859785\",\"count\":16030234,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345058\",\"302015\",\"49731\",\"53\",\"49731\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828418\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828418\",\"count\":16030188,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\",\"UDP\",\"Built\",\"50195\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892032\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892032\",\"count\":16029954,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\",\"UDP\",\"Built\",\"50326\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348492\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348492\",\"count\":16029619,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\",\"UDP\",\"Built\",\"50204\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054085\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054085\",\"count\":16029187,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344783\",\"302015\",\"49173\",\"53\",\"49173\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340931\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340931\",\"count\":16029557,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344878\",\"302015\",\"65519\",\"53\",\"65519\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 
(24.141.154.216/50506)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687523998635011\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979\",\"id\":\"809687523998635011\",\"count\":16029146,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:52:05.978Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 
(24.141.154.216/50506)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344775\",\"302015\",\"50506\",\"53\",\"50506\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620431\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620431\",\"count\":16030075,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345022\",\"302015\",\"49611\",\"53\",\"49611\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054084\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054084\",\"count\":16029186,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\",\"UDP\",\"Built\",\"49173\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 
(24.141.154.216/64186)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.68.107.242\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478025\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034\",\"id\":\"809689201099478025\",\"count\":16029252,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:43.033Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 
(24.141.154.216/64186)\",\"TCP\",\"Built\",\"443\",\"6\",\"54.68.107.242\",\"inside\",\"54.68.107.242\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344804\",\"302013\",\"64186\",\"443\",\"64186\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478016\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478016\",\"count\":16029242,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to 
outside:24.141.154.216/50277\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004613\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004613\",\"count\":16030004,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\",\"UDP\",\"Built\",\"50277\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809702635874620433\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic 
contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497\",\"id\":\"809702635874620433\",\"count\":16030077,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:07:13.496Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345023\",\"302015\",\"49898\",\"53\",\"49898\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986945\"],\"short_description\":\"devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986945\",\"count\":16029502,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344869\",\"302015\",\"65195\",\"53\",\"65195\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340930\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message 
from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340930\",\"count\":16029556,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\",\"UDP\",\"Built\",\"65519\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151753\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151753\",\"count\":16030125,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345031\",\"302015\",\"64971\",\"53\",\"64971\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466050\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466050\",\"count\":16029437,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\",\"UDP\",\"Built\",\"49908\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170244\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170244\",\"count\":16029265,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\",\"UDP\",\"Built\",\"49248\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892033\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892033\",\"count\":16029955,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344988\",\"302015\",\"50326\",\"53\",\"50326\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809686263241184260\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033\",\"id\":\"809686263241184260\",\"count\":16029040,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:50:55.032Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344747\",\"302015\",\"49352\",\"53\",\"49352\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 
(24.141.154.216/50682)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674373\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121\",\"id\":\"809691484847674373\",\"count\":16029369,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:05.120Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 
(24.141.154.216/50682)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344834\",\"302015\",\"50682\",\"53\",\"50682\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809697685136282631\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325\",\"id\":\"809697685136282631\",\"count\":16029775,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:02:13.324Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344949\",\"302015\",\"49247\",\"53\",\"49247\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T13:55:00.2628542Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955405,\\\"Execution\\\":{\\\"ThreadID\\\":3852,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x99411c9\\\",\\\"IpPort\\\":\\\"64181\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An 
account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x99411C9\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64181\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688350612067336\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263\",\"id\":\"809688350612067336\",\"count\":142564,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:55:00.262Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 
(24.141.154.216/49170)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698673951839254\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359\",\"id\":\"809698673951839254\",\"count\":16029849,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:03:14.358Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 
(24.141.154.216/49170)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344969\",\"302015\",\"49170\",\"53\",\"49170\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054087\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054087\",\"count\":16029189,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344784\",\"302015\",\"49870\",\"53\",\"49870\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700762933335043\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422\",\"id\":\"809700762933335043\",\"count\":16029944,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:13.421Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\",\"UDP\",\"Built\",\"64945\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo 
Logic\",\"external_ids\":[\"809690440214320134\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096\",\"id\":\"809690440214320134\",\"count\":16029315,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:55:05.095Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\",\"UDP\",\"Built\",\"50113\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704094066349063\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537\",\"id\":\"809704094066349063\",\"count\":16030144,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:36.536Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345037\",\"302015\",\"65385\",\"53\",\"65385\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689485708170245\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048\",\"id\":\"809689485708170245\",\"count\":16029266,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:05.047Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344809\",\"302015\",\"49248\",\"53\",\"49248\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809701731784004612\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464\",\"id\":\"809701731784004612\",\"count\":16030003,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:06:13.463Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345007\",\"302015\",\"65291\",\"53\",\"65291\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:05:00.6935032Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955484,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x9951965\\\",\\\"IpPort\\\":\\\"64210\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL 
SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x9951965\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64210\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809698427058328584\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694\",\"id\":\"809698427058328584\",\"count\":142643,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:00.693Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 
(24.141.154.216/64217)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"4.27.9.254\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809700815982892035\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423\",\"id\":\"809700815982892035\",\"count\":16029957,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:05:14.422Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 
(24.141.154.216/64217)\",\"TCP\",\"Built\",\"80\",\"6\",\"4.27.9.254\",\"inside\",\"4.27.9.254\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344989\",\"302013\",\"64217\",\"80\",\"64217\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809688390827054086\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019\",\"id\":\"809688390827054086\",\"count\":16029188,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:06.018Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\",\"UDP\",\"Built\",\"49870\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859784\"],\"short_description\":\"devbox-collector received a log from qradar - local use 
4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859784\",\"count\":16030233,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\",\"UDP\",\"Built\",\"49731\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809699588075230218\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391\",\"id\":\"809699588075230218\",\"count\":16029903,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:04:13.390Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\",\"UDP\",\"Built\",\"50745\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689201099478017\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032\",\"id\":\"809689201099478017\",\"count\":16029243,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:53:41.031Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"}],\"rows\":[[\"Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\",\"TCP\",\"Deny\",\"443\",\"6\",\"54.69.174.114\",\"10.100.20.5\",\"106015\",\"64009\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809693658939986944\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186\",\"id\":\"809693658939986944\",\"count\":16029501,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:58:07.185Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\",\"UDP\",\"Built\",\"65195\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703625445151754\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526\",\"id\":\"809703625445151754\",\"count\":16030126,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:08:14.525Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\",\"UDP\",\"Built\",\"50400\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378817\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains 
observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378817\",\"count\":16029276,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344812\",\"302015\",\"49691\",\"53\",\"49691\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809691484847674383\"],\"short_description\":\"devbox-collector received a log from 
qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126\",\"id\":\"809691484847674383\",\"count\":16029381,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:56:11.125Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344838\",\"302015\",\"50455\",\"53\",\"50455\"]]}},{\"description\":\"```\\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 
(24.141.154.216/64188)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"52.137.106.217\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809689768169378819\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053\",\"id\":\"809689768169378819\",\"count\":16029278,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:54:14.052Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 
(24.141.154.216/64188)\",\"TCP\",\"Built\",\"443\",\"6\",\"52.137.106.217\",\"inside\",\"52.137.106.217\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344813\",\"302013\",\"64188\",\"443\",\"64188\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809692675694466048\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242\",\"id\":\"809692675694466048\",\"count\":16029435,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:57:07.241Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\",\"UDP\",\"Built\",\"64764\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 
(24.141.154.216/50695)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809694803129340929\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215\",\"id\":\"809694803129340929\",\"count\":16029555,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:59:07.214Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 
(24.141.154.216/50695)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"344877\",\"302015\",\"50695\",\"53\",\"50695\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809704846272828419\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557\",\"id\":\"809704846272828419\",\"count\":16030189,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:09:13.556Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string
\"}],\"rows\":[[\"Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345048\",\"302015\",\"50195\",\"53\",\"50195\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809687271082103827\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980\",\"id\":\"809687271082103827\",\"count\":16029133,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T13:51:52.979Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\",\"UDP\",\"Built\",\"50677\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 
(24.141.154.216/65343)\\n```\",\"schema_version\":\"1.1.6\",\"relations\":[{\"origin\":\"qradar\",\"relation\":\"Connected_To\",\"source\":{\"value\":\"10.100.20.5\",\"type\":\"ip\"},\"related\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"}}],\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809705757862859783\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593\",\"id\":\"809705757862859783\",\"count\":16030232,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:10:13.592Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"dest_translated_ip\",\"type\":\"string\"},{\"name\":\"src_ip\",\"type\":\"string\"},{\"name\":\"src_translated_ip\",\"type\":\"string\"},{\"name\":\"direction\",\"type\":\"string\"},{\"name\":\"session_id\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"},{\"name\":\"src_port\",\"type\":\"string\"},{\"name\":\"dest_translated_port\",\"type\":\"string\"},{\"name\":\"src_translated_port\",\"type\":\"string\"}],\"rows\":[[\"Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 
(24.141.154.216/65343)\",\"UDP\",\"Built\",\"53\",\"6\",\"8.8.8.8\",\"inside\",\"8.8.8.8\",\"10.100.20.5\",\"24.141.154.216\",\"outbound\",\"345057\",\"302015\",\"65343\",\"53\",\"65343\"]]}},{\"description\":\"```\\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809695536243348490\"],\"short_description\":\"devbox-collector received a log from qradar - local use 4 (local4) containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255\",\"id\":\"809695536243348490\",\"count\":16029617,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:00:10.254Z\"},\"data\":{\"columns\":[{\"name\":\"msg\",\"type\":\"string\"},{\"name\":\"protocol\",\"type\":\"string\"},{\"name\":\"action\",\"type\":\"string\"},{\"name\":\"dest_port\",\"type\":\"string\"},{\"name\":\"log_level\",\"type\":\"string\"},{\"name\":\"dest_ip\",\"type\":\"string\"},{\"name\":\"dest_zone\",\"type\":\"string\"},{\"name\":\"message_id\",\"type\":\"string\"}],\"rows\":[[\"Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998\",\"UDP\",\"Built\",\"64998\",\"6\",\"24.141.154.216\",\"outside\",\"305011\"]]}},{\"description\":\"```\\n{\\\"TimeCreated\\\":\\\"2021-07-12T14:10:00.8598157Z\\\",\\\"EventID\\\":\\\"4624\\\",\\\"Task\\\":12544,\\\"Correlation\\\":\\\"\\\",\\\"Keywords\\\":\\\"Audit 
Success\\\",\\\"Channel\\\":\\\"Security\\\",\\\"Opcode\\\":\\\"Info\\\",\\\"Security\\\":\\\"\\\",\\\"Provider\\\":{\\\"Guid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"Name\\\":\\\"Microsoft-Windows-Security-Auditing\\\"},\\\"EventRecordID\\\":955528,\\\"Execution\\\":{\\\"ThreadID\\\":2088,\\\"ProcessID\\\":684},\\\"Version\\\":2,\\\"Computer\\\":\\\"AD.lan.cyberthre.at\\\",\\\"Level\\\":\\\"Information\\\",\\\"EventData\\\":{\\\"WorkstationName\\\":\\\"-\\\",\\\"TargetDomainName\\\":\\\"LAN.CYBERTHRE.AT\\\",\\\"VirtualAccount\\\":\\\"%%1843\\\",\\\"SubjectUserSid\\\":\\\"S-1-0-0\\\",\\\"TargetOutboundDomainName\\\":\\\"-\\\",\\\"LogonProcessName\\\":\\\"Kerberos\\\",\\\"TargetLinkedLogonId\\\":\\\"0x0\\\",\\\"ImpersonationLevel\\\":\\\"%%1833\\\",\\\"TargetUserName\\\":\\\"AD$\\\",\\\"TargetUserSid\\\":\\\"S-1-5-18\\\",\\\"IpAddress\\\":\\\"10.100.20.5\\\",\\\"ProcessId\\\":\\\"0x0\\\",\\\"KeyLength\\\":\\\"0\\\",\\\"ProcessName\\\":\\\"-\\\",\\\"SubjectUserName\\\":\\\"-\\\",\\\"LogonType\\\":\\\"3\\\",\\\"TargetOutboundUserName\\\":\\\"-\\\",\\\"TransmittedServices\\\":\\\"-\\\",\\\"LogonGuid\\\":\\\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\",\\\"SubjectLogonId\\\":\\\"0x0\\\",\\\"ElevatedToken\\\":\\\"%%1842\\\",\\\"RestrictedAdminMode\\\":\\\"-\\\",\\\"TargetLogonId\\\":\\\"0x997152b\\\",\\\"IpPort\\\":\\\"64224\\\",\\\"AuthenticationPackageName\\\":\\\"Kerberos\\\",\\\"LmPackageName\\\":\\\"-\\\",\\\"SubjectDomainName\\\":\\\"-\\\"},\\\"Message\\\":\\\"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNULL SID\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\t-\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\t-\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\r\\\\nLogon Information:\\\\r\\\\n\\\\tLogon Type:\\\\t\\\\t3\\\\r\\\\n\\\\tRestricted Admin Mode:\\\\t-\\\\r\\\\n\\\\tVirtual Account:\\\\t\\\\tNo\\\\r\\\\n\\\\tElevated Token:\\\\t\\\\tYes\\\\r\\\\n\\\\r\\\\nImpersonation 
Level:\\\\t\\\\tImpersonation\\\\r\\\\n\\\\r\\\\nNew Logon:\\\\r\\\\n\\\\tSecurity ID:\\\\t\\\\tNT AUTHORITY\\\\\\\\SYSTEM\\\\r\\\\n\\\\tAccount Name:\\\\t\\\\tAD$\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tLAN.CYBERTHRE.AT\\\\r\\\\n\\\\tLogon ID:\\\\t\\\\t0x997152B\\\\r\\\\n\\\\tLinked Logon ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tNetwork Account Name:\\\\t-\\\\r\\\\n\\\\tNetwork Account Domain:\\\\t-\\\\r\\\\n\\\\tLogon GUID:\\\\t\\\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\\\r\\\\n\\\\r\\\\nProcess Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t0x0\\\\r\\\\n\\\\tProcess Name:\\\\t\\\\t-\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tWorkstation Name:\\\\t-\\\\r\\\\n\\\\tSource Network Address:\\\\t10.100.20.5\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t64224\\\\r\\\\n\\\\r\\\\nDetailed Authentication Information:\\\\r\\\\n\\\\tLogon Process:\\\\t\\\\tKerberos\\\\r\\\\n\\\\tAuthentication Package:\\\\tKerberos\\\\r\\\\n\\\\tTransited Services:\\\\t-\\\\r\\\\n\\\\tPackage Name (NTLM only):\\\\t-\\\\r\\\\n\\\\tKey Length:\\\\t\\\\t0\\\\r\\\\n\\\\r\\\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\\\r\\\\n\\\\r\\\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\\\r\\\\n\\\\r\\\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\\\r\\\\n\\\\r\\\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\\\r\\\\n\\\\r\\\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\\\r\\\\n\\\\r\\\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\\\r\\\\n\\\\r\\\\nThe authentication information fields provide detailed information about this specific logon request.\\\\r\\\\n\\\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\\\r\\\\n\\\\t- Transited services indicate which intermediate services have participated in this logon request.\\\\r\\\\n\\\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\\\r\\\\n\\\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\\\"}\\n```\",\"schema_version\":\"1.1.6\",\"observables\":[{\"value\":\"10.100.20.5\",\"type\":\"ip\"}],\"type\":\"sighting\",\"source\":\"Sumo Logic\",\"external_ids\":[\"809703524647638024\"],\"short_description\":\"AD received a log from Windows Events - Security containing the observable\",\"title\":\"Log message from last 30 days in Sumo Logic contains observable\",\"internal\":true,\"source_uri\":\"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860\",\"id\":\"809703524647638024\",\"count\":142687,\"confidence\":\"High\",\"observed_time\":{\"start_time\":\"2023-07-03T14:10:00.859Z\"},\"data\":{\"columns\":[{\"name\":\"direction\",\"type\":\"string\"}],\"rows\":[[\"Outbound\"]]}}]}}}],\"errors\":[{\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"code\":\"too-many-messages-warning\",\"message\":\"There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages.\",\"type\":\"warning\",\"module\":\"Sumo Logic\"}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-12T14:12:24.794Z\",\"uuid\":\"f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e\"},{\"arg\":[{\"type\":\"ip\",\"value\":\"10.100.20.5\"},{\"type\":\"ip\",\"value\":\"4.27.9.254\"},{\"type\":\"ip\",\"value\":\"52.137.106.217\"},{\"type\":\"ip\",\"value\":\"54.68.107.242\"},{\"type\":\"ip\",\"value\":\"54.69.174.114\"},{\"type\":\"ip\",\"value\":\"8.8.8.8\"}],\"created\":\"2021-07-12T14:12:25.446Z\",\"id\":\"deliberate-3e507d5a\",\"result\":{\"data\":[{\"module\":\"AMP File Reputation\",\"module_instance_id\":\"ddcf41a2-3ecb-43e8-b5b2-0e36ad2e16f3\",\"module_type_id\":\"1898d0e8-45f7-550d-8ab5-915f064426dd\",\"data\":{\"verdicts\":{\"count\":0,\"docs\":[]}}},{\"module\":\"Umbrella\",\"module_instance_id\":\"2d1cf6f6-f941-4caa-ba98-a87c3d9fa5b3\",\"module_type_id\":\"188d70f7-29d5-5069-9098-d83a3ec8e797\",\"data\":{\"verdicts\":{\"count\":5,\"docs\":[{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"8.8.8.8\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-07-03T14:12:27.242Z\",\"end_time\":\"2023-08-02T14:12:27.242Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"4.27.9.254\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-07-03T14:12:27.140Z\",\"end_time\":\"2023-08-02T14:12:27.140Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"52.137.106.217\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-07-03T14:12:26.412Z\",\"end_time\":\"2023-08-02T14:12:26.412Z\"}},{\"type\":\"verdict\",\"disposition\":5,\"observable\":{\"value\":\"54.68.107.242\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-07-03T14:12:26.497Z\",\"end_time\":\"2023-08-02T14:12:26.497Z\"}},{\"type\":\"verdict\",\"disposition\":5,
\"observable\":{\"value\":\"54.69.174.114\",\"type\":\"ip\"},\"disposition_name\":\"Unknown\",\"valid_time\":{\"start_time\":\"2023-07-03T14:12:26.045Z\",\"end_time\":\"2023-08-02T14:12:26.045Z\"}}]}}},{\"module\":\"Sumo Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{}}]},\"state\":\"ok\",\"type\":\"deliberate\",\"updated\":\"2021-07-12T14:12:57.510Z\",\"uuid\":\"d25daa24-6560-4f68-bb6b-9a41d8e0a5ad\"}]", "short_description": "Snapshot @ 20210712 14:14:28", "omittedObservables": [], "archivedObservables": [{"key": "0dea2b71-74ae-4200-8840-99a1149c1725", "value": "10.100.20.5", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "10.100.20.5", "id": "3f0d90f3", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:10:00.8598157Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955528,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x997152b\",\"IpPort\":\"64224\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT 
AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x997152B\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64224\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:10:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142687, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703524647638024"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860", "disposition_name": "Unknown", "id": "809703524647638024", "observed_start_time": "2021-07-12T14:10:00Z", "count": 142687, "observable_type": "ip", "ctr_uuid": "4918eb82-db45-485f-a981-1649bf564b94", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:00.859Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to 
outside:24.141.154.216/64998\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029617, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348490"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348490", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029617, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998", "UDP", "Built", "64998", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16030232, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859783"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859783", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030232, "observable_type": "ip", "ctr_uuid": "3eed88f1-1bf7-406f-a565-e904031cceba", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345057", "302015", "65343", "53", "65343"]]}}, {"suspicious": 
0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029133, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103827"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103827", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029133, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677", "UDP", "Built", "50677", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", 
"relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828419"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828419", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030189, "observable_type": "ip", "ctr_uuid": "efca3729-1589-41e2-9ebd-087f2f1dc008", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", 
"8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345048", "302015", "50195", "53", "50195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029555, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340929"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340929", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029555, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": 
"message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344877", "302015", "50695", "53", "50695"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029435, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466048"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466048", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029435, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built 
dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764", "UDP", "Built", "64764", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "52.137.106.217", "type": "ip"}}], "unknown": 16029278, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378819"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378819", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029278, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": 
"direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)", "TCP", "Built", "443", "6", "52.137.106.217", "inside", "52.137.106.217", "10.100.20.5", "24.141.154.216", "outbound", "344813", "302013", "64188", "443", "64188"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\n```", "observed_end_time": "2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029381, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674383"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674383", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029381, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": 
"string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344838", "302015", "50455", "53", "50455"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029276, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378817"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378817", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029276, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344812", "302015", "49691", "53", "49691"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030126, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151754"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151754", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030126, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400", "UDP", "Built", "50400", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029501, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986944"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986944", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029501, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195", "UDP", "Built", "65195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029243, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478017"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478017", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029243, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029903, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230218"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230218", "observed_start_time": "2021-07-12T14:04:13Z", 
"count": 16029903, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745", "UDP", "Built", "50745", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030233, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859784"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859784", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030233, "observable_type": "ip", "ctr_uuid": "8ae66931-86fb-4b92-b59c-b3ec8c212d90", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731", "UDP", "Built", "49731", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054086"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054086", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029188, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/49870 to outside:24.141.154.216/49870", "UDP", "Built", "49870", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "4.27.9.254", "type": "ip"}}], "unknown": 16029957, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892035"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892035", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029957, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": 
"session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)", "TCP", "Built", "80", "6", "4.27.9.254", "inside", "4.27.9.254", "10.100.20.5", "24.141.154.216", "outbound", "344989", "302013", "64217", "80", "64217"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:05:00.6935032Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955484,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9951965\",\"IpPort\":\"64210\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount 
Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9951965\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64210\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:05:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142643, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698427058328584"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694", "disposition_name": "Unknown", "id": "809698427058328584", "observed_start_time": "2021-07-12T14:05:00Z", "count": 142643, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:00.693Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030003, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004612"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004612", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030003, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/65291 (24.141.154.216/65291)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345007", "302015", "65291", "53", "65291"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029266, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170245"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170245", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029266, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": 
"string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344809", "302015", "49248", "53", "49248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030144, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349063"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349063", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030144, "observable_type": "ip", "ctr_uuid": "449352e1-f59c-47cf-a4bc-f086f939d29a", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345037", "302015", "65385", "53", "65385"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029315, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320134"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320134", "observed_start_time": "2021-07-12T13:55:05Z", 
"count": 16029315, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113", "UDP", "Built", "50113", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029944, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335043"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335043", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029944, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": 
"dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945", "UDP", "Built", "64945", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054087"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054087", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029189, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, 
{"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344784", "302015", "49870", "53", "49870"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029849, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839254"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839254", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029849, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344969", "302015", "49170", "53", "49170"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T13:55:00.2628542Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955405,\"Execution\":{\"ThreadID\":3852,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x99411c9\",\"IpPort\":\"64181\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x99411C9\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64181\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T13:55:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142564, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688350612067336"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263", "disposition_name": "Unknown", "id": "809688350612067336", "observed_start_time": "2021-07-12T13:55:00Z", "count": 142564, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:00.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029775, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282631"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in 
Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282631", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029775, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344949", "302015", "49247", "53", "49247"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029369, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674373"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674373", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029369, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344834", "302015", "50682", "53", "50682"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/49352 (24.141.154.216/49352)\n```", "observed_end_time": "2021-07-12T13:50:55Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029040, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809686263241184260"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033", "disposition_name": "Unknown", "id": "809686263241184260", "observed_start_time": "2021-07-12T13:50:55Z", "count": 16029040, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:50:55.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344747 for 
outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344747", "302015", "49352", "53", "49352"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029955, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892033"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892033", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029955, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": 
"src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344988", "302015", "50326", "53", "50326"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029265, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170244"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170244", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029265, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248", "UDP", "Built", "49248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029437, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466050"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466050", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029437, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908", "UDP", "Built", "49908", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030125, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151753"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151753", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030125, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, 
{"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345031", "302015", "64971", "53", "64971"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029556, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340930"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340930", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029556, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519", "UDP", "Built", "65519", "6", 
"24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029502, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986945"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986945", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029502, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": 
"string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344869", "302015", "65195", "53", "65195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030077, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620433"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620433", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030077, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345023", "302015", "49898", "53", "49898"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030004, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004613"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004613", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030004, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, 
{"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277", "UDP", "Built", "50277", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029242, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478016"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478016", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029242, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": 
"log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.68.107.242", "type": "ip"}}], "unknown": 16029252, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478025"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478025", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029252, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, 
{"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)", "TCP", "Built", "443", "6", "54.68.107.242", "inside", "54.68.107.242", "10.100.20.5", "24.141.154.216", "outbound", "344804", "302013", "64186", "443", "64186"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054084"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054084", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029186, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": 
[{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173", "UDP", "Built", "49173", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030075, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620431"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620431", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030075, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, 
{"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345022", "302015", "49611", "53", "49611"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029146, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635011"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": 
"809687523998635011", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029146, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344775", "302015", "50506", "53", "50506"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029557, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340931"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) 
containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340931", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029557, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344878", "302015", "65519", "53", "65519"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": 
{"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054085"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054085", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029187, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344783", "302015", "49173", "53", "49173"]]}}, {"suspicious": 0, "description": 
"```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029619, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348492"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348492", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029619, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204", "UDP", "Built", "50204", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029954, "observable_value": "10.100.20.5", "observables": [{"value": 
"10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892032"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892032", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029954, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326", "UDP", "Built", "50326", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828418"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log 
message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828418", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030188, "observable_type": "ip", "ctr_uuid": "15efd3bf-4368-4790-84fe-4946c2c52d8b", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195", "UDP", "Built", "50195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030234, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859785"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859785", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030234, "observable_type": "ip", "ctr_uuid": "ada8ef67-f7de-4ee6-baf4-b657e61f3d66", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345058", "302015", "49731", "53", "49731"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029313, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320132"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320132", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029313, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060", "UDP", "Built", "50060", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029774, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282630"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282630", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029774, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247", "UDP", "Built", "49247", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029777, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282633"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282633", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029777, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344950", "302015", "50248", "53", "50248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030005, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", 
"source": "Sumo Logic", "external_ids": ["809701731784004614"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004614", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030005, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345008", "302015", "50277", "53", "50277"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": 
"1.1.6", "unknown": 16029776, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282632"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282632", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029776, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248", "UDP", "Built", "50248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029620, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": 
"ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348493"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348493", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029620, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344897", "302015", "50204", "53", "50204"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\n```", "observed_end_time": 
"2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030231, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859782"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859782", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030231, "observable_type": "ip", "ctr_uuid": "fcc2f499-ee84-40ca-9749-1a33a16587cb", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343", "UDP", "Built", "65343", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030076, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809702635874620432"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620432", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030076, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898", "UDP", "Built", "49898", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029251, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478024"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, 
"common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478024", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029251, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186", "TCP", "Built", "64186", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030141, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349060"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349060", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030141, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783", "UDP", "Built", "64783", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029438, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466051"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466051", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029438, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344854", "302015", "49908", "53", "49908"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029956, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892034"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892034", 
"observed_start_time": "2021-07-12T14:05:14Z", "count": 16029956, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217", "TCP", "Built", "64217", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029264, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170243"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170243", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029264, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344808", "302015", "49787", "53", "49787"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029904, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230219"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", 
"internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230219", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029904, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344978", "302015", "50745", "53", "50745"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029134, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], 
"obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103828"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103828", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029134, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344773", "302015", "50677", "53", "50677"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\n```", "observed_end_time": 
"2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029380, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674382"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674382", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029380, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455", "UDP", "Built", "50455", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030142, "observable_value": 
"10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349061"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349061", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030142, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345036", "302015", "64783", "53", "64783"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to 
outside:24.141.154.216/64188\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029277, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378818"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378818", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029277, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188", "TCP", "Built", "64188", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16029902, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230217"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230217", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029902, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344977", "302015", "65098", "53", "65098"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built 
outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029316, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320135"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320135", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029316, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": 
"string"}], "rows": [["Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344821", "302015", "50113", "53", "50113"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029696, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706115"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706115", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029696, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", 
"type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344924", "302015", "64784", "53", "64784"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029368, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674372"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674372", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029368, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", 
"type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682", "UDP", "Built", "50682", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029698, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706117"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706117", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029698, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": 
"dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344925", "302015", "50626", "53", "50626"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030002, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004611"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004611", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030002, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291", "UDP", "Built", "65291", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029697, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706116"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706116", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029697, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/50626 to outside:24.141.154.216/50626", "UDP", "Built", "50626", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029371, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674375"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674375", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029371, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", 
"type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344835", "302015", "49377", "53", "49377"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029901, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230216"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230216", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029901, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": 
"string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098", "UDP", "Built", "65098", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029370, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674374"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674374", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029370, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377", "UDP", "Built", "49377", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 
to outside:24.141.154.216/50695\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029554, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340928"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340928", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029554, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695", "UDP", "Built", "50695", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:00:00.4789615Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955446,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9949ff5\",\"IpPort\":\"64196\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9949FF5\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64196\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:00:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142605, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693387534963720"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479", "disposition_name": "Unknown", "id": "809693387534963720", "observed_start_time": "2021-07-12T14:00:00Z", "count": 142605, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:00.478Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029263, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170242"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170242", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029263, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787", "UDP", "Built", "49787", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029847, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839252"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839252", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029847, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344968", "302015", "65230", "53", "65230"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029244, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo 
Logic", "external_ids": ["809689201099478018"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478018", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029244, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029436, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466049"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466049", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029436, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344853", "302015", "64764", "53", "64764"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029695, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706114"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706114", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029695, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784", "UDP", "Built", "64784", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030074, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620430"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620430", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030074, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611", "UDP", "Built", "49611", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029846, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839251"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359", 
"disposition_name": "Unknown", "id": "809698673951839251", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029846, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230", "UDP", "Built", "65230", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828417"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828417", "observed_start_time": "2021-07-12T14:09:13Z", "count": 
16030187, "observable_type": "ip", "ctr_uuid": "a264f82d-474e-41fb-a311-21f35934261d", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345047", "302015", "49562", "53", "49562"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029618, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348491"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348491", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029618, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344896", "302015", "64998", "53", "64998"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030143, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809704094066349062"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349062", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030143, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385", "UDP", "Built", "65385", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029945, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335044"], "disposition": 5, "short_description": "devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335044", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029945, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344985", "302015", "64945", "53", "64945"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", 
"type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030127, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151755"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151755", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030127, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345032", "302015", "50400", "53", "50400"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029946, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335045"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335045", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029946, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643", "UDP", "Built", "49643", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030124, "observable_value": "10.100.20.5", "observables": 
[{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151752"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151752", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030124, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971", "UDP", "Built", "64971", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029504, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809693658939986947"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986947", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029504, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344870", "302015", "64846", "53", "64846"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 
16029848, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839253"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839253", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029848, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170", "UDP", "Built", "49170", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828416"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 
(local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828416", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030186, "observable_type": "ip", "ctr_uuid": "712716e7-8463-45d4-baeb-6e480f5bb5f2", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562", "UDP", "Built", "49562", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029947, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335046"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": 
"Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335046", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029947, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344986", "302015", "49643", "53", "49643"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029314, 
"observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320133"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320133", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029314, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344820", "302015", "50060", "53", "50060"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from 
inside:10.100.20.5/64846 to outside:24.141.154.216/64846\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029503, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986946"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986946", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029503, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846", "UDP", "Built", "64846", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029275, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": 
"sighting", "source": "Sumo Logic", "external_ids": ["809689768169378816"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378816", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029275, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691", "UDP", "Built", "49691", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029145, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635010"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": "809687523998635010", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029145, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506", "UDP", "Built", "50506", "6", "24.141.154.216", "outside", "305011"]]}}], "revListOrder": 4}], "selectedObservables": [{"uuid": "e188457d-01e0-4c40-a780-f585120edf6b", "observable": {"key": "0dea2b71-74ae-4200-8840-99a1149c1725", "value": "10.100.20.5", "indicators": [], "type": "ip", "state": "investigated", "targets": [], "disposition": 5, "verdicts": [], "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "obsListSortOrder": 4, "listOrder": 0, "label": "10.100.20.5", "id": "3f0d90f3", "judgements": [], "sightings": [{"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:10:00.8598157Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955528,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x997152b\",\"IpPort\":\"64224\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT 
AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x997152B\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64224\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:10:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142687, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703524647638024"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703524647638024&startTime=1626099000859&endTime=1626099000860", "disposition_name": "Unknown", "id": "809703524647638024", "observed_start_time": "2021-07-12T14:10:00Z", "count": 142687, "observable_type": "ip", "ctr_uuid": "4918eb82-db45-485f-a981-1649bf564b94", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:00.859Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64998 to 
outside:24.141.154.216/64998\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029617, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348490"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348490&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348490", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029617, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64998 to outside:24.141.154.216/64998", "UDP", "Built", "64998", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16030232, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859783"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859783&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859783", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030232, "observable_type": "ip", "ctr_uuid": "3eed88f1-1bf7-406f-a565-e904031cceba", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345057 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65343 (24.141.154.216/65343)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345057", "302015", "65343", "53", "65343"]]}}, {"suspicious": 
0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029133, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103827"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103827&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103827", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029133, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50677 to outside:24.141.154.216/50677", "UDP", "Built", "50677", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", 
"relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828419"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828419&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828419", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030189, "observable_type": "ip", "ctr_uuid": "efca3729-1589-41e2-9ebd-087f2f1dc008", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345048 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50195 (24.141.154.216/50195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", 
"8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345048", "302015", "50195", "53", "50195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029555, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340929"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340929&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340929", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029555, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": 
"message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344877 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50695 (24.141.154.216/50695)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344877", "302015", "50695", "53", "50695"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029435, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466048"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466048&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466048", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029435, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built 
dynamic UDP translation from inside:10.100.20.5/64764 to outside:24.141.154.216/64764", "UDP", "Built", "64764", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "52.137.106.217", "type": "ip"}}], "unknown": 16029278, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378819"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378819&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378819", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029278, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": 
"direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344813 for outside:52.137.106.217/443 (52.137.106.217/443) to inside:10.100.20.5/64188 (24.141.154.216/64188)", "TCP", "Built", "443", "6", "52.137.106.217", "inside", "52.137.106.217", "10.100.20.5", "24.141.154.216", "outbound", "344813", "302013", "64188", "443", "64188"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)\n```", "observed_end_time": "2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029381, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674383"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674383&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674383", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029381, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": 
"string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344838 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50455 (24.141.154.216/50455)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344838", "302015", "50455", "53", "50455"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029276, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378817"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378817&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378817", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029276, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344812 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49691 (24.141.154.216/49691)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344812", "302015", "49691", "53", "49691"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030126, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151754"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the 
observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151754&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151754", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030126, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50400 to outside:24.141.154.216/50400", "UDP", "Built", "50400", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029501, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986944"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986944&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986944", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029501, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65195 to outside:24.141.154.216/65195", "UDP", "Built", "65195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029243, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478017"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478017&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478017", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029243, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags FIN ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029903, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230218"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230218&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230218", "observed_start_time": "2021-07-12T14:04:13Z", 
"count": 16029903, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50745 to outside:24.141.154.216/50745", "UDP", "Built", "50745", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030233, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859784"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859784&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859784", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030233, "observable_type": "ip", "ctr_uuid": "8ae66931-86fb-4b92-b59c-b3ec8c212d90", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49731 to outside:24.141.154.216/49731", "UDP", "Built", "49731", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49870 to outside:24.141.154.216/49870\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054086"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054086&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054086", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029188, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/49870 to outside:24.141.154.216/49870", "UDP", "Built", "49870", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "4.27.9.254", "type": "ip"}}], "unknown": 16029957, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892035"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892035&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892035", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029957, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": 
"session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344989 for outside:4.27.9.254/80 (4.27.9.254/80) to inside:10.100.20.5/64217 (24.141.154.216/64217)", "TCP", "Built", "80", "6", "4.27.9.254", "inside", "4.27.9.254", "10.100.20.5", "24.141.154.216", "outbound", "344989", "302013", "64217", "80", "64217"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:05:00.6935032Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955484,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9951965\",\"IpPort\":\"64210\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount 
Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9951965\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64210\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:05:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142643, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698427058328584"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698427058328584&startTime=1626098700693&endTime=1626098700694", "disposition_name": "Unknown", "id": "809698427058328584", "observed_start_time": "2021-07-12T14:05:00Z", "count": 142643, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:00.693Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65291 
(24.141.154.216/65291)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030003, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004612"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004612&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004612", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030003, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345007 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/65291 (24.141.154.216/65291)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345007", "302015", "65291", "53", "65291"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029266, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170245"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170245&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170245", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029266, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": 
"string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344809 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49248 (24.141.154.216/49248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344809", "302015", "49248", "53", "49248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030144, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349063"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349063&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349063", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030144, "observable_type": "ip", "ctr_uuid": "449352e1-f59c-47cf-a4bc-f086f939d29a", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": 
{"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345037 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65385 (24.141.154.216/65385)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345037", "302015", "65385", "53", "65385"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029315, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320134"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320134&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320134", "observed_start_time": "2021-07-12T13:55:05Z", 
"count": 16029315, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50113 to outside:24.141.154.216/50113", "UDP", "Built", "50113", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029944, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335043"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335043&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335043", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029944, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": 
"dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64945 to outside:24.141.154.216/64945", "UDP", "Built", "64945", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029189, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054087"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054087&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054087", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029189, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, 
{"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344784 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49870 (24.141.154.216/49870)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344784", "302015", "49870", "53", "49870"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029849, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839254"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839254&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839254", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029849, "observable_type": "ip", 
"confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344969 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49170 (24.141.154.216/49170)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344969", "302015", "49170", "53", "49170"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T13:55:00.2628542Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955405,\"Execution\":{\"ThreadID\":3852,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x99411c9\",\"IpPort\":\"64181\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x99411C9\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64181\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T13:55:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142564, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688350612067336"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688350612067336&startTime=1626098100262&endTime=1626098100263", "disposition_name": "Unknown", "id": "809688350612067336", "observed_start_time": "2021-07-12T13:55:00Z", "count": 142564, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:00.262Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029775, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282631"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in 
Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282631&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282631", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029775, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344949 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49247 (24.141.154.216/49247)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344949", "302015", "49247", "53", "49247"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029369, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674373"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674373&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674373", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029369, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344834 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50682 (24.141.154.216/50682)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344834", "302015", "50682", "53", "50682"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344747 for outside:8.8.8.8/53 (8.8.8.8/53) to 
inside:10.100.20.5/49352 (24.141.154.216/49352)\n```", "observed_end_time": "2021-07-12T13:50:55Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029040, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809686263241184260"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809686263241184260&startTime=1626097855032&endTime=1626097855033", "disposition_name": "Unknown", "id": "809686263241184260", "observed_start_time": "2021-07-12T13:50:55Z", "count": 16029040, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:50:55.032Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344747 for 
outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49352 (24.141.154.216/49352)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344747", "302015", "49352", "53", "49352"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029955, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892033"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892033&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892033", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029955, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": 
"src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344988 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50326 (24.141.154.216/50326)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344988", "302015", "50326", "53", "50326"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029265, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170244"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170244&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170244", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029265, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49248 to outside:24.141.154.216/49248", "UDP", "Built", "49248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029437, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466050"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466050&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466050", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029437, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49908 to outside:24.141.154.216/49908", "UDP", "Built", "49908", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030125, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151753"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151753&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151753", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030125, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, 
{"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345031 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64971 (24.141.154.216/64971)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345031", "302015", "64971", "53", "64971"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029556, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340930"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340930&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340930", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029556, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65519 to outside:24.141.154.216/65519", "UDP", "Built", "65519", "6", 
"24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029502, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986945"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986945&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986945", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029502, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": 
"string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344869 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65195 (24.141.154.216/65195)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344869", "302015", "65195", "53", "65195"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030077, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620433"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620433&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620433", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030077, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": 
"dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345023 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49898 (24.141.154.216/49898)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345023", "302015", "49898", "53", "49898"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030004, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004613"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004613&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004613", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030004, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, 
{"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50277 to outside:24.141.154.216/50277", "UDP", "Built", "50277", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029242, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478016"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478016&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478016", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029242, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": 
"log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags PSH ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302013: Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.68.107.242", "type": "ip"}}], "unknown": 16029252, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478025"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478025&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478025", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029252, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, 
{"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound TCP connection 344804 for outside:54.68.107.242/443 (54.68.107.242/443) to inside:10.100.20.5/64186 (24.141.154.216/64186)", "TCP", "Built", "443", "6", "54.68.107.242", "inside", "54.68.107.242", "10.100.20.5", "24.141.154.216", "outbound", "344804", "302013", "64186", "443", "64186"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054084"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054084&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054084", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029186, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": 
[{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49173 to outside:24.141.154.216/49173", "UDP", "Built", "49173", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030075, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620431"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620431&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620431", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030075, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, 
{"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345022 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49611 (24.141.154.216/49611)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345022", "302015", "49611", "53", "49611"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029146, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635011"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635011&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": 
"809687523998635011", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029146, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344775 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50506 (24.141.154.216/50506)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344775", "302015", "50506", "53", "50506"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029557, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340931"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) 
containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340931&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340931", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029557, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344878 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65519 (24.141.154.216/65519)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344878", "302015", "65519", "53", "65519"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)\n```", "observed_end_time": "2021-07-12T13:53:06Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": 
{"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809688390827054085"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809688390827054085&startTime=1626097986018&endTime=1626097986019", "disposition_name": "Unknown", "id": "809688390827054085", "observed_start_time": "2021-07-12T13:53:06Z", "count": 16029187, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:06.018Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344783 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49173 (24.141.154.216/49173)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344783", "302015", "49173", "53", "49173"]]}}, {"suspicious": 0, "description": 
"```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029619, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348492"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348492&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348492", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029619, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50204 to outside:24.141.154.216/50204", "UDP", "Built", "50204", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029954, "observable_value": "10.100.20.5", "observables": [{"value": 
"10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892032"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892032&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892032", "observed_start_time": "2021-07-12T14:05:14Z", "count": 16029954, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50326 to outside:24.141.154.216/50326", "UDP", "Built", "50326", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030188, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828418"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log 
message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828418&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828418", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030188, "observable_type": "ip", "ctr_uuid": "15efd3bf-4368-4790-84fe-4946c2c52d8b", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50195 to outside:24.141.154.216/50195", "UDP", "Built", "50195", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)\n```", "observed_end_time": "2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030234, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859785"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859785&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859785", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030234, "observable_type": "ip", "ctr_uuid": "ada8ef67-f7de-4ee6-baf4-b657e61f3d66", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345058 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49731 (24.141.154.216/49731)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345058", "302015", "49731", "53", "49731"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029313, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320132"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320132&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320132", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029313, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50060 to outside:24.141.154.216/50060", "UDP", "Built", "50060", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029774, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282630"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282630&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282630", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029774, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49247 to outside:24.141.154.216/49247", "UDP", "Built", "49247", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029777, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282633"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282633&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282633", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029777, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344950 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50248 (24.141.154.216/50248)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344950", "302015", "50248", "53", "50248"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030005, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", 
"source": "Sumo Logic", "external_ids": ["809701731784004614"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004614&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004614", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030005, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345008 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50277 (24.141.154.216/50277)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345008", "302015", "50277", "53", "50277"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248\n```", "observed_end_time": "2021-07-12T14:02:13Z", "target_count": 0, "schema_version": 
"1.1.6", "unknown": 16029776, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809697685136282632"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809697685136282632&startTime=1626098533324&endTime=1626098533325", "disposition_name": "Unknown", "id": "809697685136282632", "observed_start_time": "2021-07-12T14:02:13Z", "count": 16029776, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:02:13.324Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50248 to outside:24.141.154.216/50248", "UDP", "Built", "50248", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029620, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": 
"ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348493"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348493&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348493", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029620, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344897 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50204 (24.141.154.216/50204)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344897", "302015", "50204", "53", "50204"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343\n```", "observed_end_time": 
"2021-07-12T14:10:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030231, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809705757862859782"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809705757862859782&startTime=1626099013592&endTime=1626099013593", "disposition_name": "Unknown", "id": "809705757862859782", "observed_start_time": "2021-07-12T14:10:13Z", "count": 16030231, "observable_type": "ip", "ctr_uuid": "fcc2f499-ee84-40ca-9749-1a33a16587cb", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:10:13.592Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65343 to outside:24.141.154.216/65343", "UDP", "Built", "65343", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030076, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809702635874620432"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620432&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620432", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030076, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49898 to outside:24.141.154.216/49898", "UDP", "Built", "49898", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186\n```", "observed_end_time": "2021-07-12T13:53:43Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029251, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689201099478024"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, 
"common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478024&startTime=1626098023033&endTime=1626098023034", "disposition_name": "Unknown", "id": "809689201099478024", "observed_start_time": "2021-07-12T13:53:43Z", "count": 16029251, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:43.033Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64186 to outside:24.141.154.216/64186", "TCP", "Built", "64186", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030141, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349060"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349060&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349060", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030141, 
"observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64783 to outside:24.141.154.216/64783", "UDP", "Built", "64783", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029438, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466051"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466051&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466051", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029438, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, 
"ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344854 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49908 (24.141.154.216/49908)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344854", "302015", "49908", "53", "49908"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217\n```", "observed_end_time": "2021-07-12T14:05:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029956, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700815982892034"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700815982892034&startTime=1626098714422&endTime=1626098714423", "disposition_name": "Unknown", "id": "809700815982892034", 
"observed_start_time": "2021-07-12T14:05:14Z", "count": 16029956, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:14.422Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64217 to outside:24.141.154.216/64217", "TCP", "Built", "64217", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029264, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170243"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170243&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170243", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029264, "observable_type": "ip", "confidence": "High", 
"observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344808 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49787 (24.141.154.216/49787)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344808", "302015", "49787", "53", "49787"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029904, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230219"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", 
"internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230219&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230219", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029904, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344978 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50745 (24.141.154.216/50745)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344978", "302015", "50745", "53", "50745"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)\n```", "observed_end_time": "2021-07-12T13:51:52Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029134, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], 
"obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687271082103828"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687271082103828&startTime=1626097912979&endTime=1626097912980", "disposition_name": "Unknown", "id": "809687271082103828", "observed_start_time": "2021-07-12T13:51:52Z", "count": 16029134, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:51:52.979Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344773 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50677 (24.141.154.216/50677)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344773", "302015", "50677", "53", "50677"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455\n```", "observed_end_time": 
"2021-07-12T13:56:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029380, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674382"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674382&startTime=1626098171125&endTime=1626098171126", "disposition_name": "Unknown", "id": "809691484847674382", "observed_start_time": "2021-07-12T13:56:11Z", "count": 16029380, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:11.125Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50455 to outside:24.141.154.216/50455", "UDP", "Built", "50455", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030142, "observable_value": 
"10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704094066349061"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349061&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349061", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030142, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345036 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64783 (24.141.154.216/64783)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345036", "302015", "64783", "53", "64783"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.100.20.5/64188 to 
outside:24.141.154.216/64188\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029277, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689768169378818"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378818&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378818", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029277, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic TCP translation from inside:10.100.20.5/64188 to outside:24.141.154.216/64188", "TCP", "Built", "64188", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", 
"type": "ip"}}], "unknown": 16029902, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230217"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230217&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230217", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029902, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344977 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65098 (24.141.154.216/65098)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344977", "302015", "65098", "53", "65098"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built 
outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029316, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320135"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320135&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320135", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029316, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": 
"string"}], "rows": [["Built outbound UDP connection 344821 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50113 (24.141.154.216/50113)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344821", "302015", "50113", "53", "50113"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029696, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706115"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706115&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706115", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029696, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", 
"type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344924 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64784 (24.141.154.216/64784)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344924", "302015", "64784", "53", "64784"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029368, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674372"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674372&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674372", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029368, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", 
"type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50682 to outside:24.141.154.216/50682", "UDP", "Built", "50682", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029698, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706117"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706117&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706117", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029698, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": 
"dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344925 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50626 (24.141.154.216/50626)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344925", "302015", "50626", "53", "50626"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291\n```", "observed_end_time": "2021-07-12T14:06:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030002, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809701731784004611"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809701731784004611&startTime=1626098773463&endTime=1626098773464", "disposition_name": "Unknown", "id": "809701731784004611", "observed_start_time": "2021-07-12T14:06:13Z", "count": 16030002, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:06:13.463Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, 
{"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65291 to outside:24.141.154.216/65291", "UDP", "Built", "65291", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50626 to outside:24.141.154.216/50626\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029697, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706116"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706116&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706116", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029697, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from 
inside:10.100.20.5/50626 to outside:24.141.154.216/50626", "UDP", "Built", "50626", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029371, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674375"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674375&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674375", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029371, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", 
"type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344835 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49377 (24.141.154.216/49377)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344835", "302015", "49377", "53", "49377"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098\n```", "observed_end_time": "2021-07-12T14:04:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029901, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809699588075230216"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809699588075230216&startTime=1626098653390&endTime=1626098653391", "disposition_name": "Unknown", "id": "809699588075230216", "observed_start_time": "2021-07-12T14:04:13Z", "count": 16029901, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:04:13.390Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": 
"string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65098 to outside:24.141.154.216/65098", "UDP", "Built", "65098", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377\n```", "observed_end_time": "2021-07-12T13:56:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029370, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809691484847674374"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809691484847674374&startTime=1626098165120&endTime=1626098165121", "disposition_name": "Unknown", "id": "809691484847674374", "observed_start_time": "2021-07-12T13:56:05Z", "count": 16029370, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:56:05.120Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49377 to outside:24.141.154.216/49377", "UDP", "Built", "49377", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50695 
to outside:24.141.154.216/50695\n```", "observed_end_time": "2021-07-12T13:59:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029554, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809694803129340928"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809694803129340928&startTime=1626098347214&endTime=1626098347215", "disposition_name": "Unknown", "id": "809694803129340928", "observed_start_time": "2021-07-12T13:59:07Z", "count": 16029554, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:59:07.214Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50695 to outside:24.141.154.216/50695", "UDP", "Built", "50695", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n{\"TimeCreated\":\"2021-07-12T14:00:00.4789615Z\",\"EventID\":\"4624\",\"Task\":12544,\"Correlation\":\"\",\"Keywords\":\"Audit 
Success\",\"Channel\":\"Security\",\"Opcode\":\"Info\",\"Security\":\"\",\"Provider\":{\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"Name\":\"Microsoft-Windows-Security-Auditing\"},\"EventRecordID\":955446,\"Execution\":{\"ThreadID\":2088,\"ProcessID\":684},\"Version\":2,\"Computer\":\"AD.lan.cyberthre.at\",\"Level\":\"Information\",\"EventData\":{\"WorkstationName\":\"-\",\"TargetDomainName\":\"LAN.CYBERTHRE.AT\",\"VirtualAccount\":\"%%1843\",\"SubjectUserSid\":\"S-1-0-0\",\"TargetOutboundDomainName\":\"-\",\"LogonProcessName\":\"Kerberos\",\"TargetLinkedLogonId\":\"0x0\",\"ImpersonationLevel\":\"%%1833\",\"TargetUserName\":\"AD$\",\"TargetUserSid\":\"S-1-5-18\",\"IpAddress\":\"10.100.20.5\",\"ProcessId\":\"0x0\",\"KeyLength\":\"0\",\"ProcessName\":\"-\",\"SubjectUserName\":\"-\",\"LogonType\":\"3\",\"TargetOutboundUserName\":\"-\",\"TransmittedServices\":\"-\",\"LogonGuid\":\"{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\",\"SubjectLogonId\":\"0x0\",\"ElevatedToken\":\"%%1842\",\"RestrictedAdminMode\":\"-\",\"TargetLogonId\":\"0x9949ff5\",\"IpPort\":\"64196\",\"AuthenticationPackageName\":\"Kerberos\",\"LmPackageName\":\"-\",\"SubjectDomainName\":\"-\"},\"Message\":\"An account was successfully logged on.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tNULL SID\\r\\n\\tAccount Name:\\t\\t-\\r\\n\\tAccount Domain:\\t\\t-\\r\\n\\tLogon ID:\\t\\t0x0\\r\\n\\r\\nLogon Information:\\r\\n\\tLogon Type:\\t\\t3\\r\\n\\tRestricted Admin Mode:\\t-\\r\\n\\tVirtual Account:\\t\\tNo\\r\\n\\tElevated Token:\\t\\tYes\\r\\n\\r\\nImpersonation Level:\\t\\tImpersonation\\r\\n\\r\\nNew Logon:\\r\\n\\tSecurity ID:\\t\\tNT AUTHORITY\\\\SYSTEM\\r\\n\\tAccount Name:\\t\\tAD$\\r\\n\\tAccount Domain:\\t\\tLAN.CYBERTHRE.AT\\r\\n\\tLogon ID:\\t\\t0x9949FF5\\r\\n\\tLinked Logon ID:\\t\\t0x0\\r\\n\\tNetwork Account Name:\\t-\\r\\n\\tNetwork Account Domain:\\t-\\r\\n\\tLogon GUID:\\t\\t{827d8995-ff4c-0663-279b-7e8c8f8eb84b}\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess 
ID:\\t\\t0x0\\r\\n\\tProcess Name:\\t\\t-\\r\\n\\r\\nNetwork Information:\\r\\n\\tWorkstation Name:\\t-\\r\\n\\tSource Network Address:\\t10.100.20.5\\r\\n\\tSource Port:\\t\\t64196\\r\\n\\r\\nDetailed Authentication Information:\\r\\n\\tLogon Process:\\t\\tKerberos\\r\\n\\tAuthentication Package:\\tKerberos\\r\\n\\tTransited Services:\\t-\\r\\n\\tPackage Name (NTLM only):\\t-\\r\\n\\tKey Length:\\t\\t0\\r\\n\\r\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\r\\n\\r\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\r\\n\\r\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\r\\n\\r\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\r\\n\\r\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\r\\n\\r\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\r\\n\\r\\nThe authentication information fields provide detailed information about this specific logon request.\\r\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\r\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\r\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\r\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\"}\n```", "observed_end_time": "2021-07-12T14:00:00Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 142605, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693387534963720"], "disposition": 5, "short_description": "AD received a log from Windows Events - Security containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693387534963720&startTime=1626098400478&endTime=1626098400479", "disposition_name": "Unknown", "id": "809693387534963720", "observed_start_time": "2021-07-12T14:00:00Z", "count": 142605, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:00.478Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "direction", "type": "string"}], "rows": [["Outbound"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787\n```", "observed_end_time": "2021-07-12T13:54:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029263, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809689485708170242"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689485708170242&startTime=1626098045047&endTime=1626098045048", "disposition_name": "Unknown", "id": "809689485708170242", "observed_start_time": "2021-07-12T13:54:05Z", "count": 16029263, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:05.047Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49787 to outside:24.141.154.216/49787", "UDP", "Built", "49787", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029847, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839252"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": 
"https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839252&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839252", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029847, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344968 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/65230 (24.141.154.216/65230)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344968", "302015", "65230", "53", "65230"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-106015: Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside\n```", "observed_end_time": "2021-07-12T13:53:41Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "54.69.174.114", "type": "ip"}}], "unknown": 16029244, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo 
Logic", "external_ids": ["809689201099478018"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689201099478018&startTime=1626098021031&endTime=1626098021032", "disposition_name": "Unknown", "id": "809689201099478018", "observed_start_time": "2021-07-12T13:53:41Z", "count": 16029244, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:53:41.031Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}], "rows": [["Deny TCP (no connection) from 10.100.20.5/64009 to 54.69.174.114/443 flags RST ACK on interface inside", "TCP", "Deny", "443", "6", "54.69.174.114", "10.100.20.5", "106015", "64009"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)\n```", "observed_end_time": "2021-07-12T13:57:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029436, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809692675694466049"], 
"disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809692675694466049&startTime=1626098227241&endTime=1626098227242", "disposition_name": "Unknown", "id": "809692675694466049", "observed_start_time": "2021-07-12T13:57:07Z", "count": 16029436, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:57:07.241Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344853 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64764 (24.141.154.216/64764)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344853", "302015", "64764", "53", "64764"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784\n```", "observed_end_time": "2021-07-12T14:01:11Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029695, "observable_value": "10.100.20.5", 
"observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809696703551706114"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809696703551706114&startTime=1626098471286&endTime=1626098471287", "disposition_name": "Unknown", "id": "809696703551706114", "observed_start_time": "2021-07-12T14:01:11Z", "count": 16029695, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:01:11.286Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64784 to outside:24.141.154.216/64784", "UDP", "Built", "64784", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611\n```", "observed_end_time": "2021-07-12T14:07:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030074, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809702635874620430"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809702635874620430&startTime=1626098833496&endTime=1626098833497", "disposition_name": "Unknown", "id": "809702635874620430", "observed_start_time": "2021-07-12T14:07:13Z", "count": 16030074, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:07:13.496Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49611 to outside:24.141.154.216/49611", "UDP", "Built", "49611", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029846, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839251"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839251&startTime=1626098594358&endTime=1626098594359", 
"disposition_name": "Unknown", "id": "809698673951839251", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029846, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65230 to outside:24.141.154.216/65230", "UDP", "Built", "65230", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030187, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828417"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828417&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828417", "observed_start_time": "2021-07-12T14:09:13Z", "count": 
16030187, "observable_type": "ip", "ctr_uuid": "a264f82d-474e-41fb-a311-21f35934261d", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345047 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49562 (24.141.154.216/49562)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345047", "302015", "49562", "53", "49562"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)\n```", "observed_end_time": "2021-07-12T14:00:10Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029618, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809695536243348491"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", 
"malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809695536243348491&startTime=1626098410254&endTime=1626098410255", "disposition_name": "Unknown", "id": "809695536243348491", "observed_start_time": "2021-07-12T14:00:10Z", "count": 16029618, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:00:10.254Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344896 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64998 (24.141.154.216/64998)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344896", "302015", "64998", "53", "64998"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385\n```", "observed_end_time": "2021-07-12T14:08:36Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030143, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809704094066349062"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704094066349062&startTime=1626098916536&endTime=1626098916537", "disposition_name": "Unknown", "id": "809704094066349062", "observed_start_time": "2021-07-12T14:08:36Z", "count": 16030143, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:36.536Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/65385 to outside:24.141.154.216/65385", "UDP", "Built", "65385", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029945, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335044"], "disposition": 5, "short_description": "devbox-collector received a log 
from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335044&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335044", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029945, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344985 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64945 (24.141.154.216/64945)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344985", "302015", "64945", "53", "64945"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", 
"type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16030127, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151755"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151755&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151755", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030127, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 345032 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50400 (24.141.154.216/50400)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "345032", "302015", "50400", "53", "50400"]]}}, {"suspicious": 0, 
"description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029946, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335045"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335045&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335045", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029946, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49643 to outside:24.141.154.216/49643", "UDP", "Built", "49643", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971\n```", "observed_end_time": "2021-07-12T14:08:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030124, "observable_value": "10.100.20.5", "observables": 
[{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809703625445151752"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809703625445151752&startTime=1626098894525&endTime=1626098894526", "disposition_name": "Unknown", "id": "809703625445151752", "observed_start_time": "2021-07-12T14:08:14Z", "count": 16030124, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:08:14.525Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64971 to outside:24.141.154.216/64971", "UDP", "Built", "64971", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029504, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", 
"external_ids": ["809693658939986947"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986947&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986947", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029504, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344870 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/64846 (24.141.154.216/64846)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344870", "302015", "64846", "53", "64846"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170\n```", "observed_end_time": "2021-07-12T14:03:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 
16029848, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809698673951839253"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809698673951839253&startTime=1626098594358&endTime=1626098594359", "disposition_name": "Unknown", "id": "809698673951839253", "observed_start_time": "2021-07-12T14:03:14Z", "count": 16029848, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:03:14.358Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49170 to outside:24.141.154.216/49170", "UDP", "Built", "49170", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562\n```", "observed_end_time": "2021-07-12T14:09:13Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16030186, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809704846272828416"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 
(local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809704846272828416&startTime=1626098953556&endTime=1626098953557", "disposition_name": "Unknown", "id": "809704846272828416", "observed_start_time": "2021-07-12T14:09:13Z", "count": 16030186, "observable_type": "ip", "ctr_uuid": "712716e7-8463-45d4-baeb-6e480f5bb5f2", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:09:13.556Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49562 to outside:24.141.154.216/49562", "UDP", "Built", "49562", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)\n```", "observed_end_time": "2021-07-12T14:05:13Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029947, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809700762933335046"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": 
"Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809700762933335046&startTime=1626098713421&endTime=1626098713422", "disposition_name": "Unknown", "id": "809700762933335046", "observed_start_time": "2021-07-12T14:05:13Z", "count": 16029947, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T14:05:13.421Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344986 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/49643 (24.141.154.216/49643)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344986", "302015", "49643", "53", "49643"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-302015: Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)\n```", "observed_end_time": "2021-07-12T13:55:05Z", "target_count": 0, "schema_version": "1.1.6", "relations": [{"origin": "qradar", "relation": "Connected_To", "source": {"value": "10.100.20.5", "type": "ip"}, "related": {"value": "8.8.8.8", "type": "ip"}}], "unknown": 16029314, 
"observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809690440214320133"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809690440214320133&startTime=1626098105095&endTime=1626098105096", "disposition_name": "Unknown", "id": "809690440214320133", "observed_start_time": "2021-07-12T13:55:05Z", "count": 16029314, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:55:05.095Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "dest_translated_ip", "type": "string"}, {"name": "src_ip", "type": "string"}, {"name": "src_translated_ip", "type": "string"}, {"name": "direction", "type": "string"}, {"name": "session_id", "type": "string"}, {"name": "message_id", "type": "string"}, {"name": "src_port", "type": "string"}, {"name": "dest_translated_port", "type": "string"}, {"name": "src_translated_port", "type": "string"}], "rows": [["Built outbound UDP connection 344820 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.100.20.5/50060 (24.141.154.216/50060)", "UDP", "Built", "53", "6", "8.8.8.8", "inside", "8.8.8.8", "10.100.20.5", "24.141.154.216", "outbound", "344820", "302015", "50060", "53", "50060"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from 
inside:10.100.20.5/64846 to outside:24.141.154.216/64846\n```", "observed_end_time": "2021-07-12T13:58:07Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029503, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809693658939986946"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809693658939986946&startTime=1626098287185&endTime=1626098287186", "disposition_name": "Unknown", "id": "809693658939986946", "observed_start_time": "2021-07-12T13:58:07Z", "count": 16029503, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:58:07.185Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/64846 to outside:24.141.154.216/64846", "UDP", "Built", "64846", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691\n```", "observed_end_time": "2021-07-12T13:54:14Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029275, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": 
"sighting", "source": "Sumo Logic", "external_ids": ["809689768169378816"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", "module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809689768169378816&startTime=1626098054052&endTime=1626098054053", "disposition_name": "Unknown", "id": "809689768169378816", "observed_start_time": "2021-07-12T13:54:14Z", "count": 16029275, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:54:14.052Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/49691 to outside:24.141.154.216/49691", "UDP", "Built", "49691", "6", "24.141.154.216", "outside", "305011"]]}}, {"suspicious": 0, "description": "```\n<166>%ASA-6-305011: Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506\n```", "observed_end_time": "2021-07-12T13:52:05Z", "target_count": 0, "schema_version": "1.1.6", "unknown": 16029145, "observable_value": "10.100.20.5", "observables": [{"value": "10.100.20.5", "type": "ip"}], "obs": "ip:10.100.20.5", "type": "sighting", "source": "Sumo Logic", "external_ids": ["809687523998635010"], "disposition": 5, "short_description": "devbox-collector received a log from qradar - local use 4 (local4) containing the observable", "malicious": 0, "title": "Log message from last 30 days in Sumo Logic contains observable", 
"module": "Sumo Logic", "internal": true, "common": 0, "source_uri": "https://service.us2.sumologic.com/ui/#/search/create?query=_messageid+%3D+809687523998635010&startTime=1626097925978&endTime=1626097925979", "disposition_name": "Unknown", "id": "809687523998635010", "observed_start_time": "2021-07-12T13:52:05Z", "count": 16029145, "observable_type": "ip", "confidence": "High", "observed_time": {"start_time": "2021-07-12T13:52:05.978Z"}, "ctr_hide": false, "clean": 0, "data": {"columns": [{"name": "msg", "type": "string"}, {"name": "protocol", "type": "string"}, {"name": "action", "type": "string"}, {"name": "dest_port", "type": "string"}, {"name": "log_level", "type": "string"}, {"name": "dest_ip", "type": "string"}, {"name": "dest_zone", "type": "string"}, {"name": "message_id", "type": "string"}], "rows": [["Built dynamic UDP translation from inside:10.100.20.5/50506 to outside:24.141.154.216/50506", "UDP", "Built", "50506", "6", "24.141.154.216", "outside", "305011"]]}}], "revListOrder": 4}, "notifications": [{"module_type": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable_id": "3f0d90f3", "module_type_id": "bc485330-d5ae-4d45-81a5-13619193e5b6", "observable": {"type": "ip", "value": "10.100.20.5"}, "type": "warning", "action_id": "f3d2f8b2-1f49-40c2-9160-c3e9d2d3264e", "code": "too-many-messages-warning", "module_name": "Sumo Logic", "module_instance_id": "947937b2-0a11-414a-8741-60f7ed7009bb", "message": "There are more messages in Sumo Logic for 10.100.20.5 than can be displayed in Threat Response. 
Login to the Sumo Logic console to see all messages."}], "disposition_name": "Unknown", "disposition": 5, "type": "ip", "value": "10.100.20.5", "id": "3f0d90f3"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-2ea701d3-5d0b-4470-b9f5-b2d278c4fbbb", "tlp": "amber", "groups": ["8952c102-9799-4d12-b8fb-fd6acc5a860a"], "timestamp": "2021-07-12T14:14:38.744Z", "owner": "43c79817-42b6-4010-ba53-cfbb5f832a4d", "source": "Olena Shynkarenko"}
\ No newline at end of file
diff --git a/SumoLogic/Snapshot_SumoLogic_MD5.json b/SumoLogic/Snapshot_SumoLogic_MD5.json
index 6ec3dd67..4a52e856 100644
--- a/SumoLogic/Snapshot_SumoLogic_MD5.json
+++ b/SumoLogic/Snapshot_SumoLogic_MD5.json
@@ -1 +1 @@
-{"description": "Sumo Logic MD5", "schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"3dd9ed6a273180e986fbc46da81ccc65\"", "actions": "[{\"arg\":{\"text\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-12T13:26:32.755Z\",\"id\":\"collect-28160cc3\",\"result\":[{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-12T13:26:32.953Z\",\"uuid\":\"9b83ba32-e478-4c26-aa06-7e2f531b14d9\"},{\"arg\":{\"type\":\"md5\",\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\"},\"created\":\"2021-07-12T13:26:32.980Z\",\"id\":\"investigate-526264eb\",\"result\":{\"data\":[{\"module\":\"Sumo Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"},\"judgement_id\":\"transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-04-11T13:24:20.000Z\",\"end_time\":\"2526-12-16T00:00:00.000Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-04-11T13:24:20.000Z\",\"end_time\":\"2526-12-16T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"},\"reason_uri\":\"https://www.crowdstrike.com/\",\"type\":\"judgement\",\"source\":\"Sumo Logic\",\"disposition\":2,\"external_references\":[],\"reason\":\"Found in CrowdStrike 
Intelligence\",\"source_uri\":\"https://service.us2.sumologic.com/\",\"disposition_name\":\"Malicious\",\"priority\":85,\"id\":\"transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b\",\"severity\":\"High\",\"tlp\":\"amber\",\"confidence\":\"High\"}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-12T13:26:52.026Z\",\"uuid\":\"d43df7f8-f474-4d76-a781-3765d0c8f9d2\"}]", "short_description": "Snapshot @ 20210712 13:27:31", "omittedObservables": [], "archivedObservables": [{"key": "54e44362-115a-446d-a448-aad24737dc6b", "value": "3dd9ed6a273180e986fbc46da81ccc65", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Sumo Logic", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Sumo Logic:248a472d", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "judgement_id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d", "judgements": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "reason_uri": "https://www.crowdstrike.com/", "type": "judgement", "source": "Sumo Logic", "disposition": 2, "module": "Sumo Logic", "external_references": [], "module-type": null, "reason": "Found in CrowdStrike Intelligence", "source_uri": "https://service.us2.sumologic.com/", "disposition_name": "Malicious", "priority": 85, "id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b", "severity": "High", "tlp": "amber", "action": 
"d43df7f8-f474-4d76-a781-3765d0c8f9d2", "ctr_uuid": "ec6725e6-5a54-46c4-a599-3645c8bd8a5d", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [], "revListOrder": 1}], "selectedObservables": [{"uuid": "a8bafed9-79b8-44d8-bca3-bc9f95a3109e", "observable": {"key": "54e44362-115a-446d-a448-aad24737dc6b", "value": "3dd9ed6a273180e986fbc46da81ccc65", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Sumo Logic", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Sumo Logic:248a472d", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "judgement_id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d", "judgements": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "reason_uri": "https://www.crowdstrike.com/", "type": "judgement", "source": "Sumo Logic", "disposition": 2, "module": "Sumo Logic", "external_references": [], "module-type": null, "reason": "Found in CrowdStrike Intelligence", "source_uri": "https://service.us2.sumologic.com/", "disposition_name": "Malicious", "priority": 85, "id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b", "severity": "High", "tlp": "amber", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "ctr_uuid": "ec6725e6-5a54-46c4-a599-3645c8bd8a5d", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [], "revListOrder": 1}, "notifications": [], "disposition_name": 
"Malicious", "disposition": 2, "type": "md5", "value": "3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-e3942a1e-3bd3-420d-9196-61e61833ca32", "tlp": "amber", "groups": ["8952c102-9799-4d12-b8fb-fd6acc5a860a"], "timestamp": "2021-07-12T13:28:27.809Z", "owner": "43c79817-42b6-4010-ba53-cfbb5f832a4d", "source": "Olena Shynkarenko"}
\ No newline at end of file
+{"description": "Sumo Logic MD5", "schema_version": "1.1.3", "type": "investigation", "search-txt": "md5:\"3dd9ed6a273180e986fbc46da81ccc65\"", "actions": "[{\"arg\":{\"text\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"omit\":false,\"reset\":true},\"created\":\"2021-07-12T13:26:32.755Z\",\"id\":\"collect-28160cc3\",\"result\":[{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"}],\"state\":\"ok\",\"type\":\"collect\",\"updated\":\"2021-07-12T13:26:32.953Z\",\"uuid\":\"9b83ba32-e478-4c26-aa06-7e2f531b14d9\"},{\"arg\":{\"type\":\"md5\",\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\"},\"created\":\"2021-07-12T13:26:32.980Z\",\"id\":\"investigate-526264eb\",\"result\":{\"data\":[{\"module\":\"Sumo 
Logic\",\"module_instance_id\":\"947937b2-0a11-414a-8741-60f7ed7009bb\",\"module_type_id\":\"bc485330-d5ae-4d45-81a5-13619193e5b6\",\"data\":{\"verdicts\":{\"count\":1,\"docs\":[{\"type\":\"verdict\",\"disposition\":2,\"observable\":{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"},\"judgement_id\":\"transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b\",\"disposition_name\":\"Malicious\",\"valid_time\":{\"start_time\":\"2023-04-18T13:24:20.000Z\",\"end_time\":\"2526-12-23T00:00:00.000Z\"}}]},\"judgements\":{\"count\":1,\"docs\":[{\"valid_time\":{\"start_time\":\"2023-04-18T13:24:20.000Z\",\"end_time\":\"2526-12-23T00:00:00.000Z\"},\"schema_version\":\"1.1.6\",\"observable\":{\"value\":\"3dd9ed6a273180e986fbc46da81ccc65\",\"type\":\"md5\"},\"reason_uri\":\"https://www.crowdstrike.com/\",\"type\":\"judgement\",\"source\":\"Sumo Logic\",\"disposition\":2,\"external_references\":[],\"reason\":\"Found in CrowdStrike Intelligence\",\"source_uri\":\"https://service.us2.sumologic.com/\",\"disposition_name\":\"Malicious\",\"priority\":85,\"id\":\"transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b\",\"severity\":\"High\",\"tlp\":\"amber\",\"confidence\":\"High\"}]}}}]},\"state\":\"ok\",\"type\":\"investigate\",\"updated\":\"2021-07-12T13:26:52.026Z\",\"uuid\":\"d43df7f8-f474-4d76-a781-3765d0c8f9d2\"}]", "short_description": "Snapshot @ 20210712 13:27:31", "omittedObservables": [], "archivedObservables": [{"key": "54e44362-115a-446d-a448-aad24737dc6b", "value": "3dd9ed6a273180e986fbc46da81ccc65", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Sumo Logic", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Sumo Logic:248a472d", "action": 
"d43df7f8-f474-4d76-a781-3765d0c8f9d2", "judgement_id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": "3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d", "judgements": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "reason_uri": "https://www.crowdstrike.com/", "type": "judgement", "source": "Sumo Logic", "disposition": 2, "module": "Sumo Logic", "external_references": [], "module-type": null, "reason": "Found in CrowdStrike Intelligence", "source_uri": "https://service.us2.sumologic.com/", "disposition_name": "Malicious", "priority": 85, "id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b", "severity": "High", "tlp": "amber", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "ctr_uuid": "ec6725e6-5a54-46c4-a599-3645c8bd8a5d", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [], "revListOrder": 1}], "selectedObservables": [{"uuid": "a8bafed9-79b8-44d8-bca3-bc9f95a3109e", "observable": {"key": "54e44362-115a-446d-a448-aad24737dc6b", "value": "3dd9ed6a273180e986fbc46da81ccc65", "indicators": [], "type": "md5", "state": "investigated", "targets": [], "disposition": 2, "verdicts": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "type": "verdict", "disposition": 2, "module": "Sumo Logic", "module-type": null, "disposition_name": "Malicious", "id": "verdict:Sumo Logic:248a472d", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "judgement_id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b"}], "notifications": [], "disposition_name": "Malicious", "obsListSortOrder": 1, "listOrder": 0, "label": 
"3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d", "judgements": [{"valid_time": {"start_time": "2021-04-27T13:24:20.000Z", "end_time": "2525-01-01T00:00:00.000Z"}, "schema_version": "1.1.6", "observable": {"value": "3dd9ed6a273180e986fbc46da81ccc65", "type": "md5"}, "reason_uri": "https://www.crowdstrike.com/", "type": "judgement", "source": "Sumo Logic", "disposition": 2, "module": "Sumo Logic", "external_references": [], "module-type": null, "reason": "Found in CrowdStrike Intelligence", "source_uri": "https://service.us2.sumologic.com/", "disposition_name": "Malicious", "priority": 85, "id": "transient:judgement-1c902fd8-4b5f-581d-946f-7660342d635b", "severity": "High", "tlp": "amber", "action": "d43df7f8-f474-4d76-a781-3765d0c8f9d2", "ctr_uuid": "ec6725e6-5a54-46c4-a599-3645c8bd8a5d", "confidence": "High", "ctr_dispositionOrder": 1, "ctr_hide": false}], "sightings": [], "revListOrder": 1}, "notifications": [], "disposition_name": "Malicious", "disposition": 2, "type": "md5", "value": "3dd9ed6a273180e986fbc46da81ccc65", "id": "248a472d"}], "id": "https://private.intel.amp.cisco.com:443/ctia/investigation/investigation-e3942a1e-3bd3-420d-9196-61e61833ca32", "tlp": "amber", "groups": ["8952c102-9799-4d12-b8fb-fd6acc5a860a"], "timestamp": "2021-07-12T13:28:27.809Z", "owner": "43c79817-42b6-4010-ba53-cfbb5f832a4d", "source": "Olena Shynkarenko"}
\ No newline at end of file
